Sunday, 9 June 2013

Wi-Fi connection File Format

In this article I’ll try to present one new standard that needs to be created and demonstrate how it can be used by a Wi-Fi hotspot provider. This is based on Scenario 3 in my article Wireless Guest Networks.

The scenario (summary)

  • Wi-Fi Hotspot provider
  • Needs rigid solution
  • Needs to identify every user
  • Needs billing options

The solution

This solution is split into two parts. First I’m going to present the Wi-Fi connection file format, then I’m going to explain how it fits into the scenario.

The File Format

This is going to be a standardized, clear-text file format containing everything you need to connect to a wireless network. My suggested mock-up looks like this:

SSID v1.0
[basic]
SSID:Hotspot
security:WPA2-Enterprise
EAP:EAP-TLS

[EAP-TLS]
username:exampleuser
password:examplepassword
cert:(some certificate fingerprint)
cert:(another certificate fingerprint)

[Signature]
(Signature for the above document) (optional)

Let’s start from the top. The first line declares the file format and the version of that format. The second line is a section header declaring that the following settings are basic settings. The next few lines consist of key:value pairs, one per line. The next section contains specialized settings for EAP-TLS; this is just an example, but imagine that it provides all the information needed to connect to that network, no questions asked. The signature section is optional: it’s a signature confirming the authenticity of the document above it and contains all the information needed to verify it. I would personally just use regular X.509 certificates in some way.

The reason for standardizing the file format is to have one standard way of providing the credentials, without having to coach the user through a long series of screenshots. You can simply download this file and auto-run it. The Wi-Fi manager will then ask you if you want to apply these settings to that SSID, prompt you before overwriting an existing profile, ask you to approve the signature (if there is one) and apply the settings.
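To make the format concrete, here is an added example (my code, not part of the original article) of how a Wi-Fi manager could parse and sanity-check such a file before prompting the user. The Profile layout, the rule that a key repeated within a section (such as cert:) collects a list of values, and the validation rules (a [basic] section with exactly one SSID and security, plus a matching [EAP-type] section for WPA2-Enterprise) are my assumptions; the embedded sample file is constructed in the mock-up's layout.

```go
package main

// Added example, not from the article: parser and validator for the proposed
// Wi-Fi connection file format (Profile layout and rules are assumptions).
import (
	"errors"
	"fmt"
	"strings"
)

// Profile holds the format version, each [section] as key -> values, and the
// optional [Signature] body verbatim (verification is left to the signer scheme).
type Profile struct {
	Version   string
	Sections  map[string]map[string][]string
	Signature string
}

// Parse reads a "SSID v<version>" header, then [section] headers followed by
// key:value lines. Blank lines are ignored; a key before any section is an error.
func Parse(text string) (*Profile, error) {
	p := &Profile{Sections: map[string]map[string][]string{}}
	section := ""
	var sig []string
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
		case p.Version == "":
			if !strings.HasPrefix(line, "SSID v") {
				return nil, fmt.Errorf("line %d: expected 'SSID v<version>' header", n+1)
			}
			p.Version = strings.TrimPrefix(line, "SSID v")
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = line[1 : len(line)-1]
			if section != "Signature" && p.Sections[section] == nil {
				p.Sections[section] = map[string][]string{}
			}
		case section == "Signature":
			sig = append(sig, line) // kept verbatim for the signature check
		case section == "":
			return nil, fmt.Errorf("line %d: key:value before any [section]", n+1)
		default:
			key, val, ok := strings.Cut(line, ":") // split at the first colon only
			if !ok {
				return nil, fmt.Errorf("line %d: expected key:value", n+1)
			}
			p.Sections[section][key] = append(p.Sections[section][key], val)
		}
	}
	if p.Version == "" {
		return nil, errors.New("empty file: no header")
	}
	p.Signature = strings.Join(sig, "\n")
	return p, nil
}

// Validate applies the assumed minimum a Wi-Fi manager needs before it can
// offer to apply the profile; a repeated SSID or security key is rejected too.
func (p *Profile) Validate() error {
	basic := p.Sections["basic"]
	if basic == nil {
		return errors.New("missing [basic] section")
	}
	for _, k := range []string{"SSID", "security"} {
		if len(basic[k]) != 1 {
			return fmt.Errorf("[basic] needs exactly one %s", k)
		}
	}
	if basic["security"][0] == "WPA2-Enterprise" {
		if len(basic["EAP"]) != 1 {
			return errors.New("WPA2-Enterprise needs exactly one EAP type")
		}
		if eap := basic["EAP"][0]; p.Sections[eap] == nil {
			return fmt.Errorf("missing [%s] section for the declared EAP type", eap)
		}
	}
	return nil
}

// Sample is a constructed file in the article's proposed layout.
const Sample = `SSID v1.0
[basic]
SSID:Hotspot
security:WPA2-Enterprise
EAP:EAP-TLS

[EAP-TLS]
username:exampleuser
password:examplepassword
cert:(constructed fingerprint 1)
cert:(constructed fingerprint 2)

[Signature]
(constructed signature placeholder)
`

func main() {
	p, err := Parse(Sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("version:", p.Version, "certs:", p.Sections["EAP-TLS"]["cert"], "valid:", p.Validate())
}
```

Because the file carries the password in clear text, a Wi-Fi manager importing it should treat the file itself as a credential: parse and validate it, check the signature if present, and then remove or restrict access to the file once the profile has been stored.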

Solving the problem

For this hotspot provider, there are a number of ways this could be applied as a solution. Common to all of them is that they use WPA2-Enterprise (RADIUS) as the primary connection and authentication system. The service provider still needs to do a lot of work on the back end, but they can now trust the client device to remember the credentials, and they don’t have to ask the user to authenticate every time. For expired subscriptions you can simply use RADIUS to move the user to a walled-garden VLAN with just enough access to renew their subscription.

Option 1

User registration and authentication could simply happen on a separate SSID, in exactly the same way hotspot solutions do today. The difference is that after completing the signup (or just a regular login) the user is sent a settings file and connects to the secured SSID.

Option 2

Same as Option 1, but using WPA-Guest on the same SSID.

Pros

  • Pretty easy to use, and easier than manual setup.
  • Secure (depending on setup)
  • Most Hotspot providers need to do most of this work anyway

Cons

  • Harder to set up

Summary

That completes the planned part of my series on wireless guest networks. If anyone in a position to do something about this finds it interesting, feel free to contact me; I really want to see this implemented.

Sunday, 2 June 2013

Introducing EAP-Guest

In this article I’ll try to present a solution for providing encrypted Wi-Fi with authentication-free access. This is based on Scenario 2 in my article Wireless Guest Networks.

The scenario (summary)

  • Public access Wi-Fi provider
  • Many users
  • Many access points
  • Large coverage area
  • No need to identify individual users

The solution

As I hinted in my last article, this one introduces something that does not exist yet. As the title suggests, we are going to use WPA(2)-Enterprise and introduce a new EAP type, which I’m going to call EAP-Guest.

EAP-Guest, Overview

EAP-Guest is a new EAP type that can be announced in the beacon (as a vendor-specific extension) and can work in parallel with other EAP types on the same SSID. It requires no authentication credentials from the client, but does a couple of authentication exchanges to prevent man-in-the-middle attacks.

EAP-Guest, User perspective

The beacon includes EAP-Guest, so the padlock icon next to the SSID in the network browser is set to something that makes it stand out. This could be an open padlock, a padlock and a key, or even a padlock with a G on it.
When the user selects the network, the client device initiates a regular WPA-Enterprise authentication session with EAP type EAP-Guest. During that authentication and identification run the service provider signs its packets with an X.509 certificate. The certificate is the tricky part: you need a central CA (Certificate Authority) to sign it. Issuing certificates for SSIDs is not an option; that’s way too complicated to enforce. I suggest using regular X.509 certificates for web use and presenting the domain and organization to the user for approval. When the certificate is approved, the client device needs to store it for future use. Since there are large networks with multiple providers (e.g. eduroam), the client must be able to store several of these certificates.
Once the authentication process is completed (failure is an option) the client is returned a URL to go to and is accepted into the network. The client must direct the user to this URL in a web browser if the platform supports it.
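The trust model described above, as an added example that is not part of the original article and not an implementation of any real EAP type: a toy simulation of the final EAP-Guest step, with the provider signing its reply and the client verifying it, asking the user to approve the certificate's domain and organization on first sight, and remembering approved certificates by fingerprint. The Message layout, the client nonce that the signature is bound to, and the fingerprint store are my assumptions; the provider certificate is self-signed only so the example runs offline, whereas the article's design calls for a CA-issued web certificate, which a real client would additionally validate against its CA store.

```go
package main

// Added example (not from the article): toy simulation of the EAP-Guest trust
// model; message layout, client nonce and fingerprint store are assumptions.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Message is the provider's final reply: URL, cert (DER), signature over nonce||URL.
type Message struct {
	URL     string
	CertDER []byte
	Sig     []byte
}

type Provider struct {
	key  *ecdsa.PrivateKey
	cert []byte
	url  string
}

// NewProvider builds a key and a self-signed cert carrying the domain and
// organization shown to the user (a CA-issued web cert in the real design).
func NewProvider(domain, org, landingURL string) (*Provider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Provider{key: key, cert: der, url: landingURL}, nil
}

// signedData binds the reply to the client's fresh nonce, so an old reply
// cannot be replayed and the URL cannot be rewritten in transit.
func signedData(nonce []byte, url string) []byte {
	return append(append([]byte{}, nonce...), url...)
}

func (p *Provider) Respond(nonce []byte) (Message, error) {
	digest := sha256.Sum256(signedData(nonce, p.url))
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	return Message{URL: p.url, CertDER: p.cert, Sig: sig}, err
}

// Client stores approved provider certs by SHA-256 fingerprint (several
// providers side by side, the eduroam case); Approve is the user prompt.
type Client struct {
	Approve func(domain, org string) bool
	Trusted map[string]bool
}

// Connect verifies the reply and returns the landing URL. The signature is
// checked before the user is asked anything, so a forged reply never reaches
// the approval prompt.
func (c *Client) Connect(nonce []byte, m Message) (string, error) {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return "", fmt.Errorf("bad certificate: %w", err)
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate not valid now")
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, signedData(nonce, m.URL), m.Sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	id := fmt.Sprintf("%x", sha256.Sum256(m.CertDER))
	if !c.Trusted[id] {
		org := ""
		if len(cert.Subject.Organization) > 0 {
			org = cert.Subject.Organization[0]
		}
		if !c.Approve(cert.Subject.CommonName, org) {
			return "", fmt.Errorf("user declined certificate for %s", cert.Subject.CommonName)
		}
		c.Trusted[id] = true // remembered for future connections
	}
	return m.URL, nil
}

func main() {
	p, _ := NewProvider("wifi.example.net", "Example Guest Wi-Fi", "https://welcome.example.net/")
	c := &Client{Approve: func(d, o string) bool { return true }, Trusted: map[string]bool{}}
	nonce := []byte("constructed-client-nonce")
	m, _ := p.Respond(nonce)
	fmt.Println(c.Connect(nonce, m))
}
```

The ordering in Connect is the point: a reply whose signature does not verify under the presented certificate is dropped before the user sees any prompt, a replayed reply fails because the nonce differs, and the user is only ever asked about the domain and organization of a certificate that actually signed the reply.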

Pros

  • Easy to use
  • Secure

Cons

  • Hard to set up
  • Requires new technology

Summary

The EAP-Guest solution is an imagined future solution to this problem and the very reason I wrote this series of articles. If you are a service provider and need user authentication on top of this solution, you only have to add a layer-3 security portal on top of WPA-Guest; this is the main motivation for returning a URL at the end of the sequence. In the next article I’ll present a solution that I think is even better for hotspot service providers.

Sunday, 26 May 2013

The simplest wireless guest solution

In this article I’ll try to present the simplest and cheapest solution available to any free Wi-Fi provider that wants to offer encryption. This is based on Scenario 1 in my article Wireless Guest Networks.

The scenario (summary)

  • The provider is a coffee shop, let’s call them “Coffee ‘N WiFi”
  • The provider needs a cheap and simple solution.
  • Low traffic scenario

The solution

Encrypt your Wi-Fi with WPA2-PSK and publish the key. All you need to do is make a plaque saying: “Internet! Network: CoffeNwifi; Password: Cappuccino”

Pros

  • Easy to set up
  • No need for expensive equipment
  • Available today

Cons

  • Doesn’t scale very well
  • Users need to know the password
  • Still possible to crack if you intercept the handshake

Summary

The PSK solution is simple and it does increase security one notch. Unfortunately it does not scale, so next week I’m going to present the second solution. That one is going to invent something new and would require vendor adaptation before it can be used.

Sunday, 19 May 2013

Wireless guest networks

Ever since the Google “Wi-Fi scandal” the “outrage” of certain individuals has struck me. Or more correctly the fact that privacy advocates are screaming bloody murder, while it seems nobody noticed that anyone with half a brain and a laptop could do the exact same thing. As long as you use an unencrypted network, everyone can sniff all of your communication right out of the air in clear text. If you use unencrypted Wi-Fi at home you are asking to get hacked, plain and simple.

Then a bomb of a revelation hit me: guest and public access networks. I’ve thought about the solution for a very long time. This is going to be the first post in a series of articles discussing the various solutions to the problem and their strengths and weaknesses. This first article presents a few use cases; the following articles will present a solution to each of the scenarios.

Scenario 1

A small coffee shop wants to offer free Wi-Fi to attract customers. They do not have a significant revenue so they can’t afford an expensive solution.

Scenario 2

A public access network provider. They need to connect users securely, with no need for user identification.

Scenario 3

A Wi-Fi hotspot provider. Needs per-user authentication, but also authentication-free access for user registration.

I’ll do my best to type up these articles before I start posting, and post them about a week apart.

Tuesday, 29 May 2012

Creationism again

I recently got this comment:
"Evolution is not a fact, it is a delusion brought on by atheists who are desperate to grasp onto any crackpot explanation for how man came to be."

And the followup:

"A Christian who believes in macro evolution is as deluded as a satanist who goes to church every Sunday. As a Christian I don't claim to know exactly how old the universe is, but I do know God created man as he is today, not as a microorganism that slowly and randomly 'evolved'. This is the real world bro, not some Pokemon knockoff."

Let me see: Pokémon created by Satoshi Tajiri for Nintendo in 1996.
On the Origin of Species, by Charles Darwin in 1859
There's a 137-year gap there that the commenter can't explain, because he/she pulled this comment out of their butt in an attempt to ridicule evolution, but only managed to show the lack of real arguments to present.

As for the use of "randomly 'evolved'", that pretty much tells me this person has no understanding of natural selection. Natural selection is not random. Evolution is the non-random survival of randomly varying replicators. Using the word random to describe evolution just exposes your lack of understanding. The process is not random at all; there is randomness involved, just as in nuclear fission, but the process is in no way random.

To enforce my point, I am going to take the example of the card game poker. In poker you get a number of random cards. Depending on what type of game you play you can choose to keep or discard certain cards. We can all agree that there is randomness involved, but for some reason the same professional players still rise to the top over and over again. So we are now left with the big question: if poker is truly a game of chance, why is the same group of people always winning? We are therefore forced to conclude that poker is not a random game even though there is an element of randomness in it.

Sunday, 27 May 2012

About evolution

I am going to do another of my short two-paragraph rants, this time about evolution and creationism. I'll start out by saying that evolution is a biological process; anyone who writes an argument that is not about biology does not understand evolution. Secondly, the origin of life is abiogenesis, not evolution. Thirdly, the second law of thermodynamics says that "[I]n a closed system, you can't finish any real physical process with as much useful energy as you had to start with[.]" and "Entropy in a closed system can never decrease."[1] Creationists love to quote this one, but they fail to notice that the earth is not a closed system. Look out of your window: do you see that big ball of hydrogen and helium plasma? That is an outside energy source. The second law of thermodynamics does allow for local decreases of entropy within a system; an AC unit is a perfect example. Every solar storm that doesn't hit anything will increase the entropy of the universe as a whole. However, any energy or radiation that hits earth adds energy to the localized system called earth, effectively destroying that argument.
To sum up, if I in any argument tell you that "that has nothing to do with evolution" I really mean it, and I am not going to debate you on that subject unless you add the proper label to it. And the "biology is a subset of chemistry which in turn is a subset of physics" argument is stupid too. Just look at this:

A = {1,2,3} B = {5,6,7} C = {0,1,2,3,4,5,6,7,8,9}
It is true that both A and B are subsets of C, but there is no intersection between A and B, so you can't use B to make a proof about A, and anything that applies to B does not necessarily apply to the entirety of C. QED.
[1] http://www.panspermia.org/seconlaw.htm

Friday, 18 May 2012

Religious neutrality

I've had a discussion lately on separation of church and state. And for some reason, theists (mostly Christians) seem to have problems seeing the difference between an atheistic state religion and "no state religion", also known as "neutral state religion". This is because they see atheism as a religion; atheism is not a religion, just as "not smoking" is not a habit, and not collecting stamps is not a hobby. Atheism literally translates to "no god". This includes agnostics by the way, because they have no God. Now, remember I am talking about religious neutrality here: a religiously neutral state has to be agnostic by definition, because acknowledging a God, any god, is taking sides and breaching neutrality.

Just a little note at the end. In a neutral state, the state does not care if "God hates fags"; if someone wants to smoke those horrible things and poison themselves, they should be free to do so. Allowing cigarettes is not going to infringe on your right not to smoke them, so why are you complaining anyway? And by the way, pun intended, and it applies to both interpretations.

Richard Feynman

I'm making a habit out of posting YouTube videos, but I really don't care. Here are some videos of Richard Feynman on science.

Stupid arguments #1

The other day I got the following argument thrown at me from a creationist: "Newton didn't believe in evolution"
Why is this wrong on so many levels, and why is this argument stupid? Let's start off:
Sir Isaac Newton, 4 January 1643 – 31 March 1727 (Gregorian calendar)
Charles Robert Darwin, 12 February 1809 – 19 April 1882
Darwin's book "On the Origin of Species", where evolution was introduced: 1859
Isaac Newton died 132 years before the theory of evolution was even coined. Did you really think nobody would notice? Or is it a habit of young earth creationists to ignore documented death dates in favor of imaginary ideas?
One phrase comes to mind: "Shame on you"

Monday, 7 May 2012

Godwin's law

I see a lot of "pulling Godwin's law" in my future, so I'm going to clarify exactly what that means.
When I pull Godwin's law, that means that somebody used the argument "The Nazis (...) so therefore (...)". The same goes for Hitler, Al Qaeda, Stalin, Lenin, Marx, Mao etc. I'll even extend it to "Jesus". And the argument I make is this: just because someone liked or disliked something does not mean that thing is automatically good or bad; and if you make such an absurd claim you have automatically lost your credibility in the conversation.
When I pull a reverse Godwin's law, that means I'm using a Godwin's law analogy to show that your argument is absurd, usually by injecting the Nazis or Hitler into your argument. For instance: Hitler probably won a lot of debates; killing Jews is still bad, and winning a debate is not evidence of truth.