aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant
diff options
context:
space:
mode:
authorJouni Malinen <jouni.malinen@atheros.com>2008-11-06 17:57:21 (GMT)
committerJouni Malinen <j@w1.fi>2008-11-06 17:57:21 (GMT)
commit581a8cde77670ba7de2cce57f4a723ba435df9b7 (patch)
treed06cf58048193c7a10dc8e6de59fc414124fffcc /wpa_supplicant
parent81eec387dd7c1f4521822e48023e950dfa7b5a52 (diff)
downloadhostap-06-581a8cde77670ba7de2cce57f4a723ba435df9b7.zip
hostap-06-581a8cde77670ba7de2cce57f4a723ba435df9b7.tar.gz
hostap-06-581a8cde77670ba7de2cce57f4a723ba435df9b7.tar.bz2
Added support for enforcing frequent PTK rekeying
Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/ChangeLog3
-rw-r--r--wpa_supplicant/config.c3
-rw-r--r--wpa_supplicant/config_ssid.h8
-rw-r--r--wpa_supplicant/wpa_supplicant.conf14
-rw-r--r--wpa_supplicant/wpas_glue.c1
5 files changed, 28 insertions, 1 deletions
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index 251e95a..4f213fa 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -5,6 +5,9 @@ ChangeLog for wpa_supplicant
(can be used to simulate test SIM/USIM card with a known private key;
enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration)
+ * added a new network configuration option, wpa_ptk_rekey, that can be
+ used to enforce frequent PTK rekeying, e.g., to mitigate some attacks
+ against TKIP deficiencies
2008-11-01 - v0.6.5
* added support for SHA-256 as X.509 certificate digest when using the
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index fc64be1..70b02c4 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1357,7 +1357,8 @@ static const struct parse_data ssid_fields[] = {
#endif /* CONFIG_IEEE80211W */
{ INT_RANGE(peerkey, 0, 1) },
{ INT_RANGE(mixed_cell, 0, 1) },
- { INT_RANGE(frequency, 0, 10000) }
+ { INT_RANGE(frequency, 0, 10000) },
+ { INT(wpa_ptk_rekey) }
};
#undef OFFSET
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 5e57bc1..5510639 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -334,6 +334,14 @@ struct wpa_ssid {
* will be used instead of this configured value.
*/
int frequency;
+
+ /**
+ * wpa_ptk_rekey - Maximum lifetime for PTK in seconds
+ *
+ * This value can be used to enforce rekeying of PTK to mitigate some
+ * attacks against TKIP deficiencies.
+ */
+ int wpa_ptk_rekey;
};
#endif /* CONFIG_SSID_H */
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index b639d39..44dc3a1 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -276,6 +276,9 @@ fast_reauth=1
# 1 = enabled
#peerkey=1
#
+# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
+# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
+#
# Following fields are only used with internal EAP implementation.
# eap: space-separated list of accepted EAP methods
# MD5 = EAP-MD5 (unsecure and does not generate keying material ->
@@ -475,6 +478,17 @@ network={
priority=2
}
+# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
+network={
+ ssid="example"
+ proto=WPA
+ key_mgmt=WPA-PSK
+ pairwise=TKIP
+ group=TKIP
+ psk="not so secure passphrase"
+ wpa_ptk_rekey=600
+}
+
# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
# or WEP40 as the group cipher will not be accepted.
network={
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index f0c1cda..d5e31eb 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -626,6 +626,7 @@ void wpa_supplicant_rsn_supp_set_config(struct wpa_supplicant *wpa_s,
#endif /* IEEE8021X_EAPOL */
conf.ssid = ssid->ssid;
conf.ssid_len = ssid->ssid_len;
+ conf.wpa_ptk_rekey = ssid->wpa_ptk_rekey;
}
wpa_sm_set_config(wpa_s->wpa, ssid ? &conf : NULL);
}