[CUWiN] Open 1X Project Info:
Zachary C. Miller
zach at chambana.net
Wed Sep 29 10:19:57 CDT 2004
I find it hard to believe that something that relies on kerberos
"doesn't require client software". I mean Windows XP uses some
proprietary version of kerberos for domain authentication but I don't
think it's necessarily compatible with off the shelf kerberos servers
and other OSes do not come with any kind of kerberos stuff without
installing external packages.
Kerberos is also problematic because it requires a central highly
trusted authentication server. Kerberos domains are a big
administrative overhead to maintain.
Sascha Meinrath wrote:
> This is a really interesting interview with two of the folks who are
> working on the Open 1X Project (an open source project working on wireless
> networking security). The system uses dynamic keying (rather than VPN
> like the UofI) so it doesn't require client software.
> In a nutshell:
> "We use TTLS, with PAP as the inner authentication method. As a security
> measure, our user accounts are stored in Kerberos, which encrypts user
> passwords on the server. Kerberos allows you to give it a user name and
> unencrypted password for validation, but it does not store the password in
> a way that the unencrypted form can be recovered. We needed an EAP method
> that worked with a user name and an unencrypted password. Kerberos can validate
> a password, but it doesn't work with challenge/response systems like PEAP.
> [Interviewer's note: PEAP actually can work with an unencrypted
> authentication string, by using EAP-GTC as the inner method. However,
> PEAP/EAP-GTC is not widely supported by clients, and it is not implemented
> by the supplicant built in to Windows.]"
> There's a fairly accessible white-paper explaining their system here:
> For the BSD folks in the crowd, "We're spending most of our time writing
> code to implement WPA and 802.11i. The BSD frame handler is also on the
> short list, but we are spending more time on WPA and 802.11i. If somebody
> were to write the BSD frame handler, we would be more than happy to take
> it, though."
> Sascha Meinrath
> Project Manager & Pres. * Project Coordinator * Policy Analyst
> Acorn Worker Collective *** CU Wireless Network *** Free Press
> www.acorncollective.com * www.cuwireless.net * www.freepress.net
> Subject: Open-Source 802.1X Deployment, Future
> By Glenn Fleishman
> Special to Wi-Fi Networking News
> Permanently archived at <http://wifinetnews.com/archives/004168.html>
>  Matthew Gast interviews two of the principals of the open-source
> 802.1X project called Open1X: Matthew is involved in testing 802.1X
> systems (supplicants and servers); he's the author of O'Reilly's 
> 802.11 Wireless Networks. He interviews Chris Hessing and Terry Simons
> about their use of 802.1X at the University of Utah--fascinating in
> itself--and their broader goals of bringing more interoperability and
> sophistication to 802.1X implementations. Open1X was started because they
> needed a client that worked across many platforms; now some platforms have
> limited 802.1X clients built in, but the need for a robust open-source
> supplicant is still quite high.
> URLs referenced:
>  <http://www.macdevcenter.com/pub/a/mac/2004/09/21/open1x.html>
>  <http://isbn.nu/0596001835>
> CU-Wireless mailing list
> CU-Wireless at lists.groogroo.com
> Project Page: http://cuwireless.ucimc.org
Zachary C. Miller - @= - http://wolfgang.groogroo.com/
IMSA 1995 - UIUC 2000 - Just Another Leftist Muppet - Ya Basta!
Social Justice, Community, Nonviolence, Decentralization, Feminism,
Sustainability, Responsibility, Diversity, Democracy, Ecology
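The quoted interview's reason for pairing TTLS/PAP with a Kerberos back end is that a verify-only credential store can check a cleartext password but cannot answer a challenge/response exchange such as PEAP/MSCHAPv2. The following is an added illustration, not code from the Open1X project or the list: it models a verify-only store with PBKDF2 (an assumption standing in for Kerberos string2key, which it does not reproduce) and a challenge/response method with HMAC (an assumption standing in for MSCHAPv2), and shows which store each inner method can be validated against.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed parameter for the stand-in store


def make_verify_only_record(password: str) -> dict:
    """Kerberos-style record: a salted, iterated one-way key. The cleartext
    password cannot be recovered from it, and neither can any other
    password-equivalent secret (assumption: PBKDF2 as the one-way function)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "key": key}


def verify_pap(record: dict, password: str) -> bool:
    """TTLS/PAP inner method: the RADIUS server sees the cleartext password
    inside the TLS tunnel, re-derives the key and compares in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(key, record["key"])


def password_equivalent(password: str) -> bytes:
    """Secret a challenge/response method needs on BOTH sides (stand-in for
    the unsalted NT hash that MSCHAPv2 uses; assumption, not the real format)."""
    return hashlib.sha256(password.encode()).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    """Supplicant side of a challenge/response inner method."""
    return hmac.new(password_equivalent(password), challenge, "sha256").digest()


def verify_challenge_response(stored_equivalent: bytes, challenge: bytes,
                              response: bytes) -> bool:
    """Server side: only possible when the store itself holds the
    password-equivalent secret, which a verify-only record never contains."""
    expected = hmac.new(stored_equivalent, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def supports_challenge_response(record: dict) -> bool:
    """A verify-only record has no password-equivalent to check against."""
    return "password_equivalent" in record
```

Storing a password-equivalent makes challenge/response possible but also makes the store itself sufficient to authenticate, which is the trade-off the interview's "cannot be recovered" remark is about.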