@RichFelker @SwiftOnSecurity @radioctiveeucom it's even in the RFC http://tools.ietf.org/html/rfc4764#section-8.10 … no DH is involved
-
-
-
@khaxan@SwiftOnSecurity @radioctiveeucom See 1.1p4: ..."WPA-PSK". EAP-PSK is distinct from these protocols & should not be confused w/them -
@RichFelker@SwiftOnSecurity @radioctiveeucom you're correct, but wpa2 uses same method to derive the key -
@khaxan@SwiftOnSecurity @radioctiveeucom OK so apparently there's a lack of DH too. Lovely. -
@RichFelker@SwiftOnSecurity @radioctiveeucom indeed, only way around this is a mix of certificates and a external auth source AFAIK -
@khaxan@SwiftOnSecurity @radioctiveeucom All this makes me think the designers of WPA did not understand the threat model. :( -
@khaxan@SwiftOnSecurity @radioctiveeucom Active attacks are much more detectable, so precluding passive attacks is valuable in itself. -
@khaxan@SwiftOnSecurity @radioctiveeucom And "poster on the wall with AP key fingerprint" makes an easy external auth source.
End of conversation
New conversation -
-
-
@radioctiveeucom
@SwiftOnSecurity In principle correct (DH) key exchange should make passive sniffing impossible. -
@RichFelker @radioctiveeucom yeah that's what I was assuming
End of conversation
New conversation -
-
-
@RichFelker @radioctiveeucom@SwiftOnSecurity PSK key derivation explained here: https://security.stackexchange.com/questions/66008/how-exactly-does-4-way-handshake-cracking-work …Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.