RSA proves security isn't usable by example

Summary: The old axiom of more security and less usability couldn't have been more apparent at RSA conference 2007. It took members of the press and attendees over an hour to get Wireless LAN access because username/password style wireless LAN security is employed.

The old axiom of more security and less usability couldn't have been more apparent at RSA Conference 2007. It took members of the press and attendees over an hour to get wireless LAN access because username/password-style wireless LAN security was employed. Last year it was even worse, when each member of the press had to have their own unique username and password. It was a bit simpler this year because they handed out generic usernames and passwords, but the lines around the wireless LAN helpdesk remained a mile long much of the day.

The universally accepted way of providing guest hotspot access is to not have any kind of link-layer security at all and just run everything wide open. This doesn't provide any security on the link between the client and the access point, and users are expected to use secure protocols. Since secure protocols are the exception and not the rule, hotspots are the most insecure and dangerous form of connectivity, and the RSA conference is trying to lead by example. The problem is that true wireless LAN security in an ad hoc environment isn't usable because there is no seamless inter-organization identity infrastructure in place.

Email communications work because you can hand anyone a business card with your email address on it and expect to be able to email each other without IT intervention, even if the two domains have never communicated with one another. Until ID and authentication can be just as seamless as exchanging email, widespread security will be nothing more than a small niche market and a pipe dream for the masses. Email is so seamless because a domain's mail servers are published in DNS; perhaps it's time we considered a similar mechanism for authentication. If RADIUS authentication servers were published in a DNS record for a particular domain, this would allow seamless, secure wireless LAN authentication anywhere without the need for new and cumbersome user accounts on every new network you touch.
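To make the proposal concrete, here is a sketch of the lookup a hotspot could perform before relaying an authentication request to a visitor's home RADIUS server. It is an added example, not code from the article; the `_radius._udp` SRV label, the sample records and all function names are assumptions, and the allowlist models the explicit per-domain permission the author describes in the discussion below.

```python
import re

# Constructed sample data standing in for DNS. The "_radius._udp" label is a
# hypothetical naming choice for this sketch, not a deployed convention.
SAMPLE_SRV = {
    "_radius._udp.example.org": [
        # (priority, weight, port, target)
        (20, 0, 1812, "backup-radius.example.org"),
        (10, 5, 1812, "radius1.example.org"),
    ],
    "_radius._udp.example.net": [(10, 0, 1812, "aaa.example.net")],
}

# Realms the hotspot operator has explicitly agreed to relay to (assumption).
PERMITTED_REALMS = {"example.org"}

_LABELS = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def realm_of(identity):
    """Return the lower-cased realm of user@realm, or None if malformed."""
    user, sep, realm = identity.rpartition("@")
    realm = realm.lower().rstrip(".")
    if not sep or not user or len(realm) > 253 or not _LABELS.fullmatch(realm):
        return None
    return realm


def discover_home_server(identity, srv_lookup=SAMPLE_SRV.get,
                         permitted=PERMITTED_REALMS):
    """Return (host, port) of the visitor's home RADIUS server, or None.

    Fails closed: a malformed identity, a realm that is not permitted, or a
    missing record all yield None, so nothing is relayed to an unvetted domain.
    """
    realm = realm_of(identity)
    if realm is None or realm not in permitted:
        return None
    records = srv_lookup("_radius._udp." + realm) or []
    if not records:
        return None
    # Lowest priority value wins (SRV semantics); weight is ignored here.
    _priority, _weight, port, target = min(records, key=lambda r: r[0])
    return target.rstrip("."), port
```

Plain DNS answers are not authenticated, so the relay still needs to verify the discovered server (for example with a per-realm shared secret or certificate) before trusting its accept or reject.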

Talkback

33 comments
  • Confused?

    Why would I trust a RADIUS server in another domain to authenticate access to my
    wireless infrastructure?

    "The reason email is so seamless is because it's published in DNS, perhaps it's
    time we considering a similar mechanism for authentication."

    Which is also a downfall. MTAs don't require authentication for incoming email (or
    we'd have to know everyone's credentials in advance) so my server resources are
    ripe for abuse (e.g. spam). Here the utility of emails outweighs the annoyance of
    spam (which is a huge problem despite tools to manage it).

    Is this the case for users of my wireless infrastructure or am I missing something?
    Richard Flude
    • You have to explicitly permit the domains on your wireless infrastructure

      We're not talking about anyone being able to get on so yes; you're missing something.

      We're talking about RSA which lets me in to their show and press room which means at that point they already trust me and have my email address. What I am saying is that at this point they should be able to look up my RADIUS server and relay the authentication request to give me a local secure hotspot connection. We're not talking about any Joe off the street being able to get on though we could allow that if we wanted to offer free private hotspot surfing and if they had RADIUS set up. But in this case with RSA, it would be explicitly set for my email address to permit access.
      georgeou
      • OK, so like OpenID

        http://openid.net/

        Using RADIUS to identify a user, not as a trust system.

        Sounds reasonable.
        Richard Flude
        • RADIUS delegation is very similar to WS-Federation

          RADIUS is a standardized authentication protocol that allows delegation of authentication for access devices like switches and access points. WS-Federation, Liberty Alliance, MS InfoCard 2.0 which is interoperable with OpenID, and OpenID are standardized mechanisms for delegating authentication for web based applications. They all work in a similar fashion for different applications along the OSI stack.
          georgeou
  • Hot Pockets

    Wireless Hot Spots. Oh so very convenient and oh so veheheheherrrry insecure.

    So much so, if you've got a home PC running ssh server, I strongly recommend you consider using ssh, Secure Shell (http://en.wikipedia.org/wiki/Secure_shell)[1].

    Very simply, one can open a terminal shell to set up a tunneled SOCKS4 proxy with ssh for all of your web activity--example ssh syntax:

    $ ssh -D 8000 -f -N username@home_ip

    Input your ssh password when prompted, then close the terminal window after the tunnel is set and backgrounded.

    In your browser, set up your proxy to SOCKS4 and localhost (127.0.0.1) with the port above (port 8000 in the example command line above is arbitrary--you can make it any non-privileged port you want)

    At that point close and reopen your browser and off you go.

    You have set up a secure tunnel to your home PC[2].

    If you aren't sure if you are proxied to home, go to www.dnsstuff.com and you should see your home ip at the top of the screen.

    OK George, so I am an ssh 'Fan Boy'.
    For good reason.

    [1] Windows client users, download a copy of Cygwin (http://www.cygwin.com/)
    [2] Additional steps required to set up a ssh port (22) forward if PC is firewalled behind a router at home
    D T Schmitz
    • Different purpose

      We're talking about securing the link between the client and the laptop which is the most critical since messages are transmitted in the air.
      georgeou
      • no not really

        ssh method I describe (in the thread above) is an rsa encrypted tunnel from the laptop thru the wireless ap to the home pc.

        Totally secure endpoint from laptop to home.
        Thank youz
        D T Schmitz
        • That covers the user's security, but not the network's security

          First of all, most people are not going to set up their own SSH or VPN gateway at home.

          Second, the VPN/SSH security model opens the network to Layer 2 threats. See:
          http://blogs.zdnet.com/Ou/?p=417
          georgeou
          • Well if they knew how they would!

            And if they are using Linux--it's a piece o' cake as I describe above.

            Anyone who relies on other's underlying security infrastructure on a public wireless is tempting fate.

            My 'usable example' isn't really difficult to set up.

            The hardest part is a 'one-time' configuration of a port forward on the user's home router, enabling the destination PC's firewall to accept inbound ssh (port 22) and adding sshd server to the /etc/init.d/rc5.d runlevel boot sequence (using chkconfig --add or a gui such as Yast).

            Thus, one can be in any public hotspot and not care about such 'truck'. You are tunneled to your home anyhow.

            OK? OK! Thanks George. :) :)
            D T Schmitz
  • So you are saying that reporters are incredibly inept?

    "It took members of the press and attendees over an hour to get Wireless LAN access because username/password style wireless LAN security is employed. Last year it was even worse when each member of the press had to have their own unique username and password."

    People in the press can't be as completely inept as you claim, that is ridiculous! Years back, I used to get Wi-Fi in San Diego for a wireless hotspot provider (for a fee) and they provided a UUID/password pair for every subscriber. Are you saying that the press is so technically inept that they can not deal with something as simple as a UUID/password pair (something that has been in Unix based OS's for over 20 years and Windows for at least 10 to 15)?

    "The universally accepted way of providing guest hotspot access is to not have any kind of link-layer security at all and just running everything wide open."

    Depends on the wireless hot spot and if you were just free loading on an open link.

    "Since secure protocols are the exception and not the rule, hotspots are the most insecure and dangerous form of connectivity and the RSA conference is trying to lead by example."

    You implied that the users were inept or lazy.

    "The problem is that true wireless LAN security in an ad hoc environment isn't usable because there is no seamless inter-organization identity infrastructure in place."

    Depends on how one sets up the wireless aspect of their LAN. If you have a centralized authentication source (RADIUS, etc.), as you mentioned in the next paragraph, something that many wireless LANs and hot spots have had for well over 5 years, you have more security than having an open unauthenticated connection.

    If you actually want some layer of security then you have to use some encryption system, be it TLS/SSL, WEP (broken) or similar. One post mentioned using SSH (http://talkback.zdnet.com/5208-10533-0.html?forumID=1&threadID=29965&messageID=557142&start=-1), but most people won't do that (though you could use Putty or Cygwin).
    B.O.F.H.
    • No that's not what I said

      The reporters/attendees were in line to get their temporary username/passwords to get on. However many people had a hard time with the security settings since.
      georgeou
      • Seeing as I quoted you, what did you actually say?

        I would presume from your response that you (or they) found using a simple UUID/password pair (as used on many Wi-Fi hotspots) to be too complicated. You have a debate with your words or my interpretation of what you wrote (in a few paragraphs). What were the specifics of the configuration that you (or they) found to be too complicated to use?

        What simple security setting did you find to be so hard or complicated to use?
        B.O.F.H.
        • Why not Read the Article?

          You ask a question that is easily answered by reading the article. Why don't you read it instead of making rash presumptions?

          No, George did NOT say that the reporters "found using a simple UUID/password pair to be too complicated". That is your presumption, and in -both- senses of the word.

          He _did_ say that the delays in getting this UUID/password pair to _work_ were long, implicating the long lines at the helpdesk.

          Why can't you see that these are two different things? Are you really unaware of how many things can go wrong when somebody tries to implement wireless security? Too many pieces of the puzzle simply do not work as advertised. That is why so many hotspots have given up on link level security, and just allow anyone to connect, warning them that their data is not secure (unless they use SSL or SSH).

          Now of course, it would have been nice if George had gone into a little more detail concerning _why_ the attempt to provide wireless security resulted in such long lines, but that might have made the article too long for his purpose. Whatever the specific reason for RSA's failure, it was a failure. And that was the key fact he needed to make his point.

          Surely understanding this is easier than setting up a usable hotspot with link-level security;)
          mejohnsn
          • I've got an article coming up on how to do this safely and easily

            First of all, thanks for giving a great explanation. I had given up on trying to explain it to him.

            Second, I figured out an even easier way to provide link layer security for anonymous user hotspots and I'm going to write an article on how to do it.
            georgeou
  • Important factor in software design.

    Yes, there's a contradiction between usability and security.

    Most people begrudge the effort necessary to increase security. And it isn't a selling point.

    The customer's image of computer use is turning it on and having the device work with as little attention to the fact that there's a machine involved as possible.

    There's no strong distinction between as little attention to the computer as possible and no attention to the computer.

    So if you want to make software widely used, ask as little of the buyer that's not related to functionality as possible.

    That's one reason Microsoft has consistently made security upgrades that ask nothing of the user. That's as much as the user wants to provide. In fact, nothing may be too much, if it slows the machine.
    Anton Philidor
  • Shibboleth

    What you are asking for is "... Web Single SignOn (SSO) across or within organizational boundaries". That is the goal of the Open Source Shibboleth Project (http://shibboleth.internet2.edu/) It does require setting up trust relationships between sites, but that would be true of a Radius approach, too.

    In the end, I don't see how I can ever trust any publicly accessible connection, wireless or wired (I don't know where that wire goes, either). I have to do the security on my device - SSL, SSH, VPN, Firewall, ...
    R West
  • I have a couple of notions that might help

    Considering the almost disposable cost of Wireless devices and the availability of USB ports, why not a wireless dongle with enough flash memory to contain settings to connect to a secure Access point. Format them before the event, hand them out, let laptops connect with plug and play drivers for each OS and be ready to go when they get there.

    If they want to add more thought to it, they could include some flash presentations as well as some other product data on the USB storage/WiFi device so they can take it home.

    Of course all of this information would have to be encrypted on the drives, but this would add for an interesting demonstration of their security. I am sure setup would be easier for the user over all, just that annoying dongle to deal with.

    Well anyways, this is just a thought, nothing that I could really implement myself, maybe if I had a slight skill with a soldering gun and a little more skills with the scripts. Hell, I might even have a new product line.
    nucrash
    • But wait

      You're onto something!
      No. Let's see. Sorry. I take that back.
      D T Schmitz
      • Sorry you didn't like it

        You are right though, I don't know if it would be feasible.

        I just thought that perhaps there should be such a device keyed into LANs. If production costs permitted, it could be like the 1.44 MB of free disk space that AOL used to provide.
        nucrash
        • nucrash--it's me

          Just messing with your head. ;)
          Actually your idea is good.

          Is this (http://linuxdevices.com/news/NS8562564746.html) something you've seen before?

          Best,
          Dietrich
          D T Schmitz