Does the authentication mechanism of 802.1X assume that you have already initially connected to the trusted network? What's puzzling me is that if I set up a cloned access point to fool users into connecting through me, if they connected to me before they connected to the proper network, how would they ever realise I wasn't the proper network? My dodgy access point can use 802.1X and I can give them my authentication messages and they can use my public key to decrypt? It doesn't tell them they are on the wrong network?
I presume 802.1X is only good at preventing this type of attack if you already have the public key of the trusted network on your machine? But now I'm confused again: how does my computer know which public key to use when I connect to a network? It cannot store the public keys according to SSIDs, because SSIDs are not unique??
What is your question exactly? It is unclear from what you've written. – None – 2012-01-21T21:41:26.770
See above for edit – Brad – 2012-01-21T21:54:54.547
Your computer doesn't need to know which public key to use. It simply connects to the network and then checks to see if the public key used is one it trusts. If so, it authenticates with the associated credentials, knowing it's talking to the right network. – David Schwartz – 2012-01-21T22:25:33.043
@David, as I understand it 802.1X provides mutual authentication using public key cryptography. If the server provides the public key then that defeats the point of the key being public; surely I should be obtaining it not from the server but from somewhere.... public, so that I know it IS their public key? I don't understand how this is done on 802.1X for wireless? – Brad – 2012-01-21T22:40:08.187
@Brad I think you don't understand how public keys work fundamentally. You store a public key bound to an identity. The server proves it owns that public key, and then you prove you own that identity. Done. So the server says, "This is my public key, and here is proof it's mine." The client says, "Ahh, I have an identity for the owner of that key, here it is and here's proof it's mine." The server says, "Yes, that's you." – David Schwartz – 2012-01-21T22:48:10.587
@David, I thought the server returns a digest from the client, signed with its private key. The client decrypts this using the server's public key, reads its own digest and therefore knows the sender was the person who received the digest? However, how does the client know which public key to use on the encrypted digest? – Brad – 2012-01-21T23:02:38.993
@Brad It's not encrypted, it's signed. And the digest can either include the public key (the usual method) or the client can try all of them. – David Schwartz – 2012-01-22T01:34:51.903
If I send you a phone number and tell you it's Microsoft, you ring and the person answering says he works for Microsoft, that doesn't prove it's Microsoft, does it? If I went on Google and that said the number is Microsoft, that would prove it..... ? – Brad – 2012-01-22T13:30:42.607
It's not clear which of two issues you're confused about. Is your question "how do I know the public key belongs to the right entity?" Or is it "how do I know the entity I'm talking to owns the public key I have an identity for?" – David Schwartz – 2012-01-22T19:06:12.280