29c3
spacenet @ 29c3
Spacenet is also being offered at 29c3! You can connect with your credentials from your home hackerspace (or community). If you don't have an account you can connect with these credentials:
Username: guest@event
Password: guest
Phase 1: EAP-TTLS or PEAP
Phase 2: MSCHAPv2 or PAP
CN = eventradius.spacefed.net
CA = StartCom
Fingerprint = 88:4C:4F:41:C0:24:C8:53:87:10:1E:8F:90:22:F3:67:F2:B1:32:79
Join us at #spacefed on irc.smurfnet.ch if you have any questions. Enjoy! :)
P.S. If you check the certificate, spacenet secures your link layer. Please note, however, that spacenet in and of itself does not protect against Ethernet/layer 2 attacks. Watch out for DHCP spoofing, ARP/NDP spoofing of the gateway and rogue router advertisements!
FAQ
Why is this useful?
Spacenet is federated authentication for WiFi networks. Spacenet is about providing easy and secure "guest" WiFi access for your fellow hackers. When you have an account at a hackerspace or community you can connect to spacenet. If you do not have an account you can connect to spacenet at 29c3 with the guest credentials as noted above.
Spacenet is useful because:
Ease of use: configure once, use wherever available.
Security: uses WPA2 Enterprise and thus dynamic keys (unlike WPA2-PSK).
Is connecting to spacenet at 29c3 with guest credentials more secure than connecting to the unencrypted (open) 29c3 network?
Yes. Spacenet at 29c3 runs on the same WiFi infrastructure and backend as the 29c3 networks. Instead of completely unencrypted WiFi access, your data goes over the air encrypted with WPA2 Enterprise (CCMP/AES). Even though many clients use the same credentials to log in to the network, this is not an issue.
The credentials you provide are used for authentication and authorization, *not* for encryption. A temporary key is derived during the 802.1X authentication process and transported inside TLS. This temporary key is used to encrypt the WPA2 handshake, in which the session key is determined.
In WPA2 pre-shared key networks the temporary key is entered by the users themselves and is therefore open to attacks, because every user knows the key.
Why is checking the certificate important?
If your client does not check the certificate you cannot be sure you are actually connecting to the "correct" network. When your client is onboarded to a rogue network you are vulnerable to:
Man-in-the-middle attacks (you are not connecting to the "trusted" network)
Password sniffing (not really critical for guest credentials): with PAP your password goes encrypted over the air, and with MSCHAPv2 your password will be recoverable within a reasonable amount of time.
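As an added example (not from the spacenet page or the spacenet project), here are two wpa_supplicant network blocks for the guest credentials above: one without certificate checking, which is exactly the situation the previous section warns about, and one that pins the CA and the server name. The SSID "spacenet" and the CA bundle path are assumptions; use the StartCom root your distribution ships.

```conf
# Added example, not part of the spacenet page.  SSID and ca_cert path
# are assumptions; credentials, CN, CA and EAP methods come from the page.

# WEAK: no ca_cert and no subject check.  The supplicant will run
# EAP-TTLS/PAP against any access point announcing this SSID and hand
# the password to whoever operates that RADIUS server.  Kept disabled;
# it is here only to show the mistake.
network={
    ssid="spacenet"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="guest@event"
    password="guest"
    phase2="auth=PAP"
    disabled=1
}

# HARDENED: the server certificate must chain to the StartCom CA and
# carry CN / SAN eventradius.spacefed.net, otherwise the supplicant
# aborts the EAP exchange before any inner credentials are sent.
network={
    ssid="spacenet"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="guest@event"
    password="guest"
    # path assumed; point this at the StartCom root only, not a full bundle
    ca_cert="/etc/ssl/certs/StartCom_Certification_Authority.pem"
    # substring match on the subject DN as wpa_supplicant formats it
    subject_match="/CN=eventradius.spacefed.net"
    # exact match on a subjectAltName entry (DNS:... syntax)
    altsubject_match="DNS:eventradius.spacefed.net"
    phase2="auth=MSCHAPV2"
}
```

With the hardened block, a rogue access point presenting any other certificate fails TLS server validation, so neither the PAP password nor an MSCHAPv2 response ever leaves the client.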
Certificate
Please check the certificate!
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 53618 (0xd172)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: May 19 10:43:10 2012 GMT
            Not After : May 20 01:28:11 2014 GMT
        Subject: description=BEXj6vlnNl3Q294m, C=NL, ST=Utrecht, L=Amersfoort, O=Arjan Koopen, CN=eventradius.spacefed.net/emailAddress=hostmaster@spacefed.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
            Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: CA:FALSE
            X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier: 99:DF:40:9A:A9:CB:D6:ED:B6:77:56:52:7B:E2:CC:BA:69:90:BB:AA
            X509v3 Authority Key Identifier: keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
            X509v3 Subject Alternative Name: DNS:eventradius.spacefed.net, DNS:spacefed.net
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.23223.1.2.2
                CPS: http://www.startssl.com/policy.pdf
                CPS: http://www.startssl.com/intermediate.pdf
                User Notice: Organization: StartCom Certification Authority, Number: 1, Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
                User Notice: Organization: StartCom Certification Authority, Number: 2, Explicit Text: Liability and warranties are limited! See section "Legal and Limitations" of the StartCom CA policy.
            X509v3 CRL Distribution Points: URI:http://crl.startssl.com/crt2-crl.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
            X509v3 Issuer Alternative Name: URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption