spacenet @ OHM2013
Spacenet is also being offered at OHM2013! You can connect with your credentials from your home hackerspace (or community). If you don't have an account you can connect with these credentials:
Username: firstname.lastname@example.org Password: guest Phase 1: EAP-TTLS or PEAP Phase 2: MSCHAPv2 or PAP
CN = *.ohm2013.org CA = StartCom SHA1 Fingerprint = BA:31:76:3C:D9:94:F7:D3:1B:E1:35:5C:E4:E1:72:34:74:02:59:C5
Join us at #spacefed on irc.smurfnet.ch if you have any questions. Enjoy! :)
P.S. Your link layer should be secure using spacenet if you do certificate checking, but please note that spacenet in and of itself does not protect against ethernet/layer 2 attacks. Watch out for DHCP spoofing, ARP/NDP spoofing of the gateway and rogue router advertisements!
Why is this useful?
Spacenet is federated authentication for WiFi networks. Spacenet is about providing easy and secure "guest" WiFi access for your fellow hackers. When you have an account at a hackerspace or community you can connect to spacenet. If you do not have an account you can connect to spacenet at OHM2013 with the guest credentials as noted above.
Spacenet is useful because:
- Easy of use: configure once, use wherever available.
- Security: uses WPA2 Enterprise, thus dynamic keys (unlike WPA2-PSK).
Is connecting to spacenet at OHM2013 with guest-credentials more secure then connecting to the unencrypted (open) OHM2013 network?
Yes. Spacenet at OHM2013 runs on the same WiFi infrastructure and backend as the OHM2013-networks. Instead of providing completly unencrypted WiFi access, your data goes encrypted over-the-air encrypted by WPA2 Enterprise (CCMP/AES). Eventhough a lot of clients are using the same credentials to login to the network this is no issue.
The credentials you provide are used for authorization and authentication, *not* for encryption. A temporary key is derived in the 802.1X authentication process, this is transferred in TLS. This temporary key is used to encrypt the WPA2 handshake, in this handshake the session-key is determined.
In WPA2-PreSharedKey networks the temporary key is entered by the users and thus is open to attacks because the users know the key.
Why is checking the certificate important?
If your client does not check the certificate you cannot be sure you are actually connecting to the "correct" network. When your client is onboarded to a rogue network you are vulnerable to:
- Man-in-the-middle attacks (your are not connecting to the "trusted" network)
- Password sniffing (not really critical for guest credentials): with PAP your password goes encrypted over the air and with MSCHAPv2 your password will be reversible within a reasonable amount of time.
Please check the certificate!
Certificate: Data: Version: 3 (0x2) Serial Number: 66839 (0x10517) Signature Algorithm: sha1WithRSAEncryption Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA Validity Not Before: Oct 8 07:50:42 2012 GMT Not After : Oct 9 23:22:54 2014 GMT Subject: description=nU7rvkhG3Xy0kwk6, C=NL, ST=Utrecht, L=Muiden, O=Int. Festivals for Creative Application of Technology Foundation, CN=*.ohm2013.org/emailAddressemail@example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:b6:55:a8:36:bb:77:2f:98:bd:bf:91:3e:75:07: ea:5a:76:ca:25:fa:0f:a4:b3:53:59:04:73:a7:4c: 4b:c6:dc:45:3c:3b:35:23:ee:6a:f7:9a:ea:fe:b7: be:67:29:3b:9b:53:1e:2d:ea:ee:dc:a2:58:db:ea: 20:f7:ab:73:66:0c:ad:fb:8f:2b:df:65:49:68:ed: aa:a4:41:15:9e:6a:29:59:91:1b:25:cf:a6:bc:1b: 38:d7:8d:8b:18:12:87:62:b9:fd:47:21:22:c7:00: 17:d4:00:a0:65:77:9d:bd:6b:9e:78:2d:3e:9b:bc: 09:9f:4e:3c:8c:f8:4e:b3:64:96:18:70:3b:7a:ee: 02:55:8b:c5:bd:b5:a1:88:11:98:f6:71:28:01:12: 0c:ae:cd:00:05:3c:77:aa:e8:0e:a5:45:a8:6e:e7: af:57:6e:ba:14:c6:07:b1:90:99:33:bd:d8:08:55: dd:34:47:ce:c7:fc:1f:05:c3:e5:b6:20:49:95:04: 09:56:0c:6d:ac:4f:a5:98:5a:bc:c0:2c:7b:4b:5d: 31:97:b7:e7:91:12:28:92:e5:4e:54:9b:fe:7f:c6: a6:3c:13:57:8f:1c:8b:4c:d2:f6:fb:56:24:d4:bf: 3e:8e:8e:45:dc:a3:fc:c7:22:df:ee:40:c5:52:79: ec:4f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: 18:A9:E4:DC:CD:FF:3C:DA:BE:0B:94:ED:1B:7C:C8:7D:3C:76:AF:FC X509v3 Authority Key Identifier: keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86 X509v3 Subject Alternative Name: DNS:*.ohm2013.org, DNS:ifcat.org, DNS:*.ifcat.org, DNS:ohm2013.org X509v3 Certificate Policies: Policy: 220.127.116.11.4.1.2318.104.22.168 CPS: http://www.startssl.com/policy.pdf CPS: http://www.startssl.com/intermediate.pdf User Notice: Organization: StartCom Certification Authority Number: 1 Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations. User Notice: Organization: StartCom Certification Authority Number: 2 Explicit Text: Liability and warranties are limited! See section "Legal and Limitations" of the StartCom CA policy. X509v3 CRL Distribution Points: URI:http://crl.startssl.com/crt2-crl.crl Authority Information Access: OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt X509v3 Issuer Alternative Name: URI:http://www.startssl.com/ Signature Algorithm: sha1WithRSAEncryption 7a:5d:01:5a:a7:6d:46:6b:d7:2a:5f:b5:0b:18:d9:56:da:c8: 4d:c4:86:72:62:b6:1c:1a:c0:f2:9a:2b:a1:a7:d1:22:5f:68: 6c:c5:b9:f6:57:9c:4c:86:37:1b:e9:47:c1:03:37:98:d3:7d: d2:da:be:9f:d6:1a:f2:5c:08:06:a7:2a:c2:eb:7b:58:1e:88: 94:57:a1:4c:f4:7e:5d:fc:38:82:49:53:10:42:60:e7:12:7e: 25:13:de:1b:4c:74:d9:9d:00:d6:f6:74:eb:4b:a4:81:d0:41: 52:07:d6:64:e2:04:16:3a:97:93:70:6b:6d:9d:31:63:34:92: d1:b4:0c:4b:af:76:44:3e:08:95:08:14:e9:16:06:9e:8a:2a: 1f:e4:22:01:dd:44:7c:53:7f:64:61:a2:e7:44:f8:76:b3:ec: 20:1b:02:7e:5a:72:5e:49:1e:82:9b:60:12:b3:9d:c8:52:93: 1a:30:4b:54:c0:07:9d:ea:41:89:30:d8:0f:99:2e:90:ac:95: 26:b9:26:bc:cc:41:9e:e5:d1:23:1d:45:06:60:bc:fa:d2:05: 28:7f:68:ee:14:b1:36:2b:5d:32:57:96:a6:b8:ff:31:5a:a9: f7:99:79:74:b0:f2:30:c7:9d:2b:f6:e8:89:55:24:98:8b:0f: c0:bb:72:e5 SHA1 Fingerprint=BA:31:76:3C:D9:94:F7:D3:1B:E1:35:5C:E4:E1:72:34:74:02:59:C5