What is spacenet?
Spacenet is a federated authentication system for secure roaming (wireless) network access across hackerspaces and community events.
Why is it useful?
It is useful because it allows secure wifi access anywhere. We all know hackerspaces and hacker events don't usually provide the most harmless networks, this way you get your own session key and your network session will be extremely hard to sniff without a mirror port on the switch or access to the gateway. It's also very easy to use once your hackerspace has set it up correctly. So:
- Easy to use
- Works at every connected hackerspace/hacker event
- Can be used to regulate access to your network
How does it work?
It works by using WPA2 Enterprise/802.1x. The access point connects to a local RADIUS server for authentication and session key distribution. If the anonymous identity is not something that ends with @your-local-realm.tld it will proxy the request to one of your country's Spacenet RADIUS nodes which will proxy it to the correct home RADIUS server. From that point on a secure TLS connection will be estabilished and the certificate is verified. If this matches, authentication is performed. If the authentication works, this is passed along to the local RADIUS server and a session key will be handed out to the access point and you will have a secure connection.
Is it really secure?
Nothing is completely secure, but this is as close as possible right now. The connection between the access point and the radius server is done over an ethernet link. Of course it should be protected against ARP/DHCP spoofing. These connections are using RADIUS 'encryption' based on MD5 for passwords, as are all connections to the proxy nodes. All authentication is done through a TLS tunnel to your home RADIUS server. Provided the certificates are verified it should be secure. The session key distribution is done within the RADIUS connection and as far as I know has this not been cracked.
So, put simply, yes, your traffic is now secured between your client and the network termination point, but if you don't trust the gateway or switched network, you should still use a VPN to your own infrastructure.
Can my authentications be logged?
Only at your local hackerspace if you use an anonymous identity. If you use email@example.com then the local radius will know that a client wants to authenticate to your home realm and it will forward the authentication to your home radius server, but it will never know that it is you specifically. This information is only sent within the TLS-encrypted channel to your home radius server.
Checkout the howto's here.