Thanks Duncan for this thread.

In slide 8, the fourth bullet, should the <TA, RA> be <a2, m2’>? Since the AP MLD only receives m’ from the association frames.

Still I have a doubt on the attack procedure. As you mentioned, there should be a relay between the AP MLD and non-AP MLD, and then the attack can happen. I’m not sure if it’s a real problem.

Best Regards.

周逸凡 / Yifan Zhou
Huawei Technologies

From: Duncan Ho [mailto:dho@xxxxxxxxxxxxxxxx]
Hi all,

Sorry we ran out of time answering questions on the call today. I’ll try to answer them below here and please send me other questions you may have.

Rojan asked: How can 4-way handshake pass?

Answer: The 4-way handshake is between the non-AP MLD and the AP MLD and in MLO case it uses the MLD addresses to generate the PTK. Only the non-AP MLD and AP MLD know the PMK. The attacker does not change anything in the 4-way handshake so the 4WH will pass. The problem is the attacker has changed one of the STA MAC addresses of the non-AP MLD included in the Association Req msg, which goes undetected. If we add the STA MAC addresses of the non-AP MLD in one of the protected msgs within the 4-way handshake, the AP will receive the protected STA MAC addresses. Same idea goes in the other direction (AP MLD to the STA MLD).

Yongho asked: can we change the MAC address part as the following?

The MAC address(es) of the STA(s) of the non-AP MLD corresponding to the link(s) it intends to setup with the AP MLD.

Answer: Absolutely.

Thanks,
Duncan

To unsubscribe from the STDS-802-11-TGBE list, click the following link:
https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBE&A=1
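
The binding gap discussed in this thread, as an added example that is not part of the original messages or of any 802.11 draft text: a simplified model in which the PTK is derived from the MLD addresses only, so a substituted STA link address in the Association Request passes unnoticed unless the link addresses are carried in a MIC-protected handshake message. HMAC-SHA256 stands in for the 802.11 key derivation and MIC, and all function names, addresses and key values are constructed for illustration.

```python
import hashlib
import hmac

def derive_ptk(pmk, ap_mld, sta_mld, anonce, snonce):
    # Model assumption: HMAC-SHA256 stands in for the 802.11 key derivation.
    # As in the thread, only MLD addresses (not per-link STA addresses) go in.
    data = (min(ap_mld, sta_mld) + max(ap_mld, sta_mld)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, b"model-ptk" + data, hashlib.sha256).digest()

def mic(ptk, body):
    return hmac.new(ptk, body, hashlib.sha256).digest()[:16]

def sta_handshake_msg(ptk, snonce, link_addrs=()):
    # Protected message from the non-AP MLD; optionally carries its STA link addresses.
    body = snonce + b"".join(link_addrs)
    return body, mic(ptk, body)

def ap_accepts(ptk, body, tag, assoc_link_addrs, bind_links):
    # assoc_link_addrs: what the AP MLD recorded from the unprotected Association Request.
    if not hmac.compare_digest(mic(ptk, body), tag):
        return False
    if not bind_links:
        return True  # nothing in the handshake covers the link addresses
    protected = [body[i:i + 6] for i in range(32, len(body), 6)]
    return protected == list(assoc_link_addrs)

def demo():
    pmk = bytes(range(32))  # constructed sample values throughout
    ap_mld, sta_mld = bytes.fromhex("02aaaaaaaa01"), bytes.fromhex("02bbbbbbbb01")
    m1, m2 = bytes.fromhex("02bbbbbbbb11"), bytes.fromhex("02bbbbbbbb12")
    m2_prime = bytes.fromhex("02cccccccc12")  # address substituted in the Association Request
    anonce, snonce = b"\xaa" * 32, b"\x55" * 32
    ptk = derive_ptk(pmk, ap_mld, sta_mld, anonce, snonce)  # identical on both sides
    plain = sta_handshake_msg(ptk, snonce)
    bound = sta_handshake_msg(ptk, snonce, (m1, m2))
    return {
        "unbound_tampered": ap_accepts(ptk, *plain, [m1, m2_prime], False),
        "bound_tampered": ap_accepts(ptk, *bound, [m1, m2_prime], True),
        "bound_honest": ap_accepts(ptk, *bound, [m1, m2], True),
    }

if __name__ == "__main__":
    print(demo())
```
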