--- This message came from the IEEE 802.11 Working Group Reflector ---
Hello,

CIDs 1056 and 1057 deal with the SAE Password Identifier that was added to the REVmd draft in January (11-18/0202r3). CID 1056 raises a privacy concern since the Password Identifier is passed in the clear and CID 1057 requests a generation technique for identifiers. Both CIDs state that the "commenter will bring a contribution." Document 11-18/0867r0 is by the commenter(s) and proposes resolution to both CIDs.

Unfortunately, the proposed solution will gut the security of the standard. SAE was very carefully designed to be resistant to dictionary attack and the proposed resolution to these CIDs adds in a dictionary attack against SAE. And if that isn't bad enough, the dictionary attack it introduces is *three orders of magnitude faster* than the dictionary attack against PSK mode. This is a profoundly bad idea that should be rejected.

The case for the privacy concern was not adequately brought, in my opinion, and the use case for the Password Identifier does not really introduce any new privacy issues.

For these two reasons—lack of a clear problem, solution that destroys security—I propose that CIDs 1056 and 1057 be rejected. If text is needed to add to the comment spreadsheet to justify rejection I think it can be cobbled together from the paragraphs above and I would be happy to do such cobbling if need be.

regards,

Dan.