

[CSAIL - MIT]: New Wi-Fi security method does not require password - enterneo
http://web.mit.edu/newsoffice/2011/secure-wifi-0822.html

======
tlb
TL;DR: wireless communications can be attacked by injecting partial packets
into the wireless stream. An attacker just needs a higher-power transmitter.
They propose adding a second signature using on-off keying because an attacker
can't simulate an "off".

First of all, it's not true that a jammer can't simulate silence. It's tricky
and requires phase locking with accurate propagation delay estimates to the
receiver, but possible.

It also does nothing against a relay attack where the client can't hear the
server directly. For example, I could relay the wireless AP from two rooms
over so you'd connect to that one entirely through my relay.

------
ryan42
There is a way to do smart card authentication to a LAN, where you would not be
required to enter a password to connect and everything would be WPA2
encrypted. I implemented it before in a MS environment. It required a ton of
painful configuration. The downside, even though it worked, was that it was
pretty flaky and refused to stay connected for certain users when we rolled it
out. Ended up scrapping it for a WPA2+password setup with a better password
than the old one.

~~~
wmf
The advance here is not the lack of a password _per se_ but the lack of any
authentication at all.

------
wccrawford
While I think it -could- work, no 2 people could authenticate at the same
time, even to different access points. That would be a nightmare for
conventions.

~~~
brlewis
I wouldn't read the word "silence" in this article as a precise term. Check
out their abstract/paper:

<http://www.usenix.org/events/sec11/tech/tech.html#Gollakota>

The abstract says they've made it work on busy networks.

