Broadband-Hamnet™ Forum :: General
 Subject :Why Encryption?.. 2012-03-02- 21:22:17 
DJ0IQ
Member
Joined: 2012-03-03- 03:05:58
Posts: 6
Location

I started this thread on the QRZ site when the HSMM-MESH topic was posted earlier this week.

The issue of the use of encryption when operating HSMM-MESH on a part 97 transmitter has been heavily debated in the Amateur Radio community but never ruled upon by the FCC. I have offered to use my professional services to file a Request for Ruling with the FCC on this topic.

As part of my research, I have asked why HSMM-MESH makes use of encryption. The typical answer is that it is needed to keep the unwanted off the mesh. As I have made quite clear on the QRZ forum, this is an application for authentication, not encryption. One can keep unwanted users off the mesh through authentication alone without the need to use any encryption.

I have asked the following research question on the QRZ forum but I have not received an answer so I will ask it here:

Since authentication does not require encryption, why does HSMM-MESH use encryption?

I don't ask this to be glib, cute or for spite. This is an essential point to the request for ruling with the FCC. We need to be clear as to why the choice has been made as it has.

If anyone would like to participate in the Request for Ruling, please send me a PM via my email on QRZ.

- Glenn DJ0IQ and W9IQ

IP Logged
 Subject :Re:Why Encryption?.. 2012-03-03- 14:21:22 
W5LMM
Member
Joined: 2012-02-13- 18:18:04
Posts: 126
Location: Albuquerque, NM
 

Glenn:


I appreciate your efforts, and I wish I knew the answer, but I don't. Hopefully someone knowledgeable about the standard will chime in.

someone mentioned that encryption was used, but I see no settings for it, or any references to it either.



IP Logged
 Subject :Re:Why Encryption?.. 2012-03-03- 20:02:47 
DJ0IQ
Member
Joined: 2012-03-03- 03:05:58
Posts: 6
Location

Hi Lee,

Thanks for the reply. It concerns me that the issue of encryption is not made clear to the users of HSMM-MESH. I have looked over the documentation and help areas and have not found a clear statement either.

The good news is that you can check this out yourself. If you have an HSMM-MESH AP, connect to it with SSH and look for this file: /etc/config/wireless. Open or cat the file and look for the following lines, typically near the end of the file:

option encryption wep

option key THEKEY

The encryption option sets or turns off encryption. Its options are "none", "wep", "wpa", "wpa2", "psk", and "psk2". I believe that for ad-hoc networks like HSMM-MESH this needs to be "none" or "wep". The key option is the authentication key that must be the same for all APs participating in a common mesh.

I am doing this from memory without an AP in front of me and it has been a while since I have configured an OpenWrt device. If I have it wrong, someone please correct me. Take a look at these settings and report back on this thread what you find if you have the chance, Lee.

Meanwhile, I am still hoping that someone can answer my original question on this thread.

- Glenn DJ0IQ and W9IQ

IP Logged
Last Edited On: 2012-03-03- 20:04:20 By DJ0IQ for the Reason
 Subject :Re:Why Encryption?.. 2012-03-04- 00:48:06 
N2ZUL
Member
Joined: 2012-03-03- 07:34:20
Posts: 1
Location
config wifi-device wl0
    option type broadcom
    option channel 1
    option rxant 3
    option txant 3
    option distance 0

config wifi-iface
    option device wl0
    option network wifi
    option mode adhoc
    option ssid "HSMM-MESH"
    option encryption none

Same as the other site.
IP Logged
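The check Glenn describes above (look at the encryption option in /etc/config/wireless) applied to the config N2ZUL posted, as an added Python example that is not from this thread or the HSMM-MESH project: it parses an OpenWrt UCI-style wireless config and reports, per wifi-iface, whether over-the-air encryption is enabled. The sample config is constructed from the lines quoted in the thread, not read from a real node.

```python
# Added example, not from the forum thread or the HSMM-MESH project.
# Parses an OpenWrt UCI-style /etc/config/wireless and reports, for each
# wifi-iface section, whether the 'encryption' option is 'none' (cleartext,
# as the thread confirms HSMM-MESH ships) or something else (wep/wpa/psk...).
import shlex

# Constructed sample, taken from the lines N2ZUL quoted in this thread.
SAMPLE_WIRELESS = """
config wifi-device wl0
    option type broadcom
    option channel 1
    option rxant 3
    option txant 3
    option distance 0

config wifi-iface
    option device wl0
    option network wifi
    option mode adhoc
    option ssid "HSMM-MESH"
    option encryption none
"""

def parse_uci(text):
    """Return a list of (section_type, section_name, {option: value}) tuples."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = shlex.split(line)             # handles quoted values like "HSMM-MESH"
        if parts[0] == "config" and len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else None   # anonymous sections have no name
            sections.append((parts[1], name, {}))
        elif parts[0] == "option" and sections and len(parts) >= 3:
            sections[-1][2][parts[1]] = parts[2]
    return sections

def audit_encryption(text):
    """One finding per wifi-iface: the encryption setting and whether it is cleartext.
    A missing 'encryption' option is treated as 'none', which is OpenWrt's default."""
    findings = []
    for stype, _, opts in parse_uci(text):
        if stype != "wifi-iface":
            continue
        enc = opts.get("encryption", "none")
        findings.append({"ssid": opts.get("ssid"), "mode": opts.get("mode"),
                         "encryption": enc, "clear": enc == "none",
                         "has_key": "key" in opts})
    return findings

if __name__ == "__main__":
    for finding in audit_encryption(SAMPLE_WIRELESS):
        print(finding)
```

Running it against a real node's file (for example `audit_encryption(open("/etc/config/wireless").read())`) gives the same per-interface report Glenn asked Lee to collect by hand.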
 Subject :Re:Why Encryption?.. 2012-03-04- 10:00:41 
W5LMM
Member
Joined: 2012-02-13- 18:18:04
Posts: 126
Location: Albuquerque, NM
 
So that looks to me as if encryption is NOT enabled by default, but can be used if desired, although you'd have to set it up manually since there is no setting in the web interface.
IP Logged
 Subject :Re:Why Encryption?.. 2012-03-04- 15:00:12 
AD5OO
Admin
Joined: 2010-01-18- 23:05:42
Posts: 37
Location

HSMM-MESH™ does not use encryption. Every layer of the network and every protocol is open and unencrypted. Authentication is used when logging into the administrative interface of a mesh node, as it should be. No other form of "obfuscation" is used.

73
ad5oo


IP Logged
 Subject :Re:Why Encryption?.. 2012-03-04- 23:00:03 
DJ0IQ
Member
Joined: 2012-03-03- 03:05:58
Posts: 6
Location

Hi Bill and Dave,

Thanks much for that information. It looks like some of the feedback I got on QRZ was wrong. I am glad to see it is on solid footing and this doesn't warrant a request for ruling.

If I may make a suggestion, it would be to remove the reference to the CQ article that leaves one to infer encryption is used and somewhere make a clear statement that encryption is not used - perhaps in the design philosophy or the getting started section. Just a thought.

Thanks again. - Glenn DJ0IQ and W9IQ

IP Logged
Last Edited On: 2012-03-04- 23:01:02 By DJ0IQ for the Reason
 Subject :Re:Why Encryption?.. 2012-03-05- 11:50:45 
kf7bws
Member
Joined: 2011-10-28- 14:57:45
Posts: 13
Location: Keizer, Oregon CN84lx
  
http://hsmm-mesh.org/images/stories/...ionIsLegal.pdf http://hsmm-mesh.org/documentation/1...ncryption.html
IP Logged
 Subject :Re:Why Encryption?.. 2012-03-05- 18:40:06 
DJ0IQ
Member
Joined: 2012-03-03- 03:05:58
Posts: 6
Location

Hi Wes,

I am sorry but I don't understand your reply. Both of your links have ellipses in them so they cannot be followed. One looks like you were intending to show the link to the CQ article that I recommend be removed from the site.

Perhaps you could correct the links and explain your point in posting them?

- Glenn DJ0IQ and W9IQ

IP Logged
Last Edited On: 2012-03-05- 18:40:40 By DJ0IQ for the Reason
 Subject :Re:Re:Why Encryption?.. 2012-03-11- 18:24:24 
AC7BR
Member
Joined: 2012-03-10- 21:48:47
Posts: 13
Location: Riverton, UT

At a minimum, it should be explained in the FAQ and documentation that HSMM-MESH does not use encryption. I too was confused by the CQ article and thought that HSMM-MESH used encryption. This is the first time I have found anything to the contrary.

Thanks,

AC7BR




[DJ0IQ 2012-03-04- 23:00:03]:

Hi Bill and Dave,

Thanks much for that information. It looks like some of the feedback I got on QRZ was wrong. I am glad to see it is on solid footing and this doesn't warrant a request for ruling.

If I may make a suggestion, it would be to remove the reference to the CQ article that leaves one to infer encryption is used and somewhere make a clear statement that encryption is not used - perhaps in the design philosophy or the getting started section. Just a thought.

Thanks again. - Glenn DJ0IQ and W9IQ


IP Logged
 Subject :Re:Why Encryption?.. 2013-01-29- 17:19:43 
kr0siv
Member
Joined: 2013-01-26- 20:02:56
Posts: 8
Location
It's easy, guys... Do NOT use WEP, WPA, or ANY option other than none. Authorization is used on the administration pages... that's all good and there is no encryption there. To get into the network there is no security at all, anyone could hack right on in... but who cares? That's the same as any radio repeater, PL tone or not. I know for a fact WEP is a form of encryption and it encrypts not only the authentication key but ALL data passed through the network. So don't use WEP. I hope that cleared things up for those who were still unsure.
IP Logged
 Subject :Re:Why Encryption?.. 2013-04-22- 16:10:17 
KC2OTS
Member
Joined: 2013-04-16- 11:34:57
Posts: 6
Location: Eastern NY

What I took from the CQ article is that it depends on why you're encrypting the traffic. They mentioned network security and access control, and also repeater control codes. This sticks out to me because not only is a mesh node basically a repeater, but the admin pages for each one are unencrypted. When you log in, the root password for that node is going over the air in plain text. (Of course, something like WPA would prevent the casual listener from seeing this, but if the key could be obtained or cracked somehow, this would be moot.)

I think that using SSL for the admin page (i.e., giving it an https:// URL) would be a wise idea. It would require some work on the firmware, which I am looking into, but I think it could be done technically. Without it, there is the possibility of a casual WiFi sniffer lifting the password and tampering with a node. If the mesh is being used for something like emergency communications, a measure like this would be very important for the stability of the network. Of course, the workaround is to just access the admin page only through a wired connection and never through the mesh, but this could be impractical for a remote site.

IP Logged
 Subject :Re:Why Encryption?.. 2013-04-23- 04:29:10 
kr0siv
Member
Joined: 2013-01-26- 20:02:56
Posts: 8
Location
We are still faced with a problem though... Let's say you do use a WEP key; that is cracked in under a minute (I've done it). Let's say you use a WPA key; that's better, but keep the password strong. Now at this point we must legally publish the key to get onto the network, which makes this moot. Let's assume that's not the case: anyone who can access a node can now sniff all traffic on the line. You suggested SSL, but since we don't have a CA it would be VERY easy for anyone to strip or intercept the SSL communication. However... I don't think any of this is required; with the way these nodes are set up nobody can just wirelessly connect. They must use another node. It would be a good idea to set up a MAC address system that blocks unapproved nodes so that someone can't just flash a router and hop on. That of course isn't perfect since people can sniff MAC addresses easily, and of course you still have the issue that while a normal WiFi device cannot connect, you could modify one to do so... The thing here though is that the average person, and even today's average Tech, wouldn't know how to do this. I'm sure these networks might some day be targeted, but it would be few and far between, by those few who really understand what's going on with these networks. Just my 80 cents...
IP Logged
 Subject :Re:Why Encryption?.. 2013-04-23- 14:22:13 
KC2OTS
Member
Joined: 2013-04-16- 11:34:57
Posts: 6
Location: Eastern NY

I think the CQ article mentioned that the encryption scheme would have to be documented, but we wouldn't have to publish the key. Then again, it would need to be published somewhere if we want people to actually get on the network, so whether or not it's right about that doesn't really matter.

I could be wrong, but I'm pretty sure that a self-signed SSL certificate would work. The first time you went to the SSL-protected page your browser would complain about the cert not being from a trusted authority, but if you accept the cert anyway you won't get that error again until it expires, or if someone tries to do a man-in-the-middle attack, in which case you can simply choose to not accept it. The initial accepting of the certificate could be done by the user right after flashing the firmware, presumably while plugged in with a cable. This wouldn't quite be as streamlined as having a CA, but I think it would get the job done.

As for connecting, the nodes use OLSR to negotiate routes and addresses, but other than that it's basically a normal ad-hoc network. You can still connect and either sit there with no IP and watch the traffic, or just pick a random IP. All you need then is a packet sniffer - I just tried connecting to the mesh with my laptop, and was able to sniff a root password being sent from one of my WRT54Gs to the other.

I agree that in most cases the mesh wouldn't really be much of a target, especially since, despite what I said earlier, if someone blindly tries to connect they won't get very far without OLSR. Regardless, getting on and listening around isn't the most difficult thing, and doesn't necessarily take a lot of skill. If someone was really intent on disrupting things it would not be that far out of reach. I do like the openness of the network, in that it is easy for anyone to join in, so I would not really agree with using something like WPA or WEP. But we should probably be careful of critical parts of the mesh infrastructure, like the configuration page.

IP Logged