Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Security Breakthrough Kills 'Evil Twins'

I'm always on the lookout for Wi-Fi security breakthroughs, so I read this article with intense interest. Then I read the details, and became far less interested. It looks like a new type of challenge-response authentication protocol. It doesn't solve any problem that hasn't already been solved a dozen different ways, and being patented is going to get it put into many systems when so many patent-free protocols are available. I think the only reason that this "delayed password disclosure protocol" is getting any attention at all is that they have tied it to the recent hullabaloo over "evil twins".
Evil twin protection already exists today in the form of WPA security. WPA Personal provides mutual authentication without password disclosure through its 4-way handshake, while WPA Enterprise first opens a TLS tunnel that authenticates the server before any password data is sent through the encrypted channel. On top of that, WPA Enterprise typically uses MS-CHAPv2 as the password protocol inside the tunnel, which itself provides mutual authentication without password disclosure even without the TLS tunnel.
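To make the WPA Personal point concrete, here is an added simulation of the 4-way handshake (example code written for this note, not something from the original post or from any WPA implementation). It follows the 802.11i derivations: the PMK comes from PBKDF2-HMAC-SHA1 over the passphrase and SSID, the PTK from the standard PRF over both MAC addresses and both nonces, and each handshake message carries an HMAC-SHA1 MIC keyed with the first 16 bytes of the PTK (the KCK). The MAC addresses and SSID are constructed values, and the message bodies are simplified stand-ins for real EAPOL-Key frames; only the key derivation and MIC logic are faithful. The point it demonstrates is the one the paragraph makes: an access point that does not know the passphrase never sees it on the air, and the station detects the impostor because message 3 arrives with a MIC it cannot verify.

```python
import hashlib
import hmac
import os

# Constructed identifiers for the simulation (not real devices).
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
SSID = "LabNotes"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK per 802.11i: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 * 160 bits covers the 512 bits needed
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 under the KCK (PTK[0:16]), truncated to 16 bytes."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def run_handshake(ap_passphrase: str, sta_passphrase: str) -> dict:
    """Simulate the 4-way handshake between an AP and a station.

    The AP and the station each derive their own PMK from the passphrase they
    believe is correct; an evil twin simply holds the wrong one.  Returns the
    verdict of each side plus everything that crossed the air, so the caller
    can check what an eavesdropper (or the twin itself) actually learned.
    """
    ap_pmk = derive_pmk(ap_passphrase, SSID)
    sta_pmk = derive_pmk(sta_passphrase, SSID)
    over_the_air = []

    # Message 1 (AP -> STA): ANonce in the clear, no MIC yet.
    anonce = os.urandom(32)
    over_the_air.append(b"MSG1" + anonce)

    # Message 2 (STA -> AP): SNonce plus a MIC proving the station knows the PMK.
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, AP_MAC, STA_MAC, anonce, snonce)
    msg2_body = b"MSG2" + snonce
    msg2_mic = eapol_mic(sta_ptk[:16], msg2_body)
    over_the_air.append(msg2_body + msg2_mic)

    # AP derives its own PTK and checks the station's MIC.
    ap_ptk = derive_ptk(ap_pmk, AP_MAC, STA_MAC, anonce, snonce)
    ap_accepts_station = hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2_body), msg2_mic)

    # Message 3 (AP -> STA): ANonce again, now with a MIC proving the AP knows the PMK.
    msg3_body = b"MSG3" + anonce
    msg3_mic = eapol_mic(ap_ptk[:16], msg3_body)
    over_the_air.append(msg3_body + msg3_mic)
    station_accepts_ap = hmac.compare_digest(eapol_mic(sta_ptk[:16], msg3_body), msg3_mic)

    # Message 4 (STA -> AP) is only sent if the station accepted the AP.
    if station_accepts_ap:
        over_the_air.append(b"MSG4" + eapol_mic(sta_ptk[:16], b"MSG4"))

    return {
        "ap_accepts_station": ap_accepts_station,
        "station_accepts_ap": station_accepts_ap,
        "over_the_air": b"".join(over_the_air),
    }


def passphrase_was_disclosed(result: dict, passphrase: str) -> bool:
    """True only if the passphrase bytes themselves appeared in any frame."""
    return passphrase.encode() in result["over_the_air"]


if __name__ == "__main__":
    legit = run_handshake("correct horse battery", "correct horse battery")
    twin = run_handshake("evil twin guess", "correct horse battery")
    print("legitimate AP accepted by station:", legit["station_accepts_ap"])   # True
    print("evil twin accepted by station:    ", twin["station_accepts_ap"])    # False
    print("passphrase sent in the clear:     ", passphrase_was_disclosed(twin, "correct horse battery"))  # False
```

Both verdicts come from comparing MICs that only a holder of the PMK can produce, which is what makes the authentication mutual. The caveat a practitioner should keep in mind is that message 2's MIC is a fixed function of the passphrase and the captured nonces, so a short or dictionary passphrase can be guessed offline against a recorded handshake; a long random passphrase is what keeps WPA Personal's property meaningful, and WPA Enterprise sidesteps the issue by authenticating the server with a certificate inside TLS before any credential is used.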
By Periodik Labs on February 23, 2005 11:10 AM