38

Eduroam is an organization that provides free WiFi to educational institutions and around some cities. I don't fully understand how the authentication works, but in order to connect you have to install a CA Certificate called eduroam_WPA_EAP_TTLS_PAP on your device. I know CA certificates are used to decrypt TLS/SSL traffic, so doesn't this mean that Eduroam can decrypt my traffic considering I have their certificate installed on my phone? Any input is appreciated.

The specific certificate looks like this (numbers changed for security):

$ openssl x509 -inform der -in ca.skole.hr.der -noout -tex
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = HR, ST = Zagreb, L = Zagreb, O = MZOS, OU = CARNet, CN = CA Root certificate skole.hr
        Validity
            Not Before: Nov 15 14:17:58 2011 GMT
            Not After : Nov 12 14:17:58 2021 GMT
        Subject: C = HR, ST = Zagreb, L = Zagreb, O = MZOS, OU = CARNet, CN = CA Root certificate skole.hr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93:e5:d0:8f:97:da:63:
                    00:e5:a0:99:17:88:9d:1c:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                00:e5:a0:99:17:88:9d:1c:9300:e5:a0:99:17:88:9d:1c:93
            X509v3 Authority Key Identifier: 
                keyid:00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:00:e5:a0

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5:a0:99:17:88:9d:1c:93:00:e5:a0:99:17:88:9d:1c:93:
         00:e5

It is installed using the Eduroam app into the Android credential storage and is "Installed for Wi-Fi" which I assume means that the credential is applied to all WiFi traffic.

Improve this question
8
  • 1
    It would help a lot if you could provide the certificate and the documentation where you are asked to install it.
    – Esa Jokinen
    Commented Apr 11, 2020 at 12:15
  • Google only finds one article on eduroam_WPA_EAP_TTLS_PAP, and the certificate linked there is the T-TeleSec GlobalRoot Class 2 root CA that is probably already installed on your computer - it's even on Mozilla's Included CA Certificate List.
    – Esa Jokinen
    Commented Apr 11, 2020 at 12:17
  • 7
    I have used eduroam on multiple universities on both linux and android, using the system certificates, without the need to install any new ones. Your school has probably either messed by their installation or their instruction page.
    – user000001
    Commented Apr 12, 2020 at 4:57
  • 1
    "I know CA certificates are used to decrypt TLS/SSL traffic" — Even if this were a CA cert (and it doesn't seem that it is), that wouldn't mean that Eduroam could directly "decrypt" your traffic. It would mean that Eduroam could, if it wanted, issue bogus end-entity certs for foo.com or whatever, and then decrypt traffic that used those particular certs. Any CA, e.g. GeoTrust, has that power. This blog post might help clarify.
    – Quuxplusone
    Commented Apr 13, 2020 at 17:04
  • 1
    @Quuxplusone: this cert has BC.CA=true. Maybe it is intended only for 1x as the name suggests, maybe it is used only for 1x, but it absolutely is capable of issuing fake certs which could be used for decryption if trusted (which from the answers it appears Android won't in this case)
    – dave_thompson_085
    Commented Apr 14, 2020 at 2:56

5 Answers 5

Reset to default
31

First, Android provides two distinct import options for a reason.VPN and Apps is for general HTTPS traffic from all of your apps, including browsers. You can install your own CAs here if you want to intercept your own traffic, for example. WiFi is for identifying enterprise WiFi networks, but does not affect normal traffic, to my knowledge. This brings us to the next part.

You should always specify a CA certificate when you connect to enterprise WiFi networks. 802.1X supports a number of authentication protocols (e.g. EAP-TLS); the CA is typically used to verify the authentication server's certificate. If you do not specify a CA, your client will accept whatever server it talks to. The result, depending on authentication type, is that you may be handing over plaintext credentials (your credentials for your eduroam-participating organization) to an attacker. This can be done easily with an evil twin attack, using a tool such as EAPHammer. There is nothing stopping someone from performing this attack with the eduroam ESSID and stealing your credentials. For this reason, you should always specify a CA when connecting.

Improve this answer
9
  • That's the other side of the coin. This problem would not exist, if the WiFi was using a certificate signed by a proper CA instead of their own. If the OS supports limiting the use of a CA certificate, like Android here does, this is the correct answer.
    – Esa Jokinen
    Commented Apr 11, 2020 at 20:03
  • 1
    @Esa, unfortunately using a public CA would result in another problem: older Android versions had no other way of ensuring you got the right certificate from the EAP peer, they would literally accept any certificate issued by the CA – at least if you connected in the usual way. (Android 6 did have the "domain suffix match" field but it was only available through API, and only starting with Android 7 you could finally enter the TLS domain name in the UI.)
    – grawity
    Commented Apr 11, 2020 at 21:11
  • 2
    So, for someone slightly less technical you have to accept this certificate once (on first connect), but from then on, this certificate proves that you’re sending your login details to eduroam, not to a fake network with eduroam SSD. And the reason I have to accept this on first connection is because old operating systems would accept any CA issued certificate, rather than limiting to only those with a matching domain (as HTTPS does), I assume due to a WiFi network not really having a domain?
    – Tim
    Commented Apr 12, 2020 at 10:14
  • 1
    @Tim: No – eduroam uses your credentials to route all authentication packets to your home institution, and this includes everything from the first EAP packet, to the PEAP or TTLS handshake (where certificates are exchanged), to the final "Approved" response. So as long as you use credentials issued by (e.g.) University of Foobar, you're only talking to the EAP server hosted by U of Foobar and only see the certificate used by U of Foobar, no matter which institution you're physically visiting. The visited institution doesn't send its certificate and doesn't verify your password.
    – grawity
    Commented Apr 13, 2020 at 13:05
  • 2
    @Tim: This is why some WPA-Enterprise sign-in screens (e.g. on Android or Linux/GNOME) have separate fields for "Identity" and "Anonymous identity". The latter is sent in plaintext and used for routing the packets to the correct home institution (outside the envelope so to say), while the former is encrypted and used for the actual authentication check at the home institution.
    – grawity
    Commented Apr 13, 2020 at 13:16
41

This CA Root certificate skole.hr is not an official Eduroam certificate, but a CA certificate probably from the school that implements Eduroam WiFi. It's also plausible that this is a completely unrelated 3rd party CA certificate used for spying; we can't distinguish that with certainty.

While it might be used for WiFi authentication, as the WPA_EAP_TTLS_PAP suggests, installed as a trusted CA it might be used for signing any certificate. If you install the CA you trust whoever is behind it, and they could use it on an intercepting HTTPS proxy, among many things.

If your only intention is to connect to the WiFi, it would be possible to skip installing the certificate altogether, just trust any certificate for this connection, and use the Internet access with caution, just as you'd use any free WiFi. However, as this might compromise the account you are using for the WiFi, the best choice would be limiting the usage of the CA only for the WiFi authentication, as explained in the answers from multithr3at3d and Ángel.

Improve this answer
6
  • great explanation. so as POC, why don't use that certificate to perform a MITM attack and see if traffic can be decrypted?
    – Virgula
    Commented Apr 11, 2020 at 14:10
  • 2
    How would you perform a POC WITH that certificate, without having the private key? You could do that by creating an own certificate with the same features (namely CA:TRUE), but I already know how it behaves.
    – Esa Jokinen
    Commented Apr 11, 2020 at 14:17
  • Thanks for the answer. Is being connected to the school WiFi while having this certificate installed sufficient for them to decrypt my traffic (assuming that the school can view all the packets on their network)? Or would they need some additional software installed on my device to do that?
    – jan
    Commented Apr 11, 2020 at 14:22
  • 3
    An HTTPS interception requires terminating the connection i.e. encrypting separately both to your and to the servers direction. You can inspect (e.g. in your browser) the certificate of the site you are visiting. See whether it's issued by this CA or by the original CA.
    – Esa Jokinen
    Commented Apr 11, 2020 at 14:25
  • 1
    Please see my answer for some counterpoints.
    – multithr3at3d
    Commented Apr 11, 2020 at 19:56
16

is "Installed for Wi-Fi" which I assume means that the credential is applied to all WiFi traffic.

No. It doesn't mean this.

There are several ways in which a WiFi network may authenticate a user. The most common ones are:

  • WPA-PSK Both parties use a Pre-Shared Key to authenticate themselves. That is the mechanism for all those that use just a password. Anyone knowing the password may connect to the WiFi. As well as impersonating the WiFi by creating another one with the same name.
  • WPS (Wi-Fi Protected Setup) This allows the use of a short PIN to recover the full PSK password. Insecure.
  • WPA-802.1X (WPA-Enterprise) Users authenticate with a pair of User/Password against a RADIUS server.
  • Captive portal. Actually not a way for authenticating users to the WiFi network, but an authentication atop of an open WiFi.

Whenever you want to securely authorize a large number of users, you should be using WPA-802.1X - which is what Eduroam does. This will require that you send the Access Point (AP) a user and password. These credentials (which may be even the same that you use to authenticate to your University for e.g. email) should be protected. However, an evil actor could set up an AP named Eduroam in order to have your Computer/Phone connect to it (i.e. provide it your Eduroam credentials). The way for your device to identify that this is the legitimate AP is to check a certificate presented by it. Just like those used to authenticate a server in HTTPS. The certificate you were given is the one used by the AP (or, as in your case, a parent certificate that signs those of the AP).

Modern phones store these certificates separately from global CA, so you add the certificate to the WiFi connection, rather than installing a CA that could sign websites. This is why it shows it is "Installed for Wi-Fi". It doesn't mean it is allowed to sign the certificates of HTTPS pages when they are accessed through Wi-Fi. It means that it will only be used to certify the Wi-Fi connection.

Once you are connected to the Wi-Fi, your apps will use the normal CA bundle to validate server certificates (just as when not using Wi-Fi).

In summary, with this certificate, only installed for Wi-Fi on your device, will not allow them to snoop on your encrypted (HTTPS) traffic (any more than they could without the certificate installed), and in fact you should install it to avoid releasing your credentials to a rogue AP.

PS: As a side note, a 1024 bit RSA certificate using sha1 is considered dated nowadays, they should update it. Which they will be forced to do anyway before Nov 21 2021.

Improve this answer
4
  • 2
    Excellent explanation. There are two perspectives to this: as a network administrator it's only good that the users trust the certificate, and on corporate networks it's easy to force this in the background. At the same time, it's hard to trust others - especially if it seems that there are defects. Limiting the usage to WiFi authentication is indeed the best alternative.
    – Esa Jokinen
    Commented Apr 12, 2020 at 17:16
  • Second paragraph, fourth word sp/was/ways ... it's the only misspell I see and not enough for me to edit.
    – CGCampbell
    Commented Apr 13, 2020 at 22:40
  • Oops, thanks @CGCampbell! Fixed.
    – Ángel
    Commented Apr 14, 2020 at 2:40
  • 2
    Just for completeness, 802.1X does not necessarily mean a user+password pair, 802.1X (and the underlying EAP protocol) is extensible, and there are many other authentication methods, including... client certificates :-) Also, in the context of roaming, the server certificate should be that of the "home" network, not of the visited one, if they are different.
    – jcaron
    Commented Apr 14, 2020 at 9:53
3

Short answer:

If you want to know if your network decrypt SSL traffic - use firefox and see if it reports SSL problems (FF don't trust system certificates)

Long answer:

A. Eduroam uses a bit different authentication / verification scheme for each institute involved, I can't get the exact details from the information you provided.

B. the certificate you mention should be used by your machine to verify that are your credentials are sent to your university and not being used elsewhere (I'm not sure if and how the scheme verify the identity of the host institute.

C. I never installed a browser certificate for eduroam (especially not for Firefox - which do not trust system installed certificates) - that means they do not open SSL encryption.

Improve this answer
1
  • FF don't trust system certificates - Unless you have the firefox security.enterprise_roots.enabled setting enabled.
    – Zoredache
    Commented Feb 1 at 8:04
2

The certificate here is not for SSL traffic. It is solely for 802.1x authentication. Most of the universities use PEAP-TTLS. Which requires a certificate from the server. The client does not need to provide a certificate. Username and password are sufficient for authentication. Most of the universities do not bother buying an official certificate for authentication and push a self-signed certificate. This results in a security warning prompt saying "do you trust this certificate". This has nothing to do with your SSL traffic. Because once the authentication is done you got permitted to enter the eduroam wireless network and you are done with that certificate.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .