ALERT: WPA isn't necessarily secure
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||||||||||||||||||||
|
Posted by John Navas on October 16, 2006, 4:59 pm
Please log in for more thread options SUMMARY: WPA-PSK is vulnerable to offline attack. TO AVOID THE PROBLEM: USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples: BAD: "vintage wine" GOOD: "floor hiking dirt ocean" (pick your own words, even longer is better) FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS. BACKGROUND: Weakness in Passphrase Choice in WPA Interface By Glenn Fleishman By Robert Moskowitz Senior Technical Director ICSA Labs, a division of TruSecure Corp <http://wifinetnews.com/archives/002452.html>
... The offline PSK dictionary attack ... Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use. This offline attack should be easier to execute than the WEP attacks. ... Using Random values for the PSK The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ... ... Summary ... Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers. See also: Passphrase Flaw Exposed in WPA Wireless Security <http://www.technewsworld.com/story/32070.html>
Wi-Fi Protected Access. Security in pre-shared key mode <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
Cracking Wi-Fi Protected Access (WPA) <http://www.ciscopress.com/articles/article.asp?p=369221>
<http://www.ciscopress.com/articles/article.asp?p=370636&rl=1> WPA Cracker <http://www.tinypeap.com/html/wpa_cracker.html>
| ||||||||||||||||||||||||||||
|
Posted by Warren Oates on October 16, 2006, 5:13 pm
Please log in for more thread options > USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
> BAD: "vintage wine" > GOOD: "floor hiking dirt ocean" > (pick your own words, even longer is better) > FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS. There's some discussion here, and a pretty cool password generator: https://www.grc.com/passwords.htm I know that not everyone loves GRC, but I run a Mac anyway, so I don't care, and my router has all my ports stealthed. -- W. Oates Teal'c: He is concealing something. O'Neil: Like what? Teal'c: I am unsure, he is concealing it. | ||||||||||||||||||||||||||||
|
Posted by John Navas on October 16, 2006, 5:37 pm
Please log in for more thread options
On Mon, 16 Oct 2006 17:13:54 -0400, Warren Oates >
>> USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
>> BAD: "vintage wine" >> GOOD: "floor hiking dirt ocean" >> (pick your own words, even longer is better) >> FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS. >
>There's some discussion here, and a pretty cool password generator: > >https://www.grc.com/passwords.htm > >I know that not everyone loves GRC, ... Count me among them -- Steve Gibson (aka GRC) is a shameless snake oil salesman with no real expertise in security, and the password generator on the GRC site is of dubious quality and value. Use Password Safe instead, created by noted cryptographer Bruce Schneier, and subjected to open source scrutiny. -- Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes> | ||||||||||||||||||||||||||||
|
Posted by Warren Oates on October 16, 2006, 7:28 pm
Please log in for more thread options
> Count me among them -- Steve Gibson (aka GRC) is a shameless snake oil
> salesman with no real expertise in security, and the password generator > on the GRC site is of dubious quality and value. > > Use Password Safe instead, created by noted cryptographer Bruce > Schneier, and subjected to open source scrutiny. Looks good, but it's a Windows program. I've got XP running in a VM, but I really hate it. -- W. Oates Teal'c: He is concealing something. O'Neil: Like what? Teal'c: I am unsure, he is concealing it. | ||||||||||||||||||||||||||||
|
Posted by Neill Massello on October 16, 2006, 9:37 pm
Please log in for more thread options
> Looks good, but it's a Windows program. I've got XP running in a VM, but
> I really hate it. Here are a couple of Mac utilities. <http://www3.autistici.org/rpg/>
<http://macpasswordgenerator.com/password_generator> | ||||||||||||||||||||||||||||
| Similar Threads | Posted |
| ALERT: WPA isn't necessarily secure | September 1, 2006, 11:26 am |
| ALERT: WPA isn't necessarily secure | September 18, 2006, 12:25 pm |
| ALERT: WPA isn't necessarily secure | October 3, 2006, 1:04 pm |
| ALERT: WPA isn't necessarily secure | October 16, 2006, 4:59 pm |
| ALERT: WPA isn't necessarily secure | November 6, 2006, 10:18 am |
| ALERT: WPA isn't necessarily secure | November 20, 2006, 11:47 am |
| ALERT: WPA isn't necessarily secure | December 4, 2006, 8:30 pm |
| ALERT: WPA isn't necessarily secure | December 20, 2006, 9:51 pm |
| ALERT: WPA isn't necessarily secure | January 2, 2007, 1:43 am |
| ALERT: WPA isn't necessarily secure | January 16, 2007, 12:53 am |
| ALERT: WPA isn't necessarily secure | February 5, 2007, 10:43 am |
| ALERT: WPA isn't necessarily secure | March 5, 2007, 9:23 am |
| ALERT: WPA isn't necessarily secure | March 19, 2007, 9:53 am |
| ALERT: WPA isn't necessarily secure | April 2, 2007, 8:29 pm |
| ALERT: WPA isn't necessarily secure | April 18, 2007, 3:07 pm |