ALERT: WPA isn't necessarily secure
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||||||||||||||||||||||||||
|
Posted by John Navas on December 4, 2006, 8:30 pm
Please log in for more thread options SUMMARY: WPA-PSK is vulnerable to offline attack. TO AVOID THE PROBLEM: USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples: BAD: "vintage wine" GOOD: "floor hiking dirt ocean" (pick your own words, even longer is better) FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS. BACKGROUND: Weakness in Passphrase Choice in WPA Interface By Glenn Fleishman By Robert Moskowitz Senior Technical Director ICSA Labs, a division of TruSecure Corp <http://wifinetnews.com/archives/002452.html>
... The offline PSK dictionary attack ... Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use. This offline attack should be easier to execute than the WEP attacks. ... Using Random values for the PSK The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ... ... Summary ... Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers. See also: Passphrase Flaw Exposed in WPA Wireless Security <http://www.technewsworld.com/story/32070.html>
Wi-Fi Protected Access. Security in pre-shared key mode <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
Cracking Wi-Fi Protected Access (WPA) <http://www.ciscopress.com/articles/article.asp?p=369221>
<http://www.ciscopress.com/articles/article.asp?p=370636&rl=1> WPA Cracker <http://www.tinypeap.com/html/wpa_cracker.html>
| |||||||||||||||||||||||||||||||||||||
|
Posted by Peabody on December 5, 2006, 12:59 am
Please log in for more thread options John Navas says... > Just about any 8-character string a user may select will
> be in the dictionary. As the standard states, > passphrases longer than 20 characters are needed to > start deterring attacks. This is considerably longer > than most people will be willing to use. FWIW: I know some here are not thrilled with Steve Gibson, but he has a password generating function on his site that might be useful: HTTP://www.grc.com/passwords.htm It gives you somthing like this: 63 random printable ASCII characters: $lH`aw</`=<Tw-<<V,I4Rjq[=0Zk&$_h/6%]&a'r|J^Mv l>>4`4zp++%9^{L\a
Of course, you would have to copy and paste something like this, and give up the idea of remembering your password, but it would surely qualify as a strong password. It could be transferred to other computers in the LAN with a USB drive, or CDR. Also given there are HEX strings, and alpha-numeric strings. You get different versions every time you refresh the page. | |||||||||||||||||||||||||||||||||||||
|
Posted by John Navas on December 5, 2006, 1:44 pm
Please log in for more thread options
On Mon, 04 Dec 2006 23:59:11 -0600, Peabody >John Navas says...
> > > Just about any 8-character string a user may select will
> > be in the dictionary. As the standard states, > > passphrases longer than 20 characters are needed to > > start deterring attacks. This is considerably longer > > than most people will be willing to use. >
>FWIW: > >I know some here are not thrilled with Steve Gibson, but he >has a password generating function on his site that might >be useful: > >HTTP://www.grc.com/passwords.htm Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake oil salesman with no real expertise in security who has been discredited numerous times (e.g., <http://www.grcsucks.com/>), and the password
generator on the GRC site is of dubious quality, value and real
security. Instead use: * Diceware words * Good open source, peer-reviewed software like Password Safe, originally created by noted cryptographer Bruce Schneier -- Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes> | |||||||||||||||||||||||||||||||||||||
|
Posted by Axel Hammerschmidt on December 5, 2006, 6:46 pm
Please log in for more thread options
<snip>
> >HTTP://www.grc.com/passwords.htm
>
> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake > oil salesman... What do you think of Paris Hilton? | |||||||||||||||||||||||||||||||||||||
|
Posted by John Navas on December 5, 2006, 8:27 pm
Please log in for more thread options
On Wed, 6 Dec 2006 00:46:57 +0100, hlexa@hotmail.com (Axel >
> ><snip> > >> >HTTP://www.grc.com/passwords.htm
>>
>> Really, really bad idea. Steve Gibson (aka GRC) is a shameless snake >> oil salesman... >
>What do you think of Paris Hilton? Slut? ;) -- Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes> | |||||||||||||||||||||||||||||||||||||
| Similar Threads | Posted |
| ALERT: WPA isn't necessarily secure | September 1, 2006, 11:26 am |
| ALERT: WPA isn't necessarily secure | September 18, 2006, 12:25 pm |
| ALERT: WPA isn't necessarily secure | October 3, 2006, 1:04 pm |
| ALERT: WPA isn't necessarily secure | October 16, 2006, 4:59 pm |
| ALERT: WPA isn't necessarily secure | November 6, 2006, 10:18 am |
| ALERT: WPA isn't necessarily secure | November 20, 2006, 11:47 am |
| ALERT: WPA isn't necessarily secure | December 4, 2006, 8:30 pm |
| ALERT: WPA isn't necessarily secure | December 20, 2006, 9:51 pm |
| ALERT: WPA isn't necessarily secure | January 2, 2007, 1:43 am |
| ALERT: WPA isn't necessarily secure | January 16, 2007, 12:53 am |
| ALERT: WPA isn't necessarily secure | February 5, 2007, 10:43 am |
| ALERT: WPA isn't necessarily secure | March 5, 2007, 9:23 am |
| ALERT: WPA isn't necessarily secure | March 19, 2007, 9:53 am |
| ALERT: WPA isn't necessarily secure | April 2, 2007, 8:29 pm |
| ALERT: WPA isn't necessarily secure | April 18, 2007, 3:07 pm |