ALERT: WPA-TKIP isn't secure - use WPA2 instead

SUMMARY:

WPA-PSK is vulnerable to offline attack. WPA-TKIP has been cracked.

TO AVOID THESE PROBLEMS:

  1. USE WPA-AES or WPA2 instead of WPA-TKIP (or WEP)

  1. USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples: BAD: "vintage wine" GOOD: "floor hiking dirt ocean" (pick your own words, even longer is better) FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.

BACKGROUND:

Weakness in Passphrase Choice in WPA Interface

Practical attacks against WEP and WPA

A Practical Message Falsi cation Attack on WPA

New attack cracks common Wi-Fi encryption in a minute

Passphrase Flaw Exposed in WPA Wireless Security

Cracking Wi-Fi Protected Access (WPA)

Cracking WEP and WPA Wireless Networks

Reply to
John Navas
Loading thread data ...

Why do you even recommend a phrase made of dictionary words? Just insert a few random non-alphabetic characters in a word and one is way better off anyway.

BETTER: Jul4iet&Hora!tio

BEST: SiuOvcsdf2394DFSKJFH (and let Keychain, or your local equivalent, remember it).

Steve

Reply to
Steve Fenwick

On Tue, 06 Oct 2009 18:37:40 -0700, Steve Fenwick wrote in :

Because it's much easier to enter than random characters.

Key entropy with diceware words can be just as good as random characters.

Reply to
John Navas

[SNIPPAGE REVERSED]

I disagree.

One of my recommendations was for characters inserted in and around dictionary words or proper names. Quite easy; been doing it for years. And good practice for good password usage for other uses (e.g., web sites that need a password) where long passphrases can't be used.

Steve

Reply to
Steve Fenwick

On Tue, 06 Oct 2009 20:29:38 -0700, Steve Fenwick wrote in :

Your BEST is too painful to be practical for most users. Your BETTER is no better than diceware words. Read up on "password entropy" and diceware (and grow up). To get you started:

Reply to
John Navas

John Navas wrote in news: snipped-for-privacy@4ax.com:

So I've read those pages, and it's still a mystery to me why using 4 words that *are* in a dictionary are better than: Jul4iet&Hora!tio

And why anyone needs a list to select x amount of completely unrelated words to put in a passphrase is beyond me......

Here: Putty Skank Jesus FuManChu Nucleus

Reply to
DanS

On Wed, 07 Oct 2009 11:41:47 -0500, DanS wrote in :

It's "better" because it's easier for average people to use.

One of the biggest obstacles to real security is passwords too painful for average people, resulting in frequent security lapses.

That the words are in a dictionary just means the passphrase has to be longer for comparable key entropy.

What's important is that the words are truly random by virtue of using dice to select them. They are not truly random if you make them up yourself, thereby (unknowingly) reducing key entropy.

Common sense is another big obstacle to real security, how we got the dangerously false security of WEP.

Reply to
John Navas

I promised not to get involved in any more security discussions, but this is too much of a temptation. Methinks you're both wrong. The pass phrase under discussion is for a pre-shared key used between wireless access points, not a password that needs to be typed every time the user logs in. There's no reason why the user needs to remember this phrase, type it in more than once, or otherwise make it easy or convenient. As long as it can't be easily cracked by brute force, any key will work. Short keys are easier to crack by brute force, so a minimum length (20 characters) is a good idea.

As for the degree of security, pre-shared keys suck. They can be extracted from the Windoze registry. All the users of the system need to know the key, so leaks are almost inevitable. Most users write them down somewhere, which can be found. Discussing the relative merits of how the key is generated is much like discussing whether single cut or double cut car door keys are more secure, when the car windows are left wide open.

For what it's worth, I use a compromise between obscurity and ease of typing. I take a common phrase and concatenate it (join strings) without spaces. Brute force and keyword attacks tend to rely on knowing the word spacing. Jamming them all together makes key word extraction far more difficult. Something like: LittleRedRidingHood TheQuickBrownFoxJumpedOver IHateComputers MaBellIsACheapMother Incidentally, I once tested this method various password crackers. Most could easily crack phrases with spaces, but rarely were able to deal with 3 or more concatenated words.

Yes, it can be made more secure with additional obfuscatory characters. No, I don't think it's worth the effort.

Reply to
Jeff Liebermann

On Wed, 07 Oct 2009 12:38:23 -0700, Jeff Liebermann wrote in :

What a shock. :)

The user needs to deal with it for each and every wireless device; whenever wireless devices are changed; when giving access to guests; and when changing passphrases, which should be done regularly.

What matters is password entropy.

20 non-random keys aren't secure!

All true.

That's like saying, "Driving is dangerous even with seatbelts, so discussing the merits of wearing seatbelts is pointless".

Sorry, but you've fallen into yet security common sense trap -- your method is definitely _not_ secure.

That doesn't mean it can't or won't be done, and thus leads to a false sense of security.

Just like wearing a seatbelt?

No offense intended, but you're wrong on this one and (worse) handing out bad advice.

Reply to
John Navas

Really, John, you of the "snip to suit my point" fame?

There, now you're into ad hominems. Loss of game, set, and match.

Letting a trusted source store the key is fine. How often do you really give it out to guests?

"Better" is still better than diceware (really? Can't find that in M-W) words, per Mr. Lieberman's comments.

Steve

Reply to
Steve Fenwick

On Wed, 07 Oct 2009 17:11:41 -0700, Steve Fenwick wrote in :

Never, because my wireless router has a guest service that's completely isolated, not only from my own LAN, but with guests isolated from each other. But that's me -- I know of quite a few friends and clients that routinely give out their wireless passwords.

Reply to
John Navas

I lied. However, that's ok because nobody listens to me anyway.

Good point. Do you know anyone that changes their wireless WPA/WPA2 phrase regularly? There's one person in ba.internet that claims he does it for his coffee shop customers. Every time I tried to do it with business customers, I immediately run into "support issues" and other euphemisms for "total hell". The worst is Wireless Zero Config, which fails to connect, announces that it has "limited connectivity" but doesn't offer a dialog box to change the WPA pass phrase. The only way I can make it work for WZC is to also change the SSID, so that the user will be forced to create a new saved profile. Other connection managers are more friendly, but just barely.

Ok, I'll bite. What's the dividing line between secure and not-secure? Obviously, it varies by the type of customer. HIPPA security is far more demanding than the local coffee shop. The average home user is probably somewhere in between and closer to the coffee shop. What metric shall I used to determine if I'm secure, or not secure?

Note: This is a rhetorical question and somewhat of a trap. As I'm going to hard to find for a few daze, I'll answer my own question. The dividing line is where a casual hacker, with limited resources, generally not in possession of a degree in computer science, and with no pecuniary motives involved, can break in. In other words, if it's safe from the script kiddies, it's good enough for me. Nothing is going to stop the NSA or a determined hacker from gaining access (one way or other).

I just looked at my own LCD monitor. There are 4 post-it notes plastered around the edge, all with various users passwords in plain sight. I should clean up my act.

All analogies eventually fall apart, especially analogies of analogies. My point is that most wireless systems are insecure in many ways and that a more secure WPA pass phrase selection is not going to improve overall system security very much. If want access or sniff traffic, I don't bother cracking the WPA-PSK key. I just wire tap the ethernet connection, which is usually exposed and unencrypted. How many routers have a secure WPA pass phrase, but use the default password for configuration access? For those, I just "backup" the settings, and in about half the routers I've looked at, the WPA key is available in plain text in the saved config file. The ones that are compressed, usually use a common compression algorithm (usually Huffman). Think of this as only being as secure as the weakest link.

Drivel: There was a bank near my house when I was a delinquent in Smog Angeles. The vault door was truly impressive and formidable. However, I noticed that one inside wall of the bank vault nothing more than a stud wall covered with drywall and plaster. I pointed this out to one of the bank employees, who suggested I mind my own business. Several months later, someone rammed a stolen pickup through the back wall, grabbed everything handy, and drove away in another car. I was telling the story to all my friends until the police investigators arrived asking questions about how I knew so much about the bank construction. Oops.

Here we go again. Where's the border line between secure and not secure? My method is certainly not secure enough for some applications (i.e. HIPAA wireless), but for the average home user, it's good enough. Where I've used it, and nailed down the other barn doors, I haven't had any security problems beyond idiots posting the WPA key on the office bulletin board.

I think the common phrase is "It's not the odds, it's the risks". That was the catch phrase for Y2K bugs, which were never a real problem. Certainly, a qualified hacker, mathemagician, or aspiring criminal gang, can crack just about anything. There's always a risk of code and cipher cracking. However, in my humble opinion, it's a far smaller risk than social engineering, scripted exploits, bad password management, and simple leaks. Optimizing the password generation algorithm will have no effect on either the odds or the risks, as the other security problems are far greater.

Instead of wearing a seat belt, I'm wearing a bungi cord. While not effective for a small number of high risk collisions, it's totally effective for just about anything under about 15 mph, where something like 90% of the accidents occur.

I'll stand on my (bad) advice.

Reply to
Jeff Liebermann

On Wed, 07 Oct 2009 22:13:12 -0700, Jeff Liebermann wrote in :

I'm the only one I know! You? ;)

Yep, it's ugly, part of why I push WPA2 Enterprise, which minimizes the damage of a compromised password (but is too much hassle for most -- I'd really like to see a PEAP server in DD-WRT).

I personally use seven (7) diceware words, although I agree with the five (5) word recommendation for most users.

The problem is that cracking tools are widely available, and it's dangerous to assume your "script kiddies" don't have access to serious cracking tools. It's also so easy to have more robust security (e.g., my 7 diceware words) that I don't think it makes sense (cost/benefit) to compromise.

I use Password Safe, created by noted cryptographer Bruce Schneier, free, open source, and highly recommended.

"Security is a process." -Bruce Schneier

That you know of! And "past performance is not indicative of future results"!

With all due respect, that's not valid -- risk is the _product_ of all the risk factors, not a limit, so improving any one factor _does_ have a material effect on security. So by all means pay attention to the biggest risk factors, but don't use that as an excuse to ignore cheap and easy improvements to other risk factors.

Even though you lack security expertise? ;)

Reply to
John Navas

Not me. Worse, I tend to use the same WPA pass phrase on multiple systems. Recycling passwords is generally a lousy idea. However, the systems I've seen that really do require good wireless security seem to favor VPN's and S-key dongles. Employees have a credit card size key generator. They login with the usual user name and intentionally trivial password. It then asks for the number displayed on the credit card one time key generator. Wireless access is literally wide open as the real security is through the VPN tunnel. Also works well at home, in a coffee shop, and at the office.

Right. However, I don't think you'll see it in the RAM limited WRT54G implementations. It's also the type of feature that Brainslayer will probably add to the commercial version of DD-WRT. I'm still tempted to do it myself, as we previously discussed, but lack the time and inspiration. (I also lack the talent, but we won't go there).

Wrong answer. That's a good measure of how secure is the password. That's important but is only a component of how secure I am, or how secure is my system? It doesn't matter how many deadbolts I install on my front door. If I leave the back door or windows wide open, I'm not secure, and neither is my system.

Sure, but if my password key management system is the typical pre-shared key mess, where everyone in the company knows the password, the availability of cracking tools doesn't do much. A cracker would do as well just borrowing a laptop, extracting the hashed WPA key out of the registry, and using the hash code to connect and decrypt sniffed traffic. For typed in passwords, a video camera or binoculars works well for finger hacking.

Again, you're only securing the password. I'm talking about securing the entire password system, including distribution. A better password doesn't do much when the distribution system leaks badly.

I use an Excel spreadsheet and a USB dongle. The dongle is encrypted. Perhaps if I added an explosive device, I might further enhance the security.

Yep. Exactly my point. Think of it this way.... If you were to break into a typical office or home wireless system, would you attack the strongest point, which is the encryption? I wouldn't. I would look for the weakest point, which is (IMHO) the password key management. That can usually be compromised with social engineering or post-it notes.

True. Detection intrusions is difficult. I've gone so far as to leave messages on people Windoze desktops announcing that I've broken into their machines (usually via open shares) and they don't notice. Like most companies, when a breaking does occur, they patch the problem, and blunder onward in the same manner as before. When my crystal ball is able to predict future results, I'll stop relying on my past performance as an indicator. Meanwhile, it's all I have to work with.

Play it by the numbers. There's little difference in overall security between a 1 part per million and a 1 part per billion chance in cracking a password, when the same system has a one chance in 100 of being cracked by social engineering, shared password management, and just plain sloppiness. Once the password security component has become sufficiently small, additional efforts to make it even smaller have a negligible effect on overall probability of cracking the system.

I wouldn't call it an excuse. I would suggest it's a logical calculation based upon probability of having the system compromised by various means. Despite the availability of cracker tools and monitoring hardware, the few real wi-fi breakins that I've seen were perpetrated by means other than sniffing and cracking. Most common are well known WPA-PSK keys. For the home user, it's the post it note on the router with the WPA key included.

Please note that I'm not directly offering advice. I charge for that. I simply expounded on what *I* do for security and explained why *I* do it that way. I won't claim expertise, but I do claim some useful experience. After all, I've never attended a security convention, am not on any of the security related mailing lists, and don't read the security proceedings.

Next time we get into a security discussion, remind me to stay out of it.

Reply to
Jeff Liebermann

On Thu, 08 Oct 2009 09:45:22 -0700, Jeff Liebermann wrote in :

It's a great system, but of course impractical for average folks, SOHO, and most small businesses.

I'm tempted to do it myself -- doubt it would be all that hard, and WRT54GL with that firmware would be a great product IMHO -- but don't want to end up competing with Brainslayer.

To repeat what I wrote earlier... With all due respect, that's not valid -- risk is the _product_ of all risk factors, not a limit, so improving any one factor _does_ have a material effect on security. So by all means pay attention to the biggest risk factors, but don't use that as an excuse to ignore cheap and easy improvements to other risk factors.

How good is the encryption? Is it really secure? How do you know it's not just another WEP? I personally don't trust security that hasn't been vetted by peer review or at least a genuine expert.

I respectfully disagree. You're assuming a perfect attack, something that rarely happens in practice. A burglar may well be turned away by a securely bolted front door even when the back door is standing ajar, or even by a fake security system sign. Again, you're applying "common sense" and making critical assumptions without any real foundation, the kind of thinking that lead to WEP.

Would you prefer "rationalization"? ;)

With all due respect, anecdotal experience isn't a good foundation. I know lots of smokers that haven't died (yet). That doesn't make it a good idea.

Reply to
John Navas

Not at all. Windows registry - not on my linux network. Users need to know - er, no - I set up all the clients. write them down - users don't know the key so...

I agree.

Reply to
Mark McIntyre

Here we go again; I remember getting reamed last year in this exact same discussion for suggesting the wide-open WAP with VPN as a cheap and easy solution (I've been doing it for years and it ain't rocket science) and for promoting it in the newsgroups. Thanks Jeff for making your point.

Michael

Reply to
msg

That's an interesting micro-managed approach; what happens if you get the swine flu, or get run over by a bus? Or your user loses his connection and has to log in at 3 am, what? He wakes you up?

Nice long obscure alpha-numeric passwords written down on stickies _is_ in fact good IT security. Physical security is someone else's problem, as is social security.

Reply to
Warren Oates

Press the reset button and set up a new key of keys to give to the users.

When I did that sort of thing for a living on mainframes, I made sure that the DP manager had a copy of the necessary password(s) locked in his filing cabinet. You have to trust somebody. If I got run over by the bus, my replacement always had access to what was needed, if he could do his job - whether it was a VM sysgen or an directory update.

The worst thing is to force users to change passwords regularly.

At one place I worked the security manager knew all about it in theory but not in practice.

Because the company business including field systems, sales and marketing were all on MVS he enforced new passwords every month that hadn't been used previously. End result: everybody wrote their password down somewhere, usually on their white boards.

He tried to extend this to the internal email system (also on MVS). After three failed attempts to log on the ID would get suspended and you had to phone corporate security to get it reset.

It took the workforce logging onto the CEO's ID with invalid passwords before they got their act together.

Reply to
Christopher A. Lee

On Fri, 09 Oct 2009 19:45:39 -0500, msg wrote in :

That only works if non-VPN is blocked.

Reply to
John Navas

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.