WPA/PSK

It says in WEP that you have to change the key. It says with WPA/PSK it changes it for you. How? And do I have to change it?

Thanks in advance.... kevin

-- Kevin

"Kevin" wrote in news:cmrld8$b5s$1@sparta.btinternet.com:

OK.

Magic. Or some technical stuff.

No because "It says with WPA/PSK it changes it for you".

-- Jo

Taking a moment's reflection, Kevin mused:
| It says in WEP that you have to change the key. It says with WPA/PSK it changes it for you. How? And do I have to change it?

The change that is referenced is the key to each packet. The key is a function of the passphrase you select. The problem with WEP is that this is a static key that never changes. So, if you collect enough meaningful packets, you can eventually reconstruct (software "guess") what the key is. However, WPA corrects this by negotiating the initial connection with the original passphrase based key, but then changes the key automagically at the specified interval (setting in router or AP). You should still change your WPA-PSK passphrase periodically, however.

-- mhicaoidh
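The "key is a function of the passphrase you select" step described above, as an added example that is not part of the original thread. WPA-PSK derives a 256-bit pairwise master key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, as IEEE 802.11i specifies; the per-session keys (the PTK, which holds the per-packet temporal key) are then derived from that PMK plus fresh random nonces in each four-way handshake. That is where the automatic rekeying lives: the PTK changes every handshake, the PMK only changes when you change the passphrase or SSID, which is why the passphrase still matters. The constants and labels are the standard's; the function names, the constructed MAC addresses and the nonces are mine.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-PSK
PMK_LENGTH = 32            # 256-bit pairwise master key
PTK_LENGTH = 64            # KCK (16) + KEK (16) + TK (32) for TKIP-era PTK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-PSK pairwise master key from passphrase + SSID.

    The SSID is the salt, so the same passphrase yields a different PMK on a
    differently named network. Deterministic: no randomness enters here.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key from the four-way handshake inputs.

    aa/spa are the AP and station MAC addresses; anonce/snonce are the random
    nonces each side contributes. min/max ordering makes the result the same
    whichever side computes it.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, PTK_LENGTH)


def split_ptk(ptk: bytes) -> dict:
    """Name the PTK pieces: KCK (handshake MIC key), KEK (wraps the group key), TK (per-packet data key)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def rekey_changes_tk_not_pmk(passphrase: str, ssid: str) -> bool:
    """Two handshakes on the same network: the PMK is identical, the temporal keys differ."""
    pmk_first, pmk_second = wpa_psk(passphrase, ssid), wpa_psk(passphrase, ssid)
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    tk_first = split_ptk(wpa_ptk(pmk_first, ap, sta, os.urandom(32), os.urandom(32)))["tk"]
    tk_second = split_ptk(wpa_ptk(pmk_second, ap, sta, os.urandom(32), os.urandom(32)))["tk"]
    return pmk_first == pmk_second and tk_first != tk_second


if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")
    print("PMK:", pmk.hex())
    print("rekeying changed the temporal key but not the PMK:",
          rekey_changes_tk_not_pmk("password", "IEEE"))
```

The `"password"` / `"IEEE"` pair is the test vector from the 802.11i annex, so the printed PMK can be checked against the standard. Note that nothing in `wpa_psk` is per-session: every guess at a passphrase costs exactly one 4096-iteration PBKDF2 run, which is why the entropy of the passphrase, not the rekey interval, is what limits a dictionary attack.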

Why? And exactly how often?

Regards,

M
-- Misiek

On Wed, 10 Nov 2004 10:29:32 +0100, Misiek spoketh

Because the passphrase is used for initial authentication, and if someone can figure out your passphrase, then they can connect to your WLAN... How often? Well, that depends on how secure you think your passphrase is.

Lars M. Hansen


Taking a moment's reflection, Misiek mused:
| Why? And exactly how often?

In addition to Lars' comments, while WPA is more secure than WEP, WPA-PSK is still subject to so-called "dictionary" attacks. If someone has the time and resources, they can simply try known and random combinations of characters to try and crack your WPA-PSK passphrase. The more complicated the passphrase, the longer it will take. Changing it every so often decreases the likelihood of someone cracking it in this manner.

-- mhicaoidh

On Fri, 12 Nov 2004 11:19:47 +0000, Simon Pleasants spoketh

Assuming there's enough activity, about 1 hour.

Since it would be essentially brute force cracking, that would mean that they'd have to try every possible combination. Now, there's 26 letters and 52 counting upper case, plus 10 numbers and let's say 18 special characters just to make it easy on me ... With 56 characters, that would be 60^56, which is 3.77e99 combinations. According to my sources, Lopht takes about 10 minutes to brute-force crack a four character password (26 characters, 4 letters = 26^4 = 456,976) on a 450MHz computer. Using that as a guideline, it would take 8.25e92 minutes to crack a 56 character password. Even if you consider today's computers are 5-6 times faster, dividing the following numbers by 5 doesn't make the picture any prettier.

That is 1.93e91 hours, or

5.73e89 days, or 1.57e87 years...

Software firewalls on all LAN computers may or may not factor in here at all, because they would normally be configured in such a manner that access is allowed for LAN computers to resources that are needed. That means that if one computer shares files that other computers need, then a hacker who has gained access to your LAN will be considered just another LAN computer. However, there may be authentication involved, so just having your computer on a LAN doesn't automatically give you rights to read files on the network, so the hacker would also have another obstacle of getting a valid username and password to actually gain access to files...

Lars M. Hansen

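The keyspace arithmetic in the post above, carried through as an added example in Python (not part of the original thread). It generalizes the post's worked case: alphabet size, passphrase length, a guess rate calibrated from a benchmark such as the "26^4 in 10 minutes" figure, and an optional speed-up factor for faster hardware. It also costs a dictionary attack, the case mhicaoidh raised earlier, because a dictionary run costs a fixed number of guesses whatever the passphrase length, so the exhaustive-search figure only applies to a passphrase that is actually random. The benchmark numbers passed in are the post's; the function names and the million-word dictionary size are mine.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase: the number that actually matters."""
    return length * math.log2(alphabet_size)


def guesses_per_second(benchmark_keyspace: int, benchmark_seconds: float) -> float:
    """Turn a benchmark ('N candidates in T seconds') into a guess rate."""
    return benchmark_keyspace / benchmark_seconds


def years_to_exhaust(alphabet_size: int, length: int, rate: float, speedup: float = 1.0) -> float:
    """Worst case for a random passphrase: every candidate tried. Expected time is half this."""
    return keyspace(alphabet_size, length) / (rate * speedup) / SECONDS_PER_YEAR


def years_for_dictionary(dictionary_size: int, rate: float, speedup: float = 1.0) -> float:
    """A dictionary attack costs dictionary_size guesses regardless of passphrase length."""
    return dictionary_size / (rate * speedup) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Calibration from the post: 26^4 candidates in 10 minutes on a 450 MHz machine.
    rate = guesses_per_second(keyspace(26, 4), 10 * 60)
    print(f"calibrated rate: {rate:.0f} guesses/s")
    for alphabet, length in [(26, 4), (26, 8), (60, 8), (60, 20), (60, 56)]:
        print(f"alphabet {alphabet:>2}, length {length:>2}: "
              f"{entropy_bits(alphabet, length):6.1f} bits, "
              f"{years_to_exhaust(alphabet, length, rate):.2e} years "
              f"({years_to_exhaust(alphabet, length, rate, speedup=5):.2e} at 5x)")
    # A dictionary word is a different story: a million candidates fall in seconds.
    print(f"1,000,000-word dictionary: {years_for_dictionary(10**6, rate) * SECONDS_PER_YEAR:.0f} s")
```

The `speedup` factor models the post's "5-6 times faster" remark as a plain divisor; the exponent on the alphabet is what dominates, so a longer random passphrase beats a faster attacker, while the dictionary line shows why a memorable phrase of any length does not get the same protection.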

I'd be interested in knowing time periods on this.

Supposing someone uses 128bit WEP. They use their connection only in the evenings (I make that point on the assumption that capturing network traffic requires there to be plenty of traffic to capture) and only for web browsing, writing documents etc. How long, realistically, would it actually take someone to capture enough information to allow them to determine the key (and how long would determining the key itself take?).

Now, what about the same question as above but using WPA-PSK with a 56 character key including upper and lower case letters, numbers and some ASCII characters such as underscores, dashes, asterisks etc (the final result being an unintelligible jumble).

Weeks, days.... hours?

Add to that software firewalls on all LAN computers, access only to files only by particular usernames yadda yadda yadda. My hacking abilities are nil, so I find all of this stuff interesting.

-- Simon Pleasants

[WEP]

Really? That seems VERY quick. All previous posts I had read suggested that it would take days to crack a 128bit WEP key. By 1hr, did you mean just cracking the key AFTER all the packets had been captured because surely on a low usage network like the one described it would at least take days to capture enough information to have a go at the key?

I am not disputing your figures, just surprised.

[WPA-PSK]

Okay, it's the end of the working week for me and most of that went straight over my head, but it sounds like a long time anyway.

In my case, because I know what the IP addresses are of the other computers the software firewall on the server only allows access from the two IP addresses used by the client machines. The hacker would need to work out which IP addresses are allowed access. I understand this information could be determined from the very same packets captured to crack the key - as would the information necessary to bypass the MAC address restrictions but will extend the time necessary to compromise the system - even if only by minutes.

Furthermore, correct me if I am wrong, but the software firewall would prevent any information being transmitted back from that machine, so trying to take it over to send information out to the internet would not work.

That's exactly it. Since only two users are ever likely to need access to the server's resources the shares are available only to those two and even then with increasing restrictions on the more "interesting" files.

-- Simon Pleasants

There's a certain amount of FUD in the answer. It's true that using weak IVs a cracker could penetrate the WEP key in an hour or so, provided he could capture enough data traffic. Most home LANs don't generate enough, so it's likely to take days or longer. This is uneconomic for a cracker. Techniques do exist to force your network to generate extra packets but again this is more work. It's not really likely to be worth it to hack a 512K ADSL line.

Once they're through your encryption, this is trivial - the IP address is in the header of every packet (it has to be, otherwise the receiving machine couldn't send the reply back to the right box...).

You're wrong - your firewall is almost certainly configured to allow machines on your local network to have normal access to each other. So any machine masquerading as one of yours is in.

Yes, if you have another layer of security, e.g. NTFS permissioning, that's good.

Security is like an Ogre remember.

-- Mark McIntyre

Well I'm not wrong - but I didn't word my question very well.

As you say, cracking a WEP key on a low volume network, such as mine, to use a 512 DSL line is hardly worth it. Besides I use a gibberish 56 character WPA key anyway. But supposing someone thinks I'm worth the effort and successfully cracks the encryption and then jumps the minor hurdles of the MAC addresses and IP restrictions they can log into the network. Once there they won't have any access to my files because they are all stored within two or three master folders, each of which is shared, but all "everybody" permissions have been removed and replaced simply with access available only to the two usernames which will need access. Only one of those actually has "full control", the other having read only, or read-write access to some sub-folders and no access at all to others.

But supposing they'd even managed to capture enough information that they can determine the username and the password of the network's master user (i.e. me) then now they have the ability to access the files. The firewall will not interfere with traffic from what is believed to be a recognised IP address. It will, however, prevent anyone from trying to take control of the machine to issue vast amounts of traffic out to the internet because any trojans should be spotted by the AV and anything trying to transmit to the internet will be blocked by ZA.

-- Simon Pleasants "Keep a dream in your pocket.... ....never let it fade away"


But it won't - ZA is running on /your/ PC. The cracker will copy your stuff to his pc, using standard windows protocols which you set ZA to permit. Then he directly sends the stuff to the net from his own PC, but using your router, or more likely downloads a zillion tons of illegal pron to his PC, using your network.....

-- Mark McIntyre

Fair enough - but for that he would need to remain connected to my network. As it does not extend beyond the end of my driveway or even to the back of the back garden he'd have to be parked on my front lawn to be able to use it. Of course he might be able to rig up a super long distance antenna and connect to it but even that would be a fight because there are countless other wireless networks emanating from nearby houses and inevitably there are a lot of overlapping channels in use.

But at the end of the day, why bother? First he'd have to locate my network amongst all the others (several of which are unencrypted). Then he'd have to crack a long gibberish WPA key. Then he'd have to break into the server itself as all of the share permissions are very tightly controlled and, having done all that, congratulations, he now has control of a single 512kbps ADSL line. Seems a lot of work for very little reward. From my house alone I can detect six other APs, four of which use no encryption, the other two using WEP. Whilst I am certainly not saying my network could never be compromised, I believe I've done enough to make it look a rather less attractive proposition than some readily available alternatives.

I appreciate this conversation on the basis that the more you understand about a potential threat the better equipped you are to do something about it.

-- Simon Pleasants
