ALERT: WPA can be less secure than WEP


SUMMARY:
WPA-PSK is vulnerable to attack, and can be even worse than WEP!
TO AVOID THE PROBLEM:
USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean"
(pick your own words, even longer is better)
BACKGROUND:
Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

...
The offline PSK dictionary attack
...
Just about any 8-character string a user may select will be in the
dictionary. As the standard states, passphrases longer than 20 characters
are needed to start deterring attacks. This is considerably longer than
most people will be willing to use.
This offline attack should be easier to execute than the WEP attacks.
...
Using Random values for the PSK
The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
number for human entry; 20 character passphrases are considered too long
for entry. Given the nature of the attack against the 4-Way Handshake, a
PSK with only 128 bits of security is really sufficient, and in fact
against current brute-strength attacks, 96 bits SHOULD be adequate. This is
still larger than a large passphrase ...
...
Summary
...
Pre-Shared Keying is provided in the standard to simplify deployments in
small, low risk, networks. The risk of using PSKs against internal attacks
is almost as bad as WEP. The risk of using passphrase based PSKs against
external attacks is greater than using WEP. Thus the only value PSK has is
if only truly random keys are used, or for deploy testing of basic WPA or
802.11i functions. PSK should ONLY be used if this is fully understood by
the deployers.
See also:
Passphrase Flaw Exposed in WPA Wireless Security

Wi-Fi Protected Access. Security in pre-shared key mode

Cracking Wi-Fi Protected Access (WPA)


WPA Cracker

Reply to
John Navas
Loading thread data ...
I find myself wondering if the same post every month from the same person, with nothing new, is that spamming a newsgroup?
fundamentalism, fundamentally wrong.
Reply to
Rico
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
Not spam, per relevant FAQs.
Instead of just wondering, you might want to inform yourself. ;)
Reply to
John Navas
No, but it sure is annoying. Especially when its basic premise is wrong. Yes, it's vulnerable to attack - but in the worst case scenario its only _as bad as_ WEP.
Reply to
Derek Broughton
That's why I asked.
fundamentalism, fundamentally wrong.
Reply to
Rico
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
Just your opinion, or do you have an expert citation? According to Robert Moskowitz, Senior Technical Director, ICSA Labs (well-regarded expertise), as quoted in my original post:
The risk of using passphrase based PSKs against external attacks is GREATER than using WEP. [emphasis added]
Reply to
John Navas
And he was describing what, 128 bit passphrases or 4 letter words? Your quote here is totally meaningless without a bit of context.
fundamentalism, fundamentally wrong.
Reply to
Rico
never heard of him
Context is everything. A poorly chosen short PSK is potentially worse than WEP.
The risk is real, but don't overstate it. Mark McIntyre
Reply to
Mark McIntyre
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
The context is right there in my post.
Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
I suggest you actually read the article before dissing it.
Reply to
John Navas
I suggest you read my other posts in the last couple of days, before assuming I'm dissing the article.
Mark McIntyre
Reply to
Mark McIntyre
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
No assumption -- I was simply taking you at your word.
Reply to
John Navas
So you have no idea if he was talking 128bit passphrases or even single letter passphrases?
fundamentalism, fundamentally wrong.
Reply to
Rico
Or perhaps some advanced form of masturbation?
Reply to
optikl
Given that my word was:
"Context is everything. A poorly chosen short PSK is potentially worse than WEP. The risk is real, but don't overstate it. "
I consider your remark to be a lie.
Mark McIntyre
Reply to
Mark McIntyre
Howdy, I'm the guy who runs wifinetnews.com and posted Robert Moskowitz's paper years ago.
I'm not sure why this devolved into an argument ("I didn't come here for an argument!" "Yes, you did!"), but I can probably cut through this a bit.
What Robert was highlighting was the fact that it's extremely simple to force a WPA system to redo its handshake and provide its keying material again. Even though that keying material is secured, it can be analyzed offline. He estimated that maybe 90 seconds or less would be needed. With WEP, you have to capture from hundreds of thousands to millions of packets and analyze it to break it. So breaking a 128-bit WEP key is relatively trivial given an arbitrary amount of time from a few minute on an active network with weak initialization vectors (unpatched 802.11b firmware, for instance), up to potentially hours on a network with strong IVs and not much traffic at all. There are ways to spur traffic, of course, but that might be noticed.
So you can grab the WPA keying material really quickly and try to crack it off line. That couples with the fact that the algorithm that protects the actual underlying encryption keys requires a strong passphrase as described in the article. With WEP, it didn't matter how strong your key was--a weak key could be broken somewhat faster, but a strong key was still easy to break.
With WPA, a very weak key using dictionary words could be broken in an offline crack in some number of hours or days. There are tools that do this.
I don't know why this article keeps getting reposted here or elsewhere, but the pertinent detail isn't that WPA is weaker than WEP; that's a very particular case in which you can say that. Rather, that choosing a very weak WPA key provides somewhat less security than a strong 128-bit WEP key. Both are bad choices. A strong WPA key is always better.
There are several attempts now to have one-button or click-and-secure options in home gateways and NICs, and that should come to fruition later this year, according to the head of the Wi-Fi Alliance, who I spoke to two weeks ago at the Consumer Electronics Show. Major chipmakers and major Wi-Fi product manufacturers want users to click a button and have a strong key generated for them and managed for them using out-of-band methods to ensure that key is wrapped in encryption as it's exchanged among devices.
Reply to
glenn
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
Of course I do -- I actually read the article. And you?
Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
Suit yourself.
Reply to
John Navas
Wouldn't it be easier for the manufactures to ship their products secure by default rather than insecure? At this time, all vendors, except 2wire.com, ship their routers wide open. Wireless enabled by default. No encryption. No router password or a commonly known default password. Great for the out-of-box experience but doesn't do much for security. Adding another layer to the installation ordeal process is only a band-aid as any one-button security fix doesn't do much if it isn't used. In my never humble opinion, arm twisting the manufacturers to deliver secure by default products is far more effective than an optional run-once utility. See 2wire.com for details on how it should be done.
Also, you might want to ask members of the Wi-Fi certification group why they test for WEP key functionality using Hex keys, but allow the vendors of the various WEP enabled devices to default to using ASCII keys. The problem is that there are apparently two different algorithms for converting WEP keys from ASCII to Hex. Microsloth Wireless Zero Config only supports one of these. The result is encryption key exchange failure, with Microsoft aggrivates by not producing any useful diagnostics on a key exchange failure (i.e. limited connectivity error). Some users ask questions of support or in this newsgroups. However, most of them just notice that WEP doesn't work and just run their wireless network with no encryption. Instead of hunting for band-aids to fix the security problems, tell them to fix the stuff that already exists.
Reply to
Jeff Liebermann
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
With all due respect, Robert Moskowitz is actually saying something much different, that PSK (not WPA per se) is vulnerable to offline attack, which leads to his conculsion: "The risk of using passphrase based PSKs against external attacks is greater than using WEP." (Note the lack of "weak" or "strong" qualifiers.)
As Jeff Liebermann comments, this is a disingenuous case of talking about slamming the barn door after way too many cows have left the barn. There's no good excuse for shipping products with security turned off, and no new mechanisms are needed to implement decent security.
The sloppiness and naivete of the Wi-Fi Alliance and most Wi-Fi vendors has made the notion of "secure Wi-Fi" into a shameful, painful oxymoron.
Reply to
John Navas

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.