ALERT: WPA can be less secure than WEP

SUMMARY:

WPA-PSK is vulnerable to attack, and can be even worse than WEP!

TO AVOID THE PROBLEM:

USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS.

Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean" (pick your own words, even longer is better)

BACKGROUND:

Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman

By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

... The offline PSK dictionary attack ... Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.

...

Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ...

...

Summary

...

Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers.

See also: Passphrase Flaw Exposed in WPA Wireless Security

Wi-Fi Protected Access. Security in pre-shared key mode

Cracking Wi-Fi Protected Access (WPA)

WPA Cracker

Reply to
John Navas
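An added example, not part of the original post or of Moskowitz's paper: generating the random PSK the excerpt recommends, and sizing a randomly chosen passphrase to the 96-bit and 128-bit figures it cites. The function names and the 62-character alphabet are choices made here; the passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output) is the one defined by 802.11i.

```python
import hashlib
import math
import secrets
import string


def random_psk_hex(bits=256):
    """Random PSK as hex digits; 256 bits gives the 64-hex-digit form."""
    return secrets.token_hex(bits // 8)


def units_needed(target_bits, alphabet_size):
    """How many symbols (characters or words), each drawn uniformly at random
    from alphabet_size choices, are needed to reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_passphrase(target_bits=96):
    """Random letters-and-digits passphrase sized to target_bits.
    WPA passphrases must be 8 to 63 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits  # 62 symbols (choice made here)
    length = units_needed(target_bits, len(alphabet))
    if not 8 <= length <= 63:
        raise ValueError("target does not fit in an 8-63 character passphrase")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def psk_from_passphrase(passphrase, ssid):
    """Deterministic passphrase-to-PSK mapping. Anyone who knows the SSID can
    recompute it for a guessed passphrase, so only the passphrase's entropy
    protects the key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


if __name__ == "__main__":
    print("random 256-bit PSK:", random_psk_hex())
    for bits in (96, 128):
        print(bits, "bits:", units_needed(bits, 62), "random characters, or",
              units_needed(bits, 7776), "random words from a 7776-word list")
    phrase = random_passphrase(96)
    # "example-net" is a constructed SSID for this demo.
    print(phrase, "->", psk_from_passphrase(phrase, "example-net"))
```

The word counts assume each word is picked at random from the list; words a person chooses contribute less entropy than the calculation credits.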

I find myself wondering if the same post every month from the same person, with nothing new, is that spamming a newsgroup?

fundamentalism, fundamentally wrong.

Reply to
Rico

Not spam, per relevant FAQs.

Instead of just wondering, you might want to inform yourself. ;)

Reply to
John Navas

No, but it sure is annoying. Especially when its basic premise is wrong. Yes, it's vulnerable to attack - but in the worst case scenario it's only _as bad as_ WEP.

Reply to
Derek Broughton

That's why I asked.

fundamentalism, fundamentally wrong.

Reply to
Rico

Just your opinion, or do you have an expert citation? According to Robert Moskowitz, Senior Technical Director, ICSA Labs (well-regarded expertise), as quoted in my original post:

The risk of using passphrase based PSKs against external attacks is GREATER than using WEP. [emphasis added]

Reply to
John Navas

And he was describing what, 128 bit passphrases or 4 letter words? Your quote here is totally meaningless without a bit of context.

fundamentalism, fundamentally wrong.

Reply to
Rico

never heard of him

Context is everything. A poorly chosen short PSK is potentially worse than WEP.

The risk is real, but don't overstate it. Mark McIntyre

Reply to
Mark McIntyre

The context is right there in my post.

Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

I suggest you actually read the article before dissing it.

Reply to
John Navas

I suggest you read my other posts in the last couple of days, before assuming I'm dissing the article.

Mark McIntyre

Reply to
Mark McIntyre
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

No assumption -- I was simply taking you at your word.

Reply to
John Navas

So you have no idea if he was talking 128bit passphrases or even single letter passphrases?

fundamentalism, fundamentally wrong.

Reply to
Rico

Or perhaps some advanced form of masturbation?

Reply to
optikl

Given that my word was:

"Context is everything. A poorly chosen short PSK is potentially worse than WEP. The risk is real, but don't overstate it. "

I consider your remark to be a lie.

Mark McIntyre

Reply to
Mark McIntyre

Howdy, I'm the guy who runs wifinetnews.com and posted Robert Moskowitz's paper years ago.

I'm not sure why this devolved into an argument ("I didn't come here for an argument!" "Yes, you did!"), but I can probably cut through this a bit.

What Robert was highlighting was the fact that it's extremely simple to force a WPA system to redo its handshake and provide its keying material again. Even though that keying material is secured, it can be analyzed offline. He estimated that maybe 90 seconds or less would be needed. With WEP, you have to capture from hundreds of thousands to millions of packets and analyze them to break it. So breaking a 128-bit WEP key is relatively trivial given an arbitrary amount of time from a few minutes on an active network with weak initialization vectors (unpatched 802.11b firmware, for instance), up to potentially hours on a network with strong IVs and not much traffic at all. There are ways to spur traffic, of course, but that might be noticed.

So you can grab the WPA keying material really quickly and try to crack it off line. That couples with the fact that the algorithm that protects the actual underlying encryption keys requires a strong passphrase as described in the article. With WEP, it didn't matter how strong your key was--a weak key could be broken somewhat faster, but a strong key was still easy to break.

With WPA, a very weak key using dictionary words could be broken in an offline crack in some number of hours or days. There are tools that do this.

I don't know why this article keeps getting reposted here or elsewhere, but the pertinent detail isn't that WPA is weaker than WEP; that's a very particular case in which you can say that. Rather, that choosing a very weak WPA key provides somewhat less security than a strong 128-bit WEP key. Both are bad choices. A strong WPA key is always better.

There are several attempts now to have one-button or click-and-secure options in home gateways and NICs, and that should come to fruition later this year, according to the head of the Wi-Fi Alliance, who I spoke to two weeks ago at the Consumer Electronics Show. Major chipmakers and major Wi-Fi product manufacturers want users to click a button and have a strong key generated for them and managed for them using out-of-band methods to ensure that key is wrapped in encryption as it's exchanged among devices.

Reply to
glenn

Of course I do -- I actually read the article. And you?

Reply to
John Navas
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

Suit yourself.

Reply to
John Navas

Wouldn't it be easier for the manufacturers to ship their products secure by default rather than insecure? At this time, all vendors, except 2wire.com, ship their routers wide open. Wireless enabled by default. No encryption. No router password or a commonly known default password. Great for the out-of-box experience but doesn't do much for security. Adding another layer to the installation ordeal process is only a band-aid as any one-button security fix doesn't do much if it isn't used. In my never humble opinion, arm twisting the manufacturers to deliver secure by default products is far more effective than an optional run-once utility. See 2wire.com for details on how it should be done.

Also, you might want to ask members of the Wi-Fi certification group why they test for WEP key functionality using Hex keys, but allow the vendors of the various WEP enabled devices to default to using ASCII keys. The problem is that there are apparently two different algorithms for converting WEP keys from ASCII to Hex. Microsloth Wireless Zero Config only supports one of these. The result is encryption key exchange failure, which Microsoft aggravates by not producing any useful diagnostics on a key exchange failure (i.e. limited connectivity error). Some users ask questions of support or in this newsgroup. However, most of them just notice that WEP doesn't work and just run their wireless network with no encryption. Instead of hunting for band-aids to fix the security problems, tell them to fix the stuff that already exists.

Reply to
Jeff Liebermann
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

With all due respect, Robert Moskowitz is actually saying something much different, that PSK (not WPA per se) is vulnerable to offline attack, which leads to his conclusion: "The risk of using passphrase based PSKs against external attacks is greater than using WEP." (Note the lack of "weak" or "strong" qualifiers.)

As Jeff Liebermann comments, this is a disingenuous case of talking about slamming the barn door after way too many cows have left the barn. There's no good excuse for shipping products with security turned off, and no new mechanisms are needed to implement decent security.

The sloppiness and naivete of the Wi-Fi Alliance and most Wi-Fi vendors have made the notion of "secure Wi-Fi" into a shameful, painful oxymoron.

Reply to
John Navas
