WPA-PSK is vulnerable to attack, and can be even worse than WEP!
TO AVOID THE PROBLEM:
USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean"
(pick your own words, even longer is better)
Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
The offline PSK dictionary attack
Just about any 8-character string a user may select will be in the
dictionary. As the standard states, passphrases longer than 20 characters
are needed to start deterring attacks. This is considerably longer than
most people will be willing to use.
This offline attack should be easier to execute than the WEP attacks.
Using Random values for the PSK
The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
number for human entry; 20 character passphrases are considered too long
for entry. Given the nature of the attack against the 4-Way Handshake, a
PSK with only 128 bits of security is really sufficient, and in fact
against current brute-strength attacks, 96 bits SHOULD be adequate. This is
still larger than a large passphrase ...
Pre-Shared Keying is provided in the standard to simplify deployments in
small, low risk, networks. The risk of using PSKs against internal attacks
is almost as bad as WEP. The risk of using passphrase based PSKs against
external attacks is greater than using WEP. Thus the only value PSK has is
if only truly random keys are used, or for deploy testing of basic WPA or
802.11i functions. PSK should ONLY be used if this is fully understood by
Passphrase Flaw Exposed in WPA Wireless Security
Wi-Fi Protected Access. Security in pre-shared key mode
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
Just your opinion, or do you have an expert citation? According to Robert
Moskowitz, Senior Technical Director, ICSA Labs (well-regarded expertise), as
quoted in my original post:
The risk of using passphrase based PSKs against external attacks is
GREATER than using WEP. [emphasis added]
Howdy, I'm the guy who runs wifinetnews.com and posted Robert
Moskowitz's paper years ago.
I'm not sure why this devolved into an argument ("I didn't come here
for an argument!" "Yes, you did!"), but I can probably cut through this
What Robert was highlighting was the fact that it's extremely simple to
force a WPA system to redo its handshake and provide its keying
material again. Even though that keying material is secured, it can be
analyzed offline. He estimated that maybe 90 seconds or less would be
needed. With WEP, you have to capture from hundreds of thousands to
millions of packets and analyze it to break it. So breaking a 128-bit
WEP key is relatively trivial given an arbitrary amount of time from a
few minute on an active network with weak initialization vectors
(unpatched 802.11b firmware, for instance), up to potentially hours on
a network with strong IVs and not much traffic at all. There are ways
to spur traffic, of course, but that might be noticed.
So you can grab the WPA keying material really quickly and try to crack
it off line. That couples with the fact that the algorithm that
protects the actual underlying encryption keys requires a strong
passphrase as described in the article. With WEP, it didn't matter how
strong your key was--a weak key could be broken somewhat faster, but a
strong key was still easy to break.
With WPA, a very weak key using dictionary words could be broken in an
offline crack in some number of hours or days. There are tools that do
I don't know why this article keeps getting reposted here or elsewhere,
but the pertinent detail isn't that WPA is weaker than WEP; that's a
very particular case in which you can say that. Rather, that choosing a
very weak WPA key provides somewhat less security than a strong 128-bit
WEP key. Both are bad choices. A strong WPA key is always better.
There are several attempts now to have one-button or click-and-secure
options in home gateways and NICs, and that should come to fruition
later this year, according to the head of the Wi-Fi Alliance, who I
spoke to two weeks ago at the Consumer Electronics Show. Major
chipmakers and major Wi-Fi product manufacturers want users to click a
button and have a strong key generated for them and managed for them
using out-of-band methods to ensure that key is wrapped in encryption
as it's exchanged among devices.
Wouldn't it be easier for the manufactures to ship their products
secure by default rather than insecure? At this time, all vendors,
except 2wire.com, ship their routers wide open. Wireless enabled by
default. No encryption. No router password or a commonly known
default password. Great for the out-of-box experience but doesn't do
much for security. Adding another layer to the installation ordeal
process is only a band-aid as any one-button security fix doesn't do
much if it isn't used. In my never humble opinion, arm twisting the
manufacturers to deliver secure by default products is far more
effective than an optional run-once utility. See 2wire.com for
details on how it should be done.
Also, you might want to ask members of the Wi-Fi certification group
why they test for WEP key functionality using Hex keys, but allow the
vendors of the various WEP enabled devices to default to using ASCII
keys. The problem is that there are apparently two different
algorithms for converting WEP keys from ASCII to Hex. Microsloth
Wireless Zero Config only supports one of these. The result is
encryption key exchange failure, with Microsoft aggrivates by not
producing any useful diagnostics on a key exchange failure (i.e.
limited connectivity error). Some users ask questions of support or
in this newsgroups. However, most of them just notice that WEP
doesn't work and just run their wireless network with no encryption.
Instead of hunting for band-aids to fix the security problems, tell
them to fix the stuff that already exists.
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
With all due respect, Robert Moskowitz is actually saying something much
different, that PSK (not WPA per se) is vulnerable to offline attack, which
leads to his conculsion: "The risk of using passphrase based PSKs against
external attacks is greater than using WEP." (Note the lack of "weak" or
As Jeff Liebermann comments, this is a disingenuous case of talking about
slamming the barn door after way too many cows have left the barn. There's no
good excuse for shipping products with security turned off, and no new
mechanisms are needed to implement decent security.
The sloppiness and naivete of the Wi-Fi Alliance and most Wi-Fi vendors has
made the notion of "secure Wi-Fi" into a shameful, painful oxymoron.