relative security risks for WEP & WPA?

Okay, I typically use WEP in the higher 128-bit mode on my Dlink routers. The new Dlink router I just upgraded to offers WPA, but my older Dlink PC-CARD 11b wifi card doesn't have WPA capabilities, so I'm sticking to 128-bit WEP.

Now, I've been curious, I know that WEP has been cracked, but is that only referring to the default 64-bit WEP? How secure is 128-bit WEP? Also my Dlink router and PC-CARD both offer a proprietary 256-bit WEP. How secure would that be? Is any WEP secure? Can I enable WPA and still use my WEP-only network card?

Yousuf Khan

Reply to
YKhan

WEP is WEP; the reasons it is crackable at 64 are the same at 128. Keep in mind that it takes about 10,000,000 packets or more captured to get a WEP key, so if you are a casual user, the chances of someone breaking in are slim. To my humble knowledge, you ought to be able to run WPA on certain devices and WEP on others at the same time, but this makes WPA as insecure as WEP. WPA using RC4 encryption is supposed to be backward compatible with WEP.

Reply to
Airhead

I'm in exactly the same boat. My GemTek WL-350 doesn't support WPA.

The short answer is "not particularly." See below.

"Making matters even worse, the cracking techniques most frequently used will work equally well no matter what WEP key length you're using. Thus, a 128-bit key is just as vulnerable as a 64-bit key. Indeed, even if a WEP key was 1,204 bits, it is still as crackable by today's methods as one that is the minimal 64 bits."

"As a rule of thumb, shoot for a minimum of 200,000 for a 64 bit [WEP] key and 500,000 for a 128 bit key..."


No, I don't think so. Hence why I'm looking for a new mini PCI for the laptop.

Reply to
Jean

According to one of those articles, the latest techniques let you crack WEP in 200,000 to 500,000 packets (64- and 128-bit respectively), not 10 million!

Yousuf Khan

Reply to
YKhan

Maybe my specs are out of date, but still, for a casual user 200,000 packets is quite a bit. Considering if all packets were maxed at 2346 bytes, that's about 46 gigabytes of data. I don't do anything important enough at home to worry about it. Most important or critical stuff I do over the web is encrypted using HTTPS. If people want to see what I type in newsgroups then by all means, crack my WEP key and have at it.

Reply to
Airhead

Yes, exactly. From the SecurityFocus article:

"[T]he KoreK attacks [implemented in, for example, aircrack] change everything. No longer are millions of packets required to crack a WEP key; no longer does the number of obviously "weak" or "interesting" IVs matter. With the new attacks, the critical ingredient is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions."

Reply to
Jean

Airhead wrote:

Strange...

I end up with 200,000 * 2346 byte = 469.2 MegaByte.

In reality, IP packets have an average size of maybe a few hundred bytes (consider all the TCP management packets, login stuff ...).

Probably one shouldn't count MegaBytes, but sth. like TCP transactions... (or simply packets).

Michael

Reply to
Michael Schmidt

Thanks, my calculator must have had too much wine.

Reply to
Airhead
