rooftop antenna range

I seriously doubt that -- I'd guess finger-pointing would offset any benefits, if nothing else.

The actual cost of the pipe is relatively low compared to other costs, especially support.

A panel antenna mounted to the top cover of a notebook computer can be very good *if* you're willing to aim your computer toward the access point.

FWIW, I've found the built-in Wi-Fi antenna in the ThinkPad T30 to be far more sensitive than even the best PC Card. It even connects in places where a PC Card doesn't see any signal. My guess is that I could only beat it with an external antenna with much better gain than 2 dBi.

>

Your point is well-taken in general, but WPA with a strong passphrase is quite secure.

>>

I'll agree, with one small change.

s/strong passphrase/64-random-hex-digits/

Choosing English words or phrases instead of a truly random 64-digit hex number will significantly shorten the search space crackers have to try. It may still be ok, but one isn't going to get the full benefits of the 256-bit key design strength.

A cryptographic key is only as strong as the uniformity of the random number generator used to generate it. If some part of that key-space isn't used (say by virtue of limiting oneself to printable or even worse, easily type-able letters) and the attacker knows this, then their job just bot quite a bit easier. Each bit they can knock off the search space doubles their speed.

Lets try a back of the envelope calculation for a passphrase that is

20 letters long (which is more than I assume most people will use). We have 4 to 5 bits of randomness for each letter. Because the letters aren't uniformly distributed in the English language we end up getting quite a bit less than log-base-2 of 24 bits per letter. One can generate letter frequency histograms but lets just guess it at 4 bits of key search space per typed letter. With 20 letters of 4 bits each we are only talking ~80bits of keying material. While that is probably still unsearchable, it is quite a bit weaker than the design goal of 256-bits.

So we do come back to the its not at all as strong as they say it is. ;-) We've cut the search space in half 76 times. Thats a big speed up.

-wolfgang

On Tue, 06 Jun 2006 13:44:34 -0700, "Wolfgang S. Rupprecht" wrote in :

[shrug] Not terribly important, since we can calculate the effort needed to crack the key, and a much smaller key provides more than enough security.

Sure, but again, not terribly important as long as we keep the needed effort far beyond their capabilities.

That's actually below the recommended minimum.

[shrug] Again, not terribly important. From the Diceware Passphrase FAQ :

------------------------------------------------------------------------ In their February 1996 report, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" a group of cryptography and computer security experts -- Matt Blaze, Whitfield Diffie, Ronald Rivest, Bruce Schneier, Tsutomo Shimomura, Eric Thompson, and Michael Weiner -- stated:

"To provide adequate protection against the most serious threats... keys used to protect data today should be at least 75 bits long. To protect information adequately for the next 20 years ... keys in newly-deployed systems should be at least 90 bits long."

A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits, four words 51.6 bits. Inserting an extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See

Needless to say, projections for the far future have the most uncertainty.

• Four words are breakable with a hundred or so PCs. * Five words are only breakable by an organization with a large budget. * Six words appear unbreakable for the near future, but may be within the range of large organizations by around 2014. * Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030. * Eight words should be completely secure through 2050.

------------------------------------------------------------------------

Not really. It's a bit like saying that a car capable of 500 MPH is a lot slower than a car capable of 2000 MPH. From a highway point of view, both numbers are so big as to be essentially the same.

>

I don't know. I think (1) is a no-brainer, because you can't actually transmit bits at the signalling rate, but I get much greater distance than "they" say I should (~1000' between a WRT54G and a Dell laptop), basic setup was as easy as "they" said (making it secure wasn't) and it _is_ secure - but then I'm relying on vpn.

The effort to crack is isn't the issue I'm talking about.

The issue is whether one gets 256-bit crypto strength as the advertisements lead one to believe. One is most certainly not, not by a far shot, unless one uses a random 64-hex digit key.

-wolfgang

On Wed, 07 Jun 2006 07:55:16 -0700, "Wolfgang S. Rupprecht" wrote in :

Key entropy doesn't determine "crypto strength" -- it only determines the effort needed in a brute force attack.

WPA TKIP uses the RC4 stream cipher, with a 128-bit key and a 48-bit Initialization Vector.

WPA2 uses AES block cipher, with a fixed block size of 128 bits and a key size of 128 bits.

Got any examples of such misleading advertisements?

Both the crypto algorithm and the key size can limit how hard it is to break the encryption.

I'm not sure if you realize, but the hobbled version of WEP with the

40-bit keys was done by simply mashing all but 40 of the keying bits to known values. The government agreed that this effectively reduced the cryptosystem to one that passed the rules for only allowing "40-bit" crypto out of the country.

Enter WPA and what is the first thing the consumer wifi manufacturers do? They encourage folks to choose their keys from a set of English words. That not going to get them anywhere near the protection levels that the underlying AES (or TKIP) is capable of.

-wolfgang

Again, not a real issue, since the recommend passphrase length is enough to ensure robust security for the typical home user.

According to Robert Moskowitz, Senior Technical Director, ICSA Labs (a division of TruSecure Corp), a highly qualified expert, in :

... a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. ...

Eight diceware words (about 34 characters) have 103 bits of entropy, more than enough to satisfy this recommendation. And that's assuming a sophisticated all-out offline attack with the most powerful computing hardware available -- much shorter passphrases (at or above the recommended minimum of 20 characters) still provide sufficient security for the typical home user.

I would be very surprised to hear NIST say that keying AES (or anything that requires a 128-bit key) with english phrases is an approved keying method.

The quote you supplied is Moskowitz saying "its good enough for the home user". That is not the issue. The issue is will one get the full advertised strength of the underlying AES by setting up the unit using the manufacturer's recommendation of keying it with english words? The diceware method is a bit better than the manufacturer's method since the words chosen by rolling die are going to be truly random. The manufacturers just say something along the lines of "choose a secret phrase". The latter is going to have very questionable levels of entropy.

"The complete [diceware] list contains 7776 short English words, abbreviations and easy-to-remember character strings."

Lets see, we have 7776 words, so the entropy for each one is log2(7776.0).

(log 7776.0 2.0) 12.92481250360578 ; entropy per diceword word

Total entropy for 8 words.

(* 8.0 (log 7776.0 2.0)) 103.39850002884624 ; entropy for 8 diceware words

It is still short of the 128 bits of entropy one needs to not make the key entropy the weakest link in the chain. One would need 10 diceware words for that (for 129 bits of entropy). Or is Moskowitz implying that AES only takes 2**103 operations to break?

It is also short of the 256 bits of entropy one would have gotten by using a random number input as 64 hex digits. One would need to go to

20 diceware words to get to that level. It's not clear to me (without learning more about how that key is used) to understand what the other bits are used for. IV maybe?

I guess I'm just flabbergasted at the corners people choose to cut. To do it right, one only has to input a single 64 digit hex number into each piece of equipment, once. Why screw around?

-wolfgang

Oh, c'mon, key management isn't nearly that simple, and I dunno about you, but typing that many digits in without error is going to be really time-consuming. I dunno what the answer is (USB keychain dongle interfaces?), but it's not simple or easy (or it'd be done already).

Well, I wouldn't want to use a random 64 bit hex string as my login password, but typing it once or twice isn't going to kill anyone.

Weren't the microsoft product id's one had to key in to install their crap about that length? I'm sure people all hated it, but they seemed to be able to deal.

Burning it to CD or DVD also works. USB flash is good. What I did for some of the computers was use the ethernet (via ssh/putty) to cut-and-paste the key.

-wolfgang

On Fri, 09 Jun 2006 13:14:02 -0700, "Wolfgang S. Rupprecht" wrote in :

The authority in question is the Wi-Fi Forum -- AFAIK, NIST hasn't taken any position on encryption key length for typical home users. What we do have in support of that, in addition to Moskowitz, who specially cites the 20 character passphrase recommendation, is the following by recognized experts in the field :

| How long should my passphrase be? | ... | In their February 1996 report, "Minimal Key Lengths for Symmetric | Ciphers to Provide Adequate Commercial Security" a group of | cryptography and computer security experts -- Matt Blaze, Whitfield | Diffie, Ronald Rivest, Bruce Schneier, Tsutomo Shimomura, Eric | Thompson, and Michael Weiner -- stated: | | "To provide adequate protection against the most serious threats... | keys used to protect data today should be at least 75 bits long. To | protect information adequately for the next 20 years ... keys in | newly-deployed systems should be at least 90 bits long."

That's for "commercial" security, a higher standard than home security.

| A five-word Diceware passphrase has an entropy of at least 64.6 bits; | six words have 77.5 bits, seven words 90.4 bits, eight words 103 | bits, four words 51.6 bits. Inserting an extra letter at random adds | about 10 bits of entropy. Here is a rough idea of how much protection | various lengths provide, based on updated estimates by A.K. Lenstra | (See

Needless to say, projections for the far | future have the most uncertainty. | | * Four words are breakable with a hundred or so PCs. | * Five words are only breakable by an organization with a large budget. | * Six words appear unbreakable for the near future, but may be within the | range of large organizations by around 2014. | * Seven words and longer are unbreakable with any known technology, but | may be within the range of large organizations by around 2030. | * Eight words should be completely secure through 2050.

And that's not what Moskowitz is saying. He's talking in absolute terms, not just "good enough for the home user"

The strength of AES is the strength of AES, and has nothing to do with key strength, which is only pertinent in the context of a brute force attack, which can be mounted against *any* key-based cipher. There is no known attack on AES that's related to key strength. Thus the real issue here is what key strength is needed for adequate home network security, not the best possible security with AES.

That's speculation -- a practical phrase dictionary attack of sufficient size has yet to be demonstrated.

There's no need to make key entropy the weakest link in the chain -- that's massive overkill.

That's also not what he's saying.

Because:

1. Long clumsy passwords greatly increase the chances of compromise because they increase the likelihood that people will do such things as carelessly write them down (or not use them at all).

1. It's often not a one-time thing -- it has to be done each time any change is made, and such changes are not uncommon.

2. There's simply no need.

On Fri, 09 Jun 2006 14:19:03 -0700, "Wolfgang S. Rupprecht" wrote in :

Long clumsy passwords greatly increase the chances of compromise because they increase the likelihood that people will do such things as carelessly write them down (or not use them at all).

And it's often not a one-time thing -- it has to be done each time any change is made, and such changes are not uncommon.

Know of any SOHO routers with CD or DVD drives? I didn't think so. So program OTA on an unencrypted link? :)

Know of any SOHO routers with USB ports? ;)

Still probably the best for a complex key *if* it's fully erased afterwards, but of course that probably won't happen. ;)

That's well beyond what typical users will do.

John, your arguments are getting sillier and sillier.

My AP also doesn't have an LCD or keyboard, yet I'm able to type a password into it and read a password out of it. I'll leave you to ponder how I did this magic.

If you want to recommend someone choose a password that limits their security to a lower value than they could be getting, fine. It is no skin off my nose.

-wolfgang

But it's not once or twice, as you are going to want to change it when employees leave, or your neighbor who was sharing with your permission starts doing BitTorrent, or something.

And adding USB or SD card slots to routers wouldn't be rocket science. IIRC, someone had a hack for a WRT54G that added an SD card and Linux drivers...

But again, key management isn't just about generating a random

64-character hex string and entering it into a few devices. Besides changes, there's a whole security rathole around keeping the 'place you wrote the keys down' secured.

Using a group key for a large number of people is a really bad idea. Giving everyone their own key is what the radius version of WPA is meant to address.

You don't really need the flash card on the router right? One can just as well copy the key to a flash card on the local computer. (Although just displaying the key in a way that can be copy-and-pasted is good enough.)

Personally, I would rather see folks choose hard to remember passwords and keep them in their wallets than use mothers-maiden-name/pets-name/birthday type losing passwords that they can easily remember.

Well, in a real company one hopefully has a cheap safe for that sort of thing. In a home type situation (the only place where wpa-psk is appropriate) one needs to worry about the pesky kiddie trying to prove how smart they are.

-wolfgang

Whoopie. Words suck as a source of randomness, and limiting it to a source that small is nuts.

That smells like a *BSD...

--------------------------------- # @(#)README 8.1 (Berkeley) 6/5/93 # $FreeBSD: src/share/dict/README,v 1.13 2003/01/24 20:51:03 wollman Exp $

WEB ---- (introduction provided by jaw@riacs) -------------------------

Welcome to web2 (Webster's Second International) all 234,936 words worth. The 1934 copyright has lapsed, according to the supplier. The supplemental 'web2a' list contains hyphenated terms as well as assorted noun and adverbial phrases. The wordlist makes a dandy 'grep' victim.

---------------------------------

Why? In early 2003, there was the marvelous 'W32/Deloder' worm that went through the windoze community like a dose of selenium salts - by trying just 87 passwords to the Administrator account. Find a copy of CERT Advisory CA-2003-08 (Tue, 11 Mar 2003 22:05:22 UTC) for the list of really "great" passwords. 19 of the 87 were three characters OR LESS (including "xp", "123", "abc", "win" and the very secure "").

If you're just trying to generate a nice long string that you DON'T have to remember, wander over to news://sci.crypt/ with your asbestos undies on - there are regular flame wars over the problem. Or see RFC1750

1750 Randomness Recommendations for Security. D. Eastlake 3rd, S. Crocker, J. Schiller. December 1994. (Format: TXT=73842 bytes) (Obsoleted by RFC4086) (Status: INFORMATIONAL)

and it's replacement

4086 Randomness Requirements for Security. D. Eastlake, 3rd, J. Schiller, S. Crocker. June 2005. (Format: TXT=114321 bytes) (Obsoletes RFC1750) (Also BCP0106) (Status: BEST CURRENT PRACTICE)

This really has been kicked around before.

Old guy

On Sat, 10 Jun 2006 21:31:24 -0500, snipped-for-privacy@painkiller.example.tld (Moe Trin) wrote in :

Actually not, if you read the article and follow the mathematics -- diceware words can easily provide sufficient passphrase strength to defeat whatever level of attack might concern you. You might as well complain that passwords are limited to the very small set of ASCII characters, or that binary keys are limited to only 0 and 1. ;)

One of the beauties of diceware words is that they are truly random, unlike the vast majority of computer algorithms.