
New Wireless Security Standard Has Old Problem?

simoniker posted more than 10 years ago | from the it's-always-something dept.

Wireless Networking 249

eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."


Secure THIS (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#7402608)

Firstest Postus.

Posted using the old Wireless Security Standard.

1st (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7402609)

FIRST

FAIL (0)

Anonymous Coward | more than 10 years ago | (#7402961)

YOU

(IT)

Userfriendly.org (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7402628)

Who is that old FAT-ASS dork on userfriendly.org [userfriendly.org] ?

PS, the comic strip is about as funny as British Humor -- NOT FUNNY AT ALL!

Oh, thanks. (5, Funny)

Anonymous Coward | more than 10 years ago | (#7402630)

Way to tell everybody my password.

Man, now I have to change it.

Re:Oh, thanks. (0)

crazysim (669230) | more than 10 years ago | (#7402947)

There's a password on Anonymous Coward?

Re:Oh, thanks. (0)

Anonymous Coward | more than 10 years ago | (#7403012)

The root password to a rather important machine on my campus used to be "cat dog goat" ;)

Re:Oh, thanks. (1, Flamebait)

orthogonal (588627) | more than 10 years ago | (#7403051)

The root password to a rather important machine on my campus used to be "cat dog goat" ;)

Chinese guy, right?

I've noticed that Chinese people do often use for their passwords the names of their favorite dishes.

My Dog Has Fleas? (4, Interesting)

Trillan (597339) | more than 10 years ago | (#7402631)

My Dog Has Fleas is a positively fantastic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

Or, of course, the infamous "password."

Re:My Dog Has Fleas? (4, Funny)

Tumbleweed (3706) | more than 10 years ago | (#7402651)

Yeah, but what if your dog doesn't HAVE fleas? Or if you don't even have a dog? Then your security is based on nothing but LIES! And how secure can THAT be? Think before you ask these questions, Mitch.

Re:My Dog Has Fleas? (0)

Anonymous Coward | more than 10 years ago | (#7402668)

Of course, I will stay anonymous to make this question/point - what is the matter with challenge response ciphers and all that sort of stuff? Perhaps that is still vulnerable to this attack but it wouldn't seem as though it is ....

Ie - I thought we all knew any access to a password - be it encrypted or not - was potentially unsecure, and thus /etc/shadow was born, and thusly why ssh uses Diffie-Hellman etc. What gives .. I haven't thought of this problem so much but perhaps Access Control is required to secure these damned things, and so what if it is? At the very least it could offer a 3rd option - wide-open, WEP/xxx, ACL...

Re:My Dog Has Fleas? (2, Funny)

DeltaSigma (583342) | more than 10 years ago | (#7402706)

What is this infamous "password?"

Everyone's always talking about it, but no one will ever tell me!

Re:My Dog Has Fleas? (2, Funny)

sweetooth (21075) | more than 10 years ago | (#7402746)

That's because it's a "secret"

Re:My Dog Has Fleas? (1)

Trillan (597339) | more than 10 years ago | (#7402775)

A study a year or so back indicated that the most popular choice for a password is, in fact, the word password.

one for the crypto/math freaks (2, Interesting)

nehril (115874) | more than 10 years ago | (#7402807)

I think this problem is present in *any* system that relies on user passwords. according to the article, each character in a password is equivalent to about 2.5 "bits" of encryption (since you can't use the entire ascii bitspace and some words/letters are more common, etc). this is a higher number than I saw referenced in one of bruce schneier's books (he said 1.3 bits of entropy per char I think.).

so, if your 128 bit or 256 bit or bit security system is ultimately based from a human-rememberable (and thus probably short) password, is there ANYTHING that can be done short of requiring 30 character passwords?

Re:one for the crypto/math freaks (0)

Anonymous Coward | more than 10 years ago | (#7402857)

Yeah, only let the user try x number of passwords within y minutes.

Re:one for the crypto/math freaks (1)

captain_craptacular (580116) | more than 10 years ago | (#7402903)

I prefer to simplify things and only allow x number of attempts in x minutes. The y is just too confusing ;)

Re:one for the crypto/math freaks (2, Informative)

nehril (115874) | more than 10 years ago | (#7402944)

a good point, but that doesn't help against the offline dictionary attack listed in this paper: sniff some data, crack the password offline, THEN connect/spoof/raise hell. it will appear to succeed on the first *visible to you* attempt.

Re:My Dog Has Fleas? (4, Interesting)

IM6100 (692796) | more than 10 years ago | (#7402868)

Something that amused me recently was when I installed IRIX on a cool SGI box I bought at auction.

It refused to let me use a password longer than 8 characters.

I am talking about a release of IRIX that was pressed to CD in the year 2002.

Re:My Dog Has Fleas? (2, Interesting)

Trillan (597339) | more than 10 years ago | (#7402902)

Similar problem with a Windows 2000 server using Services for Macintosh. Microsoft uses an old authentication model which doesn't support long passwords... unless you install Microsoft's client-side authentication model, which is too buggy to use (i.e. authentication windows pop up BELOW everything else).

Re:My Dog Has Fleas? (5, Funny)

stefanlasiewski (63134) | more than 10 years ago | (#7402882)

My Dog Has Fleas is a positively fantastic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

Well, not really.

Using your child's name for a password is a million times more secure than posting it on Slashdot :)

And with the Slashdot crowd, maybe someone really does have a kid named "j3Nn!f3r". What could be more secure than that? It's so secure that those poor kindergarteners can't even pronounce it!!!

Re:My Dog Has Fleas? (1)

DraKKon (7117) | more than 10 years ago | (#7402891)

I kinda like the password of 'pass' myself...

Re:My Dog Has Fleas? (1)

Trillan (597339) | more than 10 years ago | (#7402999)

You've reached new heights (or lows?) of laziness. :)

Re:My Dog Has Fleas? (3, Funny)

jamesh (87723) | more than 10 years ago | (#7402915)

'My Dog Has Fleas' is indeed fantastic. I'm changing all my passwords to that right now. I encourage you all to do the same.

Major sky show and new North America speed record (-1, Offtopic)

Triquint (683143) | more than 10 years ago | (#7402638)

Off topic but relevant to Slashdot in general. Earlier today I submitted a story about a speed record attempt over North America this afternoon that people could go out and look at. It came out around 1pm that a coast-to-coast supersonic passenger jet - one of the final Concorde flights - was just about to start. I posted to Slashdot, and it still isn't up. The flight has now landed. Given all the excitement the plane has generated recently - see:

Mystery Fireball a Concorde Contrail?
http://science.slashdot.org/article.pl?sid=03/10/16/1320233&mode=thread&tid=134&tid=160

it could have been serious for slashdotters in Canada and possibly northern US States incl Washington State to check out possible sonic booms and contrails/fireball appearance overhead, knowing there was a world speed record attempt on. Also, see the last flight of a supersonic passenger plane over North America for who knows how long. How many times do you get to see that as it happens with your own eyes?

The story had not made it to any news outlets I'm aware of yet. It only came to light through various plane aficionados keeping in touch with what North America air traffic control and airlines are planning. It went out on JFK air traffic control at 1pm, and hence became public knowledge. This would have been a Slashdot Internet scoop.

So - question - if you know of something major about to happen, and want to alert slashdotters who are obviously interested given prior threads - how do you let everyone on Slashdot know about it while it is still happening? How do you get it through the submissions process before the story is dead? What about the next time something seriously interesting is about to happen?

Update - just posted on Seattle Museum of Flight website
Page updated 4:00 p.m. PST, November 5, 2003
http://www.museumofflight.org/visit/concorde.html
Concorde has landed and set a new World's Record for New York to Seattle.

Re:Major sky show and new North America speed reco (0)

Anonymous Coward | more than 10 years ago | (#7402874)

Uh oh, looks like you should have posted AC

Re:Major sky show and new North America speed reco (0)

Anonymous Coward | more than 10 years ago | (#7403004)

I'd like to have seen this story. This happened live, right now, and I have friends that could have seen it. Liked the earlier /. on the sky meteor, and would have been way better if /. could have posted in advance to go look at it!!! The guy posted as a story and a OT thread, but that gets dumped to the dregs here, so we still don't hear about it.

/. has good filter people. Must be a better way to handle OT major announces. That Guy Fawks story today is fun, but I could have heard it tomorrow with no difference, and still have friends get to see the record breaking today.

first greased yoda doll post shizznogg! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7402641)

THE GREASED YODA DOLL GREASED YODA !

8 steps to greasing your anus for yoda doll insertion

1) defecate. preferably after eating senna, ex lax, prunes, cabbage and hot sauces.
2) wipe ass with witch hazel, soothes horrific burns
3) prime anus with anal ease.
4) slather richly a considerable amount of vaseline or other anal lubricants into your rectum at least until the bend and also take your yoda doll or yoda soap on a rope and liberally apply it.
5) pucker your ballon knot several times actuating the sphincter muscle in order to work it in
6) slowly rest yourself onto your yoda figurine
7) make sure to have a mechanism by which to fish yoda out of your rectum, the soap on the rope is especially useful because that is built in.
8) gyrate gleefully in your computer chair while your fat sexless geek nerd loser fat shit self enjoys the prostate massage you'll be getting. Read slashdot. Masturbate to anime. Email one of the editors hoping they will honor you with a reply. Join several more dating services - this time, you dont check the (desired - speaks english) and (desired - literate). You figure you might get a chance then. Order some fucking crap from Think Geek. Get Linux to boot on a Black And Decker Appliance. Wish you could afford a new computer. Argue that IDE is better than SCSI because you cant afford SCSI. Make claims about how Linux rules. Compile a kernel on your 486SX. Claim to hate windows but use it for Everquest. Admire Ghyslain's courage in making that wonderful star wars movie. Officially convert to the Jedi religion. Talk about how cool Mega Tokyo is. Try and make sure you do your regular 50 story submissions to Slashdot, all of which get rejected because people who arent fatter than CowboyNeal can't submit. Fondle shrimpy penis while making a yoda voice and saying, feel the force, padawan, feeel the foooorce, hurgm. Yes. Yes. When 900 years you reach, a dick half as big you will not have.

All in a days work with a yoda figurine rammed up your ass.

Ground Control to Yoda Doll
Ground Control to Yoda Doll
Take your ass grease pills and put your helmet on
Ground Control to Yoda Doll
Commencing countdown, engines on
Check ignition and may God's love shove up you
Ten, Nine, Eight, Seven, Six, Five, Four, Three, Two, One, Shove Up
This is Ground Control to Yoda Doll
You've really made the grade
And the papers want to know whose butts you tear
Now it's time to leave the suppository if you dare
"This is Yoda Doll to Ground Control
I'm stepping through the door
And I'm stinking in a most peculiar way
And the ass look very different today
For here am I sitting in an ass can
Far inside the butt
My face is turning blue
And there's nothing I can do
Though I'm past one hundred thousand bowels
I'm feeling very still
And I think my buttship knows which way to go
Tell my wife I ream her very much, she knows"
Ground Control to Yoda Doll
Your circuit's dead, there's something wrong
Can you hear me, Yoda Doll?
Can you hear me, Yoda Doll?
Can you hear me, Yoda Doll?
Can you....
"Here am I floating in my ass can
Far inside his Moon
My face is turning blue
And there's nothing I can do."

Re:first greased yoda doll post shizznogg! (-1, Offtopic)

floodo1 (246910) | more than 10 years ago | (#7402943)

im dead from laughing :)

Some security is better than no security (5, Insightful)

Dancin_Santa (265275) | more than 10 years ago | (#7402654)

If all it took were a dictionary attack to sniff a password, at least it took that much.

This isn't some simple passthrough that can be gotten through by knowing a couple backdoor passwords, it's a real live algorithm.

But in the end, it's up to the user to enter a password and as long as humans remain humans easy to remember passwords will always be chosen over #HrS2sWmNw/()LggDwMn.

passphrases kick password ass (1)

cheezus (95036) | more than 10 years ago | (#7402684)

yeah, but #HrS2sWmNw/()LggDwMn.
is easier to crack than
"I bought 2 bags of frozen peas at the store"
which is much easier to remember

Re:passphrases kick password ass (2, Insightful)

Muerte23 (178626) | more than 10 years ago | (#7402858)

actually, your passphrase has much lower entropy than your random password. assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits. now consider the deterministic ordering of words in an english sentence, and you knock off a few more bits.

but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per character. now 72^20 is a lot. that's about 26 bits.

so it may be easier to remember, but it's not more secure.

Cryptography is not for the math-impaired (2, Informative)

Anonymous Coward | more than 10 years ago | (#7403021)

Where are you getting this stuff?!?

assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits.

10,000^10 ~ (2^13.3)^10 = 2^133 = 133 bits of encryption.

but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per character. now 72^20 is a lot. that's about 26 bits.

66 possibilities * 20 chars ~ (2^6)^20 = 2^120 = 120 bits of encryption.

Re:Some security is better than no security (2, Interesting)

Carnildo (712617) | more than 10 years ago | (#7402769)

In general, if someone has the ability to run a dictionary attack on a password, it's as good as giving them access. From personal experience as a sysadmin, 65%-75%(1) of all passwords can be found by a dictionary attack.

(1) From running dictionary attacks against three sets of passwords.
Computer science students: 75%
Public forum #1: 65%
Public forum #2: 75%

Re:Some security is better than no security (0)

Anonymous Coward | more than 10 years ago | (#7402816)

I used to work for a porn site that had about 200,000 registered users. The passwords were stored in plain text in the DB. Once, I selected out the top ten most common passwords. The top ten accounted for 35% or 45% (can't remember which it was) of the passwords. 'password' was #1. 1234 and 12345 were also in the top ten.

Re:Some security is better than no security (0)

Anonymous Coward | more than 10 years ago | (#7402834)

Makes the Spaceballs Presidents luggage seem secure.

Along with Druidia's air.

Re:Some security is better than no security (1)

Minderbinder106 (663468) | more than 10 years ago | (#7402802)

You wouldn't believe all the people at my school who have shared drives with read/write access that use the username guest and the password guest.

Re:Some security is better than no security (2, Insightful)

Minna Kirai (624281) | more than 10 years ago | (#7402917)

But that's no security violation. If someone wants to run the equivalent of an anonymous FTP server, let him. (I assume these are on separate disks than the main OS install, right?)

Occasionally in the loose college environment like that, you find students leaving text files on other people's hard drives, things like "Hey I like your MP3s, where do you live? I'm in Kenmore 402!", because they find shares but have no knowledge of the owner.

PS. What I don't believe is the number of administrators at your school collecting $1,800,000 severance after zero days of work!

At least use WEP! (5, Insightful)

jolyonr (560227) | more than 10 years ago | (#7402658)

It doesn't matter how easy to break a new system is, it's better than having no security.

I recently took my laptop on a trip across Toronto and in a couple of hours spotted around 60 wireless networks. Around 80% had NO encryption enabled at all. And yes, the most common SSIDs are 'default' and 'linksys'.

So make a system more complex and people won't use it - which defeats the whole object of it.

Jolyon

Re:At least use WEP! (2, Insightful)

Xerithane (13482) | more than 10 years ago | (#7402820)

I recently took my laptop on a trip across Toronto and in a couple of hours spotted around 60 wireless networks. Around 80% had NO encryption enabled at all. And yes, the most common SSIDs are 'default' and 'linksys'.


How many of those were open intentionally? Probably quite a few. I don't leave the default SSID on, just so they can get an idea where they are connecting to, but I leave my access point open. It's on a different network segment, and I figure if someone has an 802.11 card I'll help out with their bandwidth. If it ever becomes a problem on my bandwidth, I'll just regulate that segment.

Don't assume that because they are open without encryption it is due to naivety.

Re:At least use WEP! (0)

floodo1 (246910) | more than 10 years ago | (#7402959)

yeah word up, that's exactly why my wap is wide open...if you're in my neighborhood hook it up!

Re:At least use WEP! (5, Informative)

WuphonsReach (684551) | more than 10 years ago | (#7403028)

We don't use WEP on our wireless net at the office. Too often, the interaction between the card and the access-point doesn't work well if WEP is enabled (different vendors for the two products).

Instead, we've segregated all of the WAPs onto a dead-end network where the users have to VPN into our LAN through a border server. (Basically treating them as if they were outside the office and coming in from an external ISP.)

Works pretty well, other than having to remember to VPN into the network. The traffic ends up encrypted (inside of the VPN tunnel), so it's not possible to sniff passwords.

There will always be stupid users... (3, Insightful)

mackman (19286) | more than 10 years ago | (#7402663)

The important thing here is that this allows for actual security for users smart enough to use good passwords. Even in hex users can enter dumb passwords ("AA AA AA AA AA...").

Re:There will always be stupid users... (0)

Anonymous Coward | more than 10 years ago | (#7402759)

What if your password is aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?

Wouldn't that be tough to crack?

Re:There will always be stupid users... (0)

Anonymous Coward | more than 10 years ago | (#7402923)

I think your left pinky would crack first...

Re:There will always be stupid users... (1)

pegr (46683) | more than 10 years ago | (#7402973)

Nah, my fav hex password? 042CDEADBEEF It's my MAC address too!

taco is adicted to self fellatio (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7402665)

treos rock

I hope you choke on your own spunk you smarmy fuck


Re:taco is adicted to self fellatio (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7402766)

if yuo could do it, you would be to.

regardes,
CmdrTaco

Article Text (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#7402667)

Weakness in Passphrase Choice in WPA Interface
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

Use of PSK as the key establishment method

WPA and 802.11i provide for a Pre-Shared Key (PSK) as an alternative to 802.1X based key establishment. A PSK is a 256 bit number or a passphrase 8 to 63 bytes long. Each station MAY have its own PSK, tied to its MAC address. To date, vendors are only providing for one PSK for an ESS, just as they do for WEP keying.

When a PSK is used instead of 802.1X, the PSK is the Pairwise Master Key (PMK) that is used to drive the 4-way handshake and the whole Pairwise Transient Key (PTK) keying hierarchy. There is a straightforward formula for converting a passphrase PSK to the 256-bit value needed for the PMK.

This paper will look into the risks of using a PSK and particularly the risk associated with a passphrase-based PSK.

How the PSK is used in WPA and 802.11i

The PSK provides an easily implemented alternative for the PMK as compared to using 802.1X to generate a PMK. A 256bit PSK is used directly as the PMK. When the PSK is a passphrase, the PMK is derived from the passphrase as follows:

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

Where the PBKDF2 method is from PKCS #5 v2.0: Password-based Cryptography Standard. This means that the concatenated string of the passphrase, SSID, and the SSIDlength is hashed 4096 times to generate a value of 256 bits. The lengths of the passphrase and the SSID have little impact on the speed of this operation.

The PTK is a keyed-HMAC function using the PMK on the two MAC addresses and the two nonces from the first two packets of the 4-Way Handshake. This is why the whole keying hierarchy falls into the hands of anyone possessing the PSK, as all the other information is knowable.

The Intra-PSK attack

The normal practice is to have a single PSK within an ESS. To generate any PTK, a device only needs to learn the two MAC addresses and nonces (and the selected ciphersuite). All of this is available in the initial exchange, from the ASSOCIATE through the 4-Way Handshake. Any device can passively listen for these frames and then generate the PTK. If the device missed these frames, it can send a DISASSOCIATE against the STA and force the STA to perform the ASSOCIATE through the 4-Way Handshake again.

Thus even though each unicast pairing in the ESS has unique keys (PTK) there is nothing private about these keys to any other device in the ESS.

The offline PSK dictionary attack

A station that does not know a passphrase-based PSK can attack it with an offline attack. This is effective for an outsider where there is a single PSK in the ESS, or an insider where there are unique PSKs.

The 802.11i standard points out that:

A passphrase typically has about 2.5 bits of security per character, so the passphrase of n bytes equates to a key with about 2.5n + 12 bits of security. Hence, it provides a relatively low level of security, with keys generated from short passwords subject to dictionary attack. Use of the key hash is recommended only where it is impractical to make use of a stronger form of user authentication. A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks.

The PTK is used in the 4-Way handshake to produce a hash of the frames. There is a long history of offline dictionary attacks against hashes. Any of these programs can be altered to use the information in the 4-Way Handshake as input to perform the offline attack. Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.

Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase, but is unlikely to be in a dictionary attack. Using a relatively small random value represented in hexadecimal, and entering it as a passphrase will expand it to a proper 256-bit PSK.

Summary

Anyone with knowledge of the PSK can determine any PTK in the ESS through passive sniffing of the wireless network, listening for those all-important key exchange data frames. Also, if a weak passphrase is used, for example, a short passphrase, an offline dictionary attack can readily guess the PSK. Since the common usage will be a single PSK for the ESS, once this is learned by the attacker, the attacker is now a member of the ESS, and the whole ESS is compromised. The attacker can now read and forge any traffic in the ESS.

Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers.
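The passphrase-to-PMK mapping and the strength figures from the paper quoted above, as an added example (not part of the original post or of Moskowitz's paper). It assumes HMAC-SHA1 as the PBKDF2 pseudo-random function, which is what 802.11i specifies; the function names are illustrative, and applying the 96-bit figure to the 2.5n + 12 estimate is a choice made for this example.

```python
import hashlib
import secrets

PBKDF2_ITERATIONS = 4096   # iteration count from the paper's formula
PMK_BYTES = 32             # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256).

    The SSID acts as the salt, so the same passphrase yields a different
    PMK on a differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",                       # assumption: HMAC-SHA1 PRF per 802.11i
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_BYTES,
    )


def estimated_bits_802_11i(passphrase: str) -> float:
    """The standard's estimate quoted in the paper: about 2.5n + 12 bits."""
    return 2.5 * len(passphrase) + 12


def audit_passphrase(passphrase: str) -> dict:
    """Score a human-chosen passphrase against the paper's two thresholds."""
    bits = estimated_bits_802_11i(passphrase)
    return {
        "length": len(passphrase),
        "estimated_bits": bits,
        # "less than about 20 characters is unlikely to deter attacks"
        "under_20_chars": len(passphrase) < 20,
        # "96 bits SHOULD be adequate" (stated for random values)
        "meets_96_bit_target": bits >= 96,
    }


def random_hex_passphrase(bits: int = 128) -> str:
    """The paper's recommendation: a random value written in hexadecimal
    and entered as the passphrase. Each hex character carries 4 bits, so
    96 bits is 24 characters and 128 bits is 32 characters.
    """
    if bits % 8 or not 96 <= bits <= 248:   # 63-character limit caps this at 248
        raise ValueError("bits must be a multiple of 8 between 96 and 248")
    return secrets.token_hex(bits // 8)


if __name__ == "__main__":
    # Constructed sample: the passphrase and SSID are the ones named in the thread.
    weak = "My Dog Has Fleas"
    print(audit_passphrase(weak))
    print("PMK:", derive_pmk(weak, "linksys").hex())

    strong = random_hex_passphrase(128)
    print("random passphrase:", strong, "(128 bits, not the 2.5n + 12 estimate)")
    print("PMK:", derive_pmk(strong, "linksys").hex())
```

The 2.5 bits per character estimate applies only to human-chosen text; for the random hexadecimal value the strength is the number of random bits generated.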

MOD PARENT DOWN.. IT IS A TROLL (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7402736)

The text of the parent has been edited. Mod it down. It is a troll.

Using a relatively small random value represented in hexadecimal, Rob Malda's relatively small dick, and entering it as a passphrase will expand it to a proper 256-bit PSK.

My cat's breath smells like cat food. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7402674)

My cat's breath smells like cat food.

Big deal (4, Informative)

WolfWithoutAClause (162946) | more than 10 years ago | (#7402677)

Just about any protocol allows dictionary attacks. Whilst some techniques, like salt, help, ultimately they make the problem for the bad guys only slightly harder.

Only long passwords and encouraging the users to use good quality passwords/phrases really helps.

Ultimately though, these passphrases are flawed anyway- they are a form of shared password. History has shown this to be a thoroughly bad idea, one passphrase per user/machine is a far better idea; and even the user shouldn't know what it is (that way it can't get beaten out of them- black cosh cryptography works pretty darn well.) These standards organisations aren't even trying.

Re:Big deal (2, Insightful)

timeOday (582209) | more than 10 years ago | (#7402801)

Ultimately though, these passphrases are flawed anyway- they are a form of shared password. History has shown this to be a thoroughly bad idea, one passphrase per user/machine is a far better idea... These standards organisations aren't even trying.

Well, the second sentence in the article does say that the standard provides for each MAC address to be given a different key. In fact it's called a "Pairwise Master Key."

but... (0, Flamebait)

edrugtrader (442064) | more than 10 years ago | (#7402700)

but my dog DOES have fleas...

Improvement over WEP?! (3, Insightful)

hobbesmaster (592205) | more than 10 years ago | (#7402721)

Hold it, someone correct me if I'm wrong, but doesn't this mean that instead of collecting thousands of weak packets in RFMon you just need to collect one packet from each network and brute force it?

Which method is harder to crack? I'd take WEP. Simply because it takes longer to collect the necessary packets; especially on a smaller network. On a larger network it may work out to be better from a security standpoint for the cracker to start a brute force attack on the packet on a spare computer and let it sit for a few days instead of having him hide a pocket PC with a wifi card in range of the AP for a few days.

Re:Improvement over WEP?! (1)

YOU LIKEWISE FAIL IT (651184) | more than 10 years ago | (#7402812)

but doesn't this mean that instead of collecting thousands of weak packets in RFMon you just need to collect one packet from each network and brute force it?

If I understand correctly, WEP is vulnerable to this as well. You can capture one packet, decode it against a given passphrase, and then see if the IP header on the decoded packet has a correct checksum. Rinse, lather, repeat.

Let's just say that it takes a lot less time to find a set of weak ISV values.

YLFI

Re:Improvement over WEP?! (1)

hobbesmaster (592205) | more than 10 years ago | (#7402839)

That depends. If it's an underutilized network, it would be more time efficient to dictionary attack it than airsnort it.

That's my experience anyways. If it's a corporate wide network perhaps it could be owned far more easily by cracking WEP.

WEP newbie question - how bad is it? (2, Interesting)

frostman (302143) | more than 10 years ago | (#7402732)

I've just bought my first wireless kit (DLink 802.11b wireless router plus card for $60).

I did some reading on WEP and it sounds pretty frightening. Today I'm going over to set up the same kit for a friend who's NOT a slashdot type. I'm pretty-well used to data protection issues, and I take reasonable precautions and would also not freak out if something Bad happened. But I'm wondering what I should tell my non-techie friend.

Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

That's certainly what the manufacturers would have us believe, and the low prices and ubiquitous Starbucks access points seem to be causing a lot of folks to adopt wireless, at least out here in silicon valley.

Having read up on the security problems, I'm now hoping some of you can provide or point to real-world scenarios.

Hope this isn't too off-topic...

Re:WEP newbie question - how bad is it? (1)

wfberg (24378) | more than 10 years ago | (#7402787)

Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

He's safe for about 6 million packets worth of traffic - a few hours. After that any kid with a laptop, a wireless card, and wepcrack 0wnz0rs his 455.

paper here [rice.edu]

Re:WEP newbie question - how bad is it? (3, Informative)

hobbesmaster (592205) | more than 10 years ago | (#7402821)

It takes far longer than that. Getting thousands of interesting packets takes weeks for a 256bit WEP network being used by only one person.

And yes, this is from experience. I will neither confirm nor deny that I was given permission to try this...

Re:WEP newbie question - how bad is it? (4, Informative)

Dusty (10872) | more than 10 years ago | (#7402822)

Ars Technica has a good summary of what you can do with SSIDs and WEP to improve your wireless network's security:-

Security Practicum: Essential Home Wireless Security Practices [arstechnica.com]

Re:WEP newbie question - how bad is it? (1)

Shakrai (717556) | more than 10 years ago | (#7402855)

Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

Vulnerable enough that I won't use it at work without it being on the other side of our firewall and forcing the "Road-Warriors" to VPN into the network. I also have it set up (at work) so they can't access the Internet... only the VPN. Lots of paranoia there, but why take chances?

At home I use my dinky little Linksys WAP11 (using a Cisco Aironet Card to connect to it). I run WEP and (more importantly imho) MAC address filters. The MAC for my Cisco card (and my friend's D-Link card) is entered into the Linksys. In theory it will only allow those clients with that MAC to associate. So even (again in theory) if they break the WEP encryption, they won't be able to use my bandwidth. Of course they will be able to see and record all my packets... for this reason I still use ssh on my internal network.

To answer your original question, for home networks I think it's secure enough. Of course it helps my setup that I live out in the middle of nowhere and don't have to worry about the guy in the apartment next door :)

Note that the above theory is rendered moot if you leave the AP password set to "admin" and they can log into it and change it ;)

Re:WEP newbie question - how bad is it? (1)

Shakrai (717556) | more than 10 years ago | (#7402887)

To answer your original question, for home networks I think it's secure enough. Of course it helps my setup that I live out in the middle of nowhere and don't have to worry about the guy in the apartment next door :)

I should also point out however, that when I worked for a WISP, we were out doing site surveys one time. I happened to point a 24db directional antenna towards my house and was able to associate (granted I had the WEP settings and knew what the SSID was) from about 1/2mi away going through a line of trees (and the walls of my house). And that's with the Linksys using the dinky stock antennas! Only my end (the Aironet card) had the big 24db rig on it. I had about 30-35% signal strength (more than ample in my experience). Surfed on it for a few minutes for the novelty :)

Re:WEP newbie question - how bad is it? (1)

Lukey Boy (16717) | more than 10 years ago | (#7403002)

You know under Linux it's pretty trivial to change the MAC address of an Ethernet device, right?

Re:WEP newbie question - how bad is it? (3, Informative)

timeOday (582209) | more than 10 years ago | (#7402866)

The threat is way overblown. I'm willing to bet that fewer than 1% of WEP-protected access points fall to cryptographic weakness (but my guesstimate will yield immediately to anybody with ACTUAL DATA that agrees or disagrees). Any sensitive data you send, you should be (and probably are) sending over ssl (when the little lock appears in your browser window), using ssh instead of telnet, etc. As for Starbucks access points, they're not protected by WEP anyways.

Just enable the WEP, use secure applications for sensitive data, and quit worrying about it.

Re:WEP newbie question - how bad is it? (3, Informative)

ch-chuck (9622) | more than 10 years ago | (#7402879)

Don't worry, set him up, turn on wep, make some keys, and also use MAC filtering so only known stations can get in. To get around both those someone has to be fairly determined, just like someone determined to get in your house can probably do so, no matter what locks and alarms you install. That'll keep out the accidental neighbors and casual drive by scanners. Anything important like credit card numbers should be encrypted from browser to server with SSL anyway.

Now, if a bank or hospital was going to install a wireless wep on a campus with account passwords etc in the air in the parking lot, then you'd have good reason to worry.

Not New Hat (0)

Anonymous Coward | more than 10 years ago | (#7402741)

This and many other security concerns were voiced years ago in the IEEE. Unfortunately, the buffoons who pushed the standard through were not interested in hearing about them.

Misdirected karma: they screw up, consumers get hit.

Re:Not New Hat (0)

floodo1 (246910) | more than 10 years ago | (#7402986)

wow your post is sooo useful when you post it as AC :(

Article, the other one is a troll (-1, Redundant)

AnnieCoulter (720399) | more than 10 years ago | (#7402743)

Weakness in Passphrase Choice in WPA Interface
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp

Use of PSK as the key establishment method

WPA and 802.11i provide for a Pre-Shared Key (PSK) as an alternative to 802.1X based key establishment. A PSK is a 256 bit number or a passphrase 8 to 63 bytes long. Each station MAY have its own PSK, tied to its MAC address. To date, vendors are only providing for one PSK for an ESS, just as they do for WEP keying.

When a PSK is used instead of 802.1X, the PSK is the Pairwise Master Key (PMK) that is used to drive the 4-way handshake and the whole Pairwise Transient Key (PTK) keying hierarchy. There is a straightforward formula for converting a passphrase PSK to the 256-bit value needed for the PMK.

This paper will look into the risks of using a PSK and particularly the risk associated with a passphrase-based PSK.

How the PSK is used in WPA and 802.11i

The PSK provides an easily implemented alternative for the PMK as compared to using 802.1X to generate a PMK. A 256bit PSK is used directly as the PMK. When the PSK is a passphrase, the PMK is derived from the passphrase as follows:

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

Where the PBKDF2 method is from PKCS #5 v2.0: Password-based Cryptography Standard. This means that the concatenated string of the passphrase, SSID, and the SSIDlength is hashed 4096 times to generate a value of 256 bits. The lengths of the passphrase and the SSID have little impact on the speed of this operation.

The PTK is a keyed-HMAC function using the PMK on the two MAC addresses and the two nonces from the first two packets of the 4-Way Handshake. This is why the whole keying hierarchy falls into the hands of anyone possessing the PSK, as all the other information is knowable.

The Intra-PSK attack

The normal practice is to have a single PSK within an ESS. To generate any PTK, a device only needs to learn the two MAC addresses and nonces (and the selected ciphersuite). All of this is available in the initial exchange, from the ASSOCIATE through the 4-Way Handshake. Any device can passively listen for these frames and then generate the PTK. If the device missed these frames, it can send a DISASSOCIATE against the STA and force the STA to perform the ASSOCIATE through the 4-Way Handshake again.

Thus even though each unicast pairing in the ESS has unique keys (PTK) there is nothing private about these keys to any other device in the ESS.

The offline PSK dictionary attack

A station that does not know a passphrase-based PSK can attack it with an offline attack. This is effective for an outsider where there is a single PSK in the ESS, or an insider where there are unique PSKs.

The 802.11i standard points out that:

A passphrase typically has about 2.5 bits of security per character, so the passphrase of n bytes equates to a key with about 2.5n + 12 bits of security. Hence, it provides a relatively low level of security, with keys generated from short passwords subject to dictionary attack. Use of the key hash is recommended only where it is impractical to make use of a stronger form of user authentication. A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks.

The PTK is used in the 4-Way handshake to produce a hash of the frames. There is a long history of offline dictionary attacks against hashes. Any of these programs can be altered to use the information in the 4-Way Handshake as input to perform the offline attack. Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.

Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase, but is unlikely to be in a dictionary attack. Using a relatively small random value represented in hexadecimal, and entering it as a passphrase will expand it to a proper 256-bit PSK.

Summary

Anyone with knowledge of the PSK can determine any PTK in the ESS through passive sniffing of the wireless network, listening for those all-important key exchange data frames. Also, if a weak passphrase is used, for example, a short passphrase, an offline dictionary attack can readily guess the PSK. Since the common usage will be a single PSK for the ESS, once this is learned by the attacker, the attacker is now a member of the ESS, and the whole ESS is compromised. The attacker can now read and forge any traffic in the ESS.

Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers.

Posted by Glenn Fleishman at November 4, 2003 09:37 AM | TrackBack
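
The passphrase-to-PMK mapping from the paper above, with its two recommendations checked in code, as an added example that is not part of the paper or of the original post. The function names, the `example-ssid` network name and the 96-bit floor are assumptions of this example; HMAC-SHA1 is the PRF that 802.11i uses with PBKDF2.

```python
import hashlib
import secrets

ITERATIONS = 4096        # iteration count in the paper's formula
PMK_BYTES = 32           # 256-bit PMK
MIN_DETERRENT_LEN = 20   # "less than about 20 characters is unlikely to deter attacks"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256) with HMAC-SHA1."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a passphrase PSK is 8 to 63 bytes long")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),   # passphrase is the PBKDF2 password
        ssid.encode("ascii"),         # SSID is the PBKDF2 salt
        ITERATIONS,
        PMK_BYTES,
    )


def estimated_bits(passphrase: str) -> float:
    """Rule of thumb the paper quotes from 802.11i: about 2.5n + 12 bits."""
    return 2.5 * len(passphrase) + 12


def random_hex_passphrase(bits: int = 128) -> str:
    """Random value written in hex and entered as the passphrase.

    The paper suggests 96 bits should be adequate and 128 bits sufficient;
    the 96-bit floor enforced here is this example's choice.
    """
    if bits % 8 or not 96 <= bits <= 248:
        raise ValueError("bits must be a multiple of 8 between 96 and 248")
    return secrets.token_hex(bits // 8)   # 2 hex characters per byte


def review(passphrase: str, ssid: str, random_hex: bool = False) -> dict:
    """Summarise a candidate passphrase the way the paper argues about it."""
    # Random hex carries 4 bits per character; the 2.5n + 12 estimate
    # only applies to text a person made up.
    bits = 4.0 * len(passphrase) if random_hex else estimated_bits(passphrase)
    return {
        "length": len(passphrase),
        "bits": bits,
        "meets_length_guidance": random_hex or len(passphrase) >= MIN_DETERRENT_LEN,
        "pmk": derive_pmk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    ssid = "example-ssid"   # constructed network name
    candidates = [
        ("My Dog Has Fleas", False),           # the passphrase from the story summary
        (random_hex_passphrase(96), True),
        (random_hex_passphrase(128), True),
    ]
    for text, is_random in candidates:
        r = review(text, ssid, random_hex=is_random)
        print(f"{text!r}: {r['length']} chars, ~{r['bits']:.0f} bits, "
              f"meets guidance: {r['meets_length_guidance']}")
```
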

Mirror (1, Informative)

Anonymous Coward | more than 10 years ago | (#7402748)

Thought I would put up a mirror [ackbar.org] as it looks like the site is really slowing down and might die soon.

Tubgirl warning (0)

Anonymous Coward | more than 10 years ago | (#7403045)

Above is tubgirl link. why do they want us to see it?

Hey (1)

Bendebecker (633126) | more than 10 years ago | (#7402755)

1..2..3. Hey that is the same combination I use on my luggage!

Re:Hey (0, Flamebait)

damiam (409504) | more than 10 years ago | (#7402800)

That joke was kind of funny the first few times it was posted on /., roughly five years ago. Now, it's just lame.

Re:Hey (0)

Anonymous Coward | more than 10 years ago | (#7402850)

You should try 0 0 0. Nobody ever guesses that one.

My Solution.. (0)

Anonymous Coward | more than 10 years ago | (#7402762)

Basically they are claiming that this protocol is insecure because users choose bad passwords. Duh. Why not just let the user enter a pass phrase, then make an MD5 from the user supplied passphrase, then use the sum as the wireless passphrase. It's difficult to do a dictionary attack, and the user gets to stick with his chosen easy to remember pass phrase.

Re:My Solution.. (1)

Drishmung (458368) | more than 10 years ago | (#7402870)

So, instead of guessing the PSK and plugging it into the formula to see if it works (dictionary attack), you run the PTK through a one way hash (MD5), and...do the same thing.

If you know or can guess that the equipment has this extra step, you can do it too.

Did you mean instead to suggest that the equipment should take the pass-phrase, permute it in some random fashion (i.e., use it as the seed to a random number generator), and then use the resultant output as the PSK? Of course, if you do this, you have to enter the generated output as the PSK on the other stations (or else an attacker could just do a dictionary attack).

But, if you do that, you might as well just get the system to generate a random key in the first place---which is his point.

My Dog Has Fleas (2, Interesting)

Anonymous Coward | more than 10 years ago | (#7402771)

...my wireless router has a first name
it's l-i-n-k-s-y-s

my router has a SSID
it's l-i-n-k-s-y-s

RE: password security -- what about the old technique of using an acronym for something that wouldn't be hit by a dictionary attack? Um, like:

My Dog Has Fleas And Your Mom Does Too would create a password of "mdhfaymdt" ? Secure enough...and probably not in someone's best interest to share with anyone else.

Re:My Dog Has Fleas (4, Informative)

shird (566377) | more than 10 years ago | (#7402892)

Actually, a dictionary attack is unlikely to break 'My Dog has Fleas' because it is composed of multiple words, is fairly long, and has mixed case. Dictionary attacks typically involve just one or possibly two words strung together. Any more and it becomes pretty impractical.

The only practical way to find that password is through brute force. In this scenario, the longer the password and more possible different characters (i.e. lowercase and uppercase, and spaces) makes it more difficult. Thus, 'My Dog has Fleas' would be more secure than 'mdhfaymdt' against a brute force attack. The latter could be broken in a matter of hours through brute force.

Re:My Dog Has Fleas (1)

ps_inkling (525251) | more than 10 years ago | (#7403017)

Thus, 'My Dog has Fleas' would be more secure than 'mdhfaymdt' against a brute force attack. The latter could be broken in a matter of hours through brute force.

'my dog has fleas and you're my dog too?'

MY BEST FREND IS A WHORE (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7402789)


This has nothing to do with anything remotely Slashdot related, but I need to do something before my head explodes...

As I type this, my roomate and my best friend/recent lover are fucking in the next room over. WHAT THE FUCK. After 10 years of friendship and built-up sexual tension, we finally hooked up and now less than a week later she's banging my roomate. I am so fucking incensed right now I can't think straight. I wouldn't mind if they went to a hotel or otherwise didn't make it known, but she just FUCKING WALKED PAST MY ROOM TOPLESS AND SHUT THE DOOR IN MY FUCKING FACE. How fucking insensitive can you be?!

This sucks. It's 3AM and I'm telling strangers (GEEK strangers, no less) about my personal problems. I am a big pussy and will most likely not say anything to either one of them so I expect this to go on for a while. Fuck.

Feeling low? There's someone else out there that's having a worse day than you. Trust me.

Re:MY BEST FREND IS A WHORE( +1 Informative) (-1, Troll)

Organized Konfusion (700770) | more than 10 years ago | (#7402825)

hahaha thanks for that

Re:MY BEST FREND IS A WHORE (0)

Anonymous Coward | more than 10 years ago | (#7402832)

Try not being a fat linux loving asshole.
She was bored, get over it.

Re:MY BEST FREND IS A WHORE (0)

floodo1 (246910) | more than 10 years ago | (#7403005)

umm yeah stfu, saying things like "ima not do anything about it cept complain" is useless

This is *Supposed* to be hard (5, Informative)

TechyImmigrant (175943) | more than 10 years ago | (#7402799)

The idea here (I know, I was there when we voted it into the standard) is that the PBKDF2 is computationally significant.

Thus when you perform your offline dictionary attack, for each lookup in the dictionary, you must perform 4096 HMAC_SHA1s and this might take some time if you are looking up a large number of dictionary entries.

The basic conflict is the wide disparity between the power of processors in low end 802.11 transceivers and high end computers. The time to compute the 4096 HMAC-SHA1s is significant on say a slow ARM7TDMI and the 4096 value is a compromise to limit the delay in computing this. This delay affects the time from pressing return on the keyboard, to the time the PTK can be known and communications can begin.

However the attacker can apply his cluster of 3GHz PCs, or his FPGA HMAC_SHA1 parallel processor, or his supercomputer array, and make the speed of dictionary lookups relatively insignificant compared against the strength of the passwords being used.

The wise people asked for a much higher number than 4096. Some implementation types beat it down to 4096, and here we are..

sec issue (1)

segment (695309) | more than 10 years ago | (#7402809)

256bit PSK is used directly as the PMK. When the PSK is a passphrase, the PMK is derived from the passphrase as follows:

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

---------
Now I see where the problem is. Easily solvable...

alias passphrase = write "enter you MSG" \
read $MSG \
echo "$MSG" | rot13 | rot13 |mail -s Passphrase luzer@name.com

That wasn't so hard now was it?

wget -qO - kungfunix.net/fatality|sed -n '1!G;h;$p'

Shorter Version of the Article (3, Insightful)

f1f2f3 (66764) | more than 10 years ago | (#7402810)

"Poorly chosen passwords lead to insecurity."

Well, duh. I didn't need three pages of dense, TLA-obscured claptrap to tell me that.

Re:Shorter Version of the Article (1)

TechyImmigrant (175943) | more than 10 years ago | (#7402831)

No, it's worse than that.

It is the fact that an OFFLINE dictionary attack is possible. If the protocol did not enable an offline attack, then you would be able to see the attacker attempting to guess the password with a live attack and then countermeasures could be imposed.

most home users don't care. (0, Flamebait)

seibed (30057) | more than 10 years ago | (#7402827)

really, I have to re-install windows about once every month or month and a half (maybe I could stretch it out a little bit longer, but with increasing issues and difficulties) I have long since abandoned my PC as a platform for any kind of critical information. If someone wants to use it, fine, go ahead. I prefer it if no one were malicious, but hey, I'd just be re-installing anyway. What about my bandwidth you say? have at that too. I'm not using it all anyway. I might be a little peeved when I am playing games, but it's not going to kill me (well it might when I am in a game, but not in real life) These are the reasons I love knoppix... a nice clean start every time!

News flash! Easily cracked passwords easy to crack (1)

rainwalker (174354) | more than 10 years ago | (#7402828)

After reading the article (gasp!), this guy is saying that if you (the user) choose a passphrase that is susceptible to a dictionary attack, your passphrase could be compromised by someone using a dictionary attack. No kidding? I would have thought that choosing a passphrase of common words would make it HARDER for a brute-force program using a dictionary of common words to crack! Slow news day, or what?

He also points out that WPA is perfectly secure with a good shared key (such as generating 256 bits of random characters) or using the built-in 802.1X authentication system. So....what's the point here?

What's that? (5, Funny)

dswensen (252552) | more than 10 years ago | (#7402844)

perform an offline dictionary attack

What, you sneak up behind the sysadmin and brain him with a copy of Webster's?

Common Passwords (1)

MikeDawg (721537) | more than 10 years ago | (#7402853)

Dark Helmet: So the combination is 1,2,3,4,5 ... That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage.

President Skroob: . . . 1,2,3,4,5. That's amazing I've got the same combination on my luggage.

How to generate a good 8 byte PSK (1)

PureFiction (10256) | more than 10 years ago | (#7402867)

hexdump -e "\"%04x%04x\n\"" -n 8 /dev/random

Pre shared key auth/keying is a bad idea. Public key based authentication with random session keys via integration with RADIUS or Kerberos is much more secure (and should be supported by any WPA capable AP)

Re:How to generate a good 8 byte PSK (1)

PureFiction (10256) | more than 10 years ago | (#7402885)

Arg, I should proofread. The above will not print leading zeros. Try this instead:

hexdump -e "\"%4.4x%4.4x\n\"" -n 8 /dev/random

Re:How to generate a good 8 byte PSK (1)

AnotherBlackHat (265897) | more than 10 years ago | (#7402998)


hexdump -e "\"%04x%04x\n\"" -n 8 /dev/random

I prefer;
head /dev/urandom | md5sum

morons raise bounty on corepirate nazi felons (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7402869)

that's right. talk about malicious behaviour? these fauxking payper liesense stock markup FraUD billyonerrors, have done more damage to US, with their felonious softwar gangster crimewave/shoddy products, than can be measured accurately.

so, in typical ?pr? ?firm? hypenosys gangster fashion, rather than repair the infactdead BugWear(tm) blight, they endeavor to shift the focus from their owned greed/fear/ego based foibles, to place the bullame (with the support of the georgewellian fuddite murderers) onto some vandals who did not much more than to eXPose the ongoing shoddiness of the felons' 'products'.

they know J. Public has no clue as to the facts, & they continue (pretending) to deny the very existence of the creators, & the newclear power plan.

lookout bullow. the daze of the greed/fear/ego based felonious payper liesense ?pr? ?firm? hypenosys stock markup fraud execrable, is WANing into coolapps/the abyss, at the (increasing) speed of right.

pay no mind/money to the felonious payper liesense corepirate nazi softwar gangster stock markup FraUD execrable. they are self-dissolving by their owned MiSdeeds/whoreabull motives.

that's won way to help to disempower unprecedented evile.

consult with/trust in yOUR creator... get ready to see the light.

WPA dictionary attack (5, Insightful)

uucpbrain (541924) | more than 10 years ago | (#7402893)

Speaking as a cryptographer and longtime security geek, this weakness is about as damning as... using a 128 bit cipher that only gives 120 bits of protection. Look at the big picture. Most people don't even use WEP, let alone limit access by MAC address. The average user is SO oblivious to security, sharing passwords, opening .EXE attachments... I'd hate to recall how many times I found things like .rhosts files with '++' in them among career Unix programmers who must have known better. WEP was a semi-broken protocol, TACACS+ was a totally broken protocol, there was no way one could use them without compromising security. Just as nobody can use a number of commercial software products without compromising security.

WPA, on the other hand, is a very well-designed protocol. It is only as weak as its users are careless. And one need not choose "h^Ne#b8SV@,4g%yP" as a password to avoid this attack, any semi-uncommon phrase of 4 or 5 words will do.

I will deal with this problem by threatening users with a nasty note in their personnel file if they choose a sh*t passphrase -- and terminate their wireless access. And yes, I will try cracking the passwords myself, just as I have done with operating system passwords for several years.

I sure wish all my security problems were so simple! At least WPA *can* be secure, unlike the steaming heap of offal that most folks call a desktop operating system.

WPA itself remains robust and secure (2, Insightful)

frovingslosh (582462) | more than 10 years ago | (#7402911)

WPA itself remains robust and secure

Boy, some people just want to find things to complain about. I just read another "you have to protect us from ourselves" article today [theonion.com] , perhaps this should have been included in their list. Personally, I think if people want to hurt themselves this way they should be allowed to do so. If they do it as part of their job then better qualified technical people should take their place.

It has been, (1)

infonick (679715) | more than 10 years ago | (#7402930)

and always will be that computer security is a deterrent for script-kiddies. If someone wants your computer to be a smoldering pile of has-been, it will happen no matter how much money you "invest".

From the Minutes of the IEEE 802.11i meeting (1)

TechyImmigrant (175943) | more than 10 years ago | (#7403007)

Presentation - Tim Moore, Doug Whiting, Jesse Walker - doc 02/545r0 - Mapping Password to PSK
Standardize a method to generate a 256 bit PSK from an ASCII password.
PSK = PBKDF2(password, ssid, ssidlen, 4096, 256)

Jesse: Only do this if you have to. Security is bad.
Tim: Use hard to guess passwords. Also change SSID from default.
Jesse: I would suggest that every AP ship with a different SSID.
Comment: This forces the administrator to set them to a common value in order to roam.

Comment: Why so big (4096)
Doug: Increases the number of effective bits by that amount.
Comment: How long does this take?
Tim: 17ms on my machine.
Comment: There is a Unicode problem here with UTF8. Results will be different based on code page used.
Comment: Will a 1 byte SSID cause a problem with this?
Tim: This will work, but won't be very good.
Doug: Doc says don't use this in the corporate environment. Suggested for home use.

Comment: Apple had a concept of pass phrase. Is this the same?
Chair: I don't believe they ran it through a function.
Tim: How much time do people want to review the draft?
Chair: If we postpone a motion, will anybody look at it?
Jesse: Do you want it incorporated as normative?
Comment: It could be normative for optional.
Tim: Either we make it normative or WECA does.
Jesse: We could put it in an informative annex.

Motion by Russ Housley
Motion to incorporate document 02/545r0 as an informative annex.
Second: Jesse Walker

Discussion:
Comment: Request to change document to use passphrase instead of password.

Motion to amend by Donald Eastlake.
Change motion to be:
Motion to incorporate document 02/545r0 as an informative annex with password replaced by passphrase.
Second: Paul Lambert.

Discussion:
Comment: We have not properly defined "passphrase". Does the editor know this definition?
Jesse: I have seen it before.
Comment: Call the question
Chair: Any objection?
None

Vote on motion to amend: 22-1-2 Passes

New main motion:
Motion to incorporate document 02/545r0 as an informative annex with password replaced by passphrase.

Any discussion on new main motion?
None

Vote on new main motion: 24-0-1 Passes
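
The points raised in these minutes and in TechyImmigrant's earlier comment on the cost of PBKDF2 (the SSID acting as salt, the code-page problem, the 1-byte SSID, and what 4096 iterations buy), as an added example that is not part of the minutes or of document 02/545r0. Function names and sample strings are constructed for illustration.

```python
import hashlib
import math
import time


def passphrase_to_psk(passphrase: bytes, ssid: bytes, iterations: int = 4096) -> bytes:
    """PSK = PBKDF2(password, ssid, ssidlen, 4096, 256) with HMAC-SHA1.

    Takes bytes on purpose: the function hashes bytes, so whatever turns
    typed characters into bytes decides the resulting key.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, iterations, 32)


def psk_per_ssid(passphrase: str, ssids) -> dict:
    """Same passphrase under several SSIDs. The SSID is the salt, so a PSK
    computed for one network name says nothing about another."""
    return {
        ssid: passphrase_to_psk(passphrase.encode("ascii"), ssid.encode("ascii")).hex()
        for ssid in ssids
    }


def psk_per_encoding(passphrase: str, ssid: str, encodings=("utf-8", "latin-1")) -> dict:
    """Same typed passphrase under different text encodings (the 'Unicode
    problem' from the minutes): non-ASCII characters give different PSKs,
    so two devices using different code pages will not interoperate."""
    return {
        enc: passphrase_to_psk(passphrase.encode(enc), ssid.encode("ascii")).hex()
        for enc in encodings
    }


def stretch_bits(iterations: int) -> float:
    """Work added per guess, expressed in bits: log2 of the iteration count."""
    return math.log2(iterations)


def seconds_per_derivation(iterations: int = 4096, rounds: int = 20) -> float:
    """Average wall-clock cost of one passphrase-to-PSK mapping on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        passphrase_to_psk(b"constructed sample %d" % i, b"example-ssid", iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed inputs: a default-style SSID, a changed one, and a 1-byte SSID.
    for ssid, key in psk_per_ssid("constructed passphrase", ["linksys", "example-ssid", "x"]).items():
        print(f"ssid={ssid!r:16} psk={key[:16]}...")

    for text in ("cafe au lait", "caf\u00e9 au lait"):
        keys = psk_per_encoding(text, "example-ssid")
        same = len(set(keys.values())) == 1
        print(f"{text!r}: encodings agree = {same}")

    for n in (1, 4096, 65536):
        print(f"{n:6d} iterations: +{stretch_bits(n):.0f} bits, "
              f"{seconds_per_derivation(n, rounds=3) * 1000:.2f} ms per derivation")
```

log2(4096) = 12 matches the "+ 12" term in the 2.5n + 12 estimate quoted from 802.11i earlier in the thread.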
