×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Stronger Encryption for Wi-Fi

michael posted more than 9 years ago | from the huff-and-puff-and-blow-the-house-down dept.

Wireless Networking 175

sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

175 comments

Sssssh! (4, Funny)

FooAtWFU (699187) | more than 9 years ago | (#10134603)

Please don't tell my neighbors about this technology. Thanks. :)

Re:Sssssh! (1)

the_denman (800425) | more than 9 years ago | (#10134629)

the ones I like the best are the "dlink" points
where they haven't even set the admin password yet

Re:Sssssh! (1)

LnxAddct (679316) | more than 9 years ago | (#10135370)

Linksys APs are sweet too, no WEP by default, no firewall, and if you can root a wired computer on the network,the passwords on all the routers are "admin" (IIRC) and the username is blank. I'm pulling that from memory, it may be slightly off. The Metasploit project along with ettercap is really great too for such cases. Using those tools you can be a white hat and enable WEP for them, leave them a message explaining what you did and how to set their laptops up to use it, and then sleep well at night :)
Regards,
Steve

Re:Sssssh! (2, Funny)

Anonymous Coward | more than 9 years ago | (#10134893)

The subject is misleading :P I thought it was secure-secure-secure-secure shell

Re:Sssssh! (2, Funny)

Hobadee (787558) | more than 9 years ago | (#10134901)

Haha! Join the club!

I went over to my friends house and was surprised that I was getting a WiFi signal. I asked my friend, "Dude, when did you get wireless?" He was like "We didn't."

Cue a slow grin growing over my and his faces.

Re:Sssssh! (1)

Nyder (754090) | more than 9 years ago | (#10135422)

too late, I know now.

=)

(at least the person I "borrow" my wifi from doesn't use any protection...)

AES-256 (0)

Anonymous Coward | more than 9 years ago | (#10134605)

Be sure to use AES-256.

awww yeah (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10134608)

i gots da skillz dat make da benjamins
da benjis pay da billz

fuck a bunch of slashbots

Does this means... (-1, Troll)

Shivaji Maharaj (692442) | more than 9 years ago | (#10134609)

The 64 bit encryption I set on my brand new Dlink access point is not sufficient ?

Re:Does this means... (2, Insightful)

bloo9298 (258454) | more than 9 years ago | (#10134903)

The number of bits used by the key is not enough to judge the security of the system. You could have a crap cryptographic algorithm or, more likely, a crap protocol.

Re:Does this means... (3, Informative)

brain159 (113897) | more than 9 years ago | (#10134953)

Sufficient for what?

Keeping a serious attacker away from your data, if it's specifically you he's after? Possibly not.

Keeping a casual war(mode-of-transport)'er out of your WLAN to stop him leeching your bandwidth? Probably.

Re:Does this means... (1)

presmike (754040) | more than 9 years ago | (#10135487)

AES if implemented correctly is 10 time better then having an open ethernet port outside your house. For the love of God people, please understand cryptography before making un-informed comments about how weak this will be.

http://home.ecn.ab.ca/~jsavard/crypto/co040801.h tm

"As of 2004, no successful attacks against AES have been recognised" http://en.wikipedia.org/wiki/AES

fpfp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10134610)

fp

fp2 (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10134612)

fp.

I am cool.

upgrades to old equipment (4, Insightful)

the_denman (800425) | more than 9 years ago | (#10134613)

The real question is will the manufacturers come out with new drivers/firmware to take advantage of this new technology?

Mods on crack! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10134625)

This isn't redundant, its the first post asking this question!.

You people really have problems..

Re:upgrades to old equipment (4, Insightful)

aredubya74 (266988) | more than 9 years ago | (#10134647)

Nope. They'll come out with new equipment, which we will buy. Sigh.

Re:upgrades to old equipment (1)

pfunkmallone (89539) | more than 9 years ago | (#10134868)

Yup, another technology where the first incarnation was buggy, and they charge you to upgrade to what you SHOULD have gotten the first time around.

I agree...it's highly unlikely Linksys will be releasing firmware for their older equipment.

Re:upgrades to old equipment (2, Insightful)

sadler121 (735320) | more than 9 years ago | (#10135021)

Unless you have a Linksys WRT54G router, where there are already open source firmware projects. Once the standerd is settle on, (which sounds like it is pretty much settled on now, from RTFA), I would expect these various projects to upgrade to WPA2.

Linksys may not like this, and may attempt to sue these projects into oblivian, (using our "friend" the DMCA). But it shouldn't be to hard to implimate.

Re:upgrades to old equipment (2, Insightful)

afidel (530433) | more than 9 years ago | (#10135233)

uh, is the hardware capable of doing multiple AES-128 conversations in real time with changing keys all without an ASIC? I doubt it. So new hardware will almost assuradly be needed.

Re:upgrades to old equipment (2)

ksilebo (134470) | more than 9 years ago | (#10135000)

Manufacturers may not release the firmware, but others may develop their own firmware. OpenWRT is a good example, for Linksys WRT54G(S) routers. Perhaps a nice little package for it.

but--- but... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10134615)

Isn't encryption supposed to be dead already??

Question (1, Interesting)

etymxris (121288) | more than 9 years ago | (#10134631)

I hear that the various encryption protocols are easy to hack. But what about MAC filters? They have the advantage of putting all the security work on the server side. And though MAC addresses are easy enough to spoof, you have to know which MAC address to spoof, and there is quite a large address space.

So, are MAC filters any less/more secure than WEP?

Re:Question (3, Informative)

ericpi (780324) | more than 9 years ago | (#10134654)

I believe MAC filters are inherently less secure than encryption: The MAC addresses, I believe, are sent in the clear (i.e., not encrypted), so all someone has to do is listen to which devices are already operating on the network, then spoof their MAC to match.

Re:Question (1)

etymxris (121288) | more than 9 years ago | (#10134682)

Yes, but as far as I've seen, a (whitelist) MAC filter prevents anything not on the list from receiving any acks. So you wouldn't be able to listen to see what MACs are available, right?

Re:Question (0)

Anonymous Coward | more than 9 years ago | (#10134716)

No. You don't need permission from the AP to look at stuff sent out cleartext.

Re:Question (4, Informative)

ericpi (780324) | more than 9 years ago | (#10134725)

At first, you don't trasmit anything. (Since, as you point out, the whitelist would prevent the access point from responding to you, anyway.) However, you just listen to the existing legitimate traffic. Then clone your device with the same MAC as one of these legitimate (and already on the whitelist) devices.

Re:Question (1)

etymxris (121288) | more than 9 years ago | (#10135065)

Yes, OK, I understand now. You would need special equipment, I imagine, unless there is a way to get a standard card to listen to all traffic on a given channel. But this would still make it easier than WEP. So I guess that answers my question.

Re:Question (1)

Erik Hollensbe (808) | more than 9 years ago | (#10135190)

As I understand it (I'm not really a network geek, so I could be wrong here), arp poisoning is an easy tactic to start getting data from any machine with a signal strength that can reach you.

Here [securitywarnings.com] is a description of what it entails.

AES protects entire frame (4, Interesting)

jonabbey (2498) | more than 9 years ago | (#10134799)

I believe the AES implementation they are using actually does encrypt the ethernet (MAC) address, unlike WEP. (See Tying It All Together in this article [windowsecurity.com] for corroboration of that.)

WPA2 with AES is the real deal.

Re:AES protects entire frame (1)

mbvgp (624905) | more than 9 years ago | (#10134943)

If AES encrypts the Mac address it would make base 802.11 not work. So it sends the mac address normally.
But it uses the mac address and some other header fields along with the encryption key to make the encryption more tight.

Re:AES protects entire frame (1)

ThisNukes4u (752508) | more than 9 years ago | (#10135078)

So what your saying, is that they are creating another layer ontop of Ethernet? Well then I don't see how it could be backwards compatiable, unless this behavior could be turned off when it is being used with older equipment.

Re:AES protects entire frame (2, Interesting)

Erik Hollensbe (808) | more than 9 years ago | (#10135177)

The negotiation is done in hardware, so if drivers are implemented correctly all the OS sees is another ethernet device with a possible extra set of status information and twiddles.

This is how some hardware SSL accelerators work as well.

Although you are correct in the fact that the encryption standards are not compatible with each other.

The real question is (0, Redundant)

dreamer8815 (757752) | more than 9 years ago | (#10134632)

How long is it going to take my neighbor to upgrade and lock me out of my stol^^^^borrwed internet access.

Good (3, Funny)

ergo98 (9391) | more than 9 years ago | (#10134633)

I feel I speak for wireless users everywhere when I say "Good". What more is there to say?

Re:Good (3, Insightful)

SoSueMe (263478) | more than 9 years ago | (#10134952)

I feel I speak for wireless users everywhere when I say "Wha?"

Sadly, this is more prevalent than we like to think.

overhead (4, Interesting)

a3217055 (768293) | more than 9 years ago | (#10134634)

All these new ways of encrypting data over wireless is great. Security of data is a good service. But how much will it cost, do you need more expensive hardware to create such encryption, will there be a loss of performance and other related factors. These are important and must be tested before we start saying that wap2 is the world's greatest thing for wireless encryption.

Re:overhead (2, Interesting)

The Islamic Fundamen (728413) | more than 9 years ago | (#10134649)

Secure Wireless Network is pretty much an oxymoron. Just by nature, a Wireless Network is unsecure. I bet a WAP hacking group has already intercepted some packets that use this newfangled encryption and is already working on cracking it. Well, thats just my 2 cents.

WPA2? (3, Informative)

Trygve (75999) | more than 9 years ago | (#10134645)

Correct me if I'm wrong, but isn't WPA2 just the WiFi Alliance being stuborn about what to call 802.11i? I mean, WPA was just supposed to be 802.11i minus everything that required hardware upgrades. WPA2 is just 802.11i, only not a real standard, ooh boy!

Re:WPA2? (5, Informative)

lizrd (69275) | more than 9 years ago | (#10134856)

Not exactly. Wi-Fi/WPA/WPA-2 are all industry standards based on the various 802.11? IEEE standards. The difference is that WECA (Wireless Ethernet Compatability Alliance) actually does testing rather than just publishing standards like IEEE does. In order to get the fancy sticker on the package you need to pay a couple of grand and get your product tested to the standards. The benefit of certification is that you have some idea that the product was actaully implemented to the standard correctly.

That said, WPA-2 provides basically zero benefit over WPA. WPA relies on the same RC-4 algorithm as WEP, but has a few patches put in place to resolve the problems it had. The most important one is using a new key for each frame. Given a choice between an algorithm that can be broken given 11MB of data and one that has no known attacks, do you think that it matters which you use to encrypt 1500 bytes? Not really.

The good news about WPA-2/802.11i (same thing, just certified and a less scary name for the PHBs) is that it breaks hardware compatibility, and that means there's a chance that things have been done right this time.

WHY WONT SLASHDOT POST THIS STORY? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10134650)

Re:WHY WONT SLASHDOT POST THIS STORY? (1)

pilot1 (610480) | more than 9 years ago | (#10134706)

That's obviously BS - just look at who wrote it.
Lyons doesn't exactly have a reputation for writing accurate, nonbiased, intelligent pieces.

Re:WHY WONT SLASHDOT POST THIS STORY? (0)

Anonymous Coward | more than 9 years ago | (#10134758)

Which part is BS? The one where he directly quotes the people who chose Windows over Linux because it is cheaper?

That doesnt explain it... (1)

nmoog (701216) | more than 9 years ago | (#10134801)

Cause Slashdot doesn't exactly have a reputation for posting accurate, nonbiased, intelligent pieces.

Re:That doesnt explain it... (0)

Anonymous Coward | more than 9 years ago | (#10134881)

That's not true of the pieces they post.. I wish I could say the same for some of the comments.

Re:That doesnt explain it... (0)

Anonymous Coward | more than 9 years ago | (#10134954)

Um.. you're living in a strange world if you think Slashdot's journalistic itegrity approaches that of any respectable media outlet. How many times are we going to see Michael or Taco comment on a story (hint, is this a news site, or an opinion section?). Or what about stories that get duped several times per month? Or when someone like Pudge posts some "cool" thing from Apple just because he is an Apple sealot? Or what about the stories of a "Tactile Digitial Assistant" that doesn't exist posted by a known troll that Slashdot accepted twice and posted as real news?

I'm sorry but you are full of shit.

Re:WHY WONT SLASHDOT POST THIS STORY? (1, Interesting)

Anonymous Coward | more than 9 years ago | (#10134794)

As slashdot is becoming more "mainstream" you can expect more fluff and less punch. Hell, half the "science" articles are just ads [slashdot.org] now.

Re:WHY WONT SLASHDOT POST THIS STORY? (0)

Anonymous Coward | more than 9 years ago | (#10134827)

6th paragraph:
Add in the cost of retraining users and IT staff, rewriting applications to run on Linux, and the cost of
paying separately for programs like application servers, Web servers and directories (which come bundled with Windows)...

HAHAHAHA!

IS LINUS A SECRET AMERICAN GAY NIGGER? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10134831)

Just think about it a while, he is known to live in the United States and friends confirm he often uses the terms "bro", "posse" and "bling-bling" in his private conversations.
In addition his cd collection is rumoured to contain Jackson 5 and 50-cents CDs.

Re:IS LINUS A SECRET AMERICAN GAY NIGGER? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10134931)

OMG I KNEW IT!! LINUX TORFLAND IS ONE OF US!! w00t!!!

--
DON'T USE SO MANY CAPS. IT'S LIKE yelling yalling yolling yulling yilling y@lling y4lling.

"Easy to circumvent"? (5, Informative)

Anonymous Coward | more than 9 years ago | (#10134658)

All of the known WEP attacks are based on receiving weak IV frames (usually after sifting through gigabytes of data). Modern WiFi chipsets (i.e., those made within the last 2 years or so) do not send weak IV frames all that often, if at all.

It is not as easy as everyone says. Try it with some brand-new, high quality equipment and you may be surprised at the result.

Re:"Easy to circumvent"? (-1, Troll)

ConsumedByTV (243497) | more than 9 years ago | (#10134905)

Hi,
You're wrong.

2001 called, they want you to shut up [lava.net].

Vendors make mistakes outside of WEP that directly affect WEP. A system isn't strong simply because it uses AES or because it doesn't have weak IVs.

Many systems still send weak frames, you're wrong.

I have cracked WEP many many times and there are multiple methods.

You don't know what you're talking about.

Re:"Easy to circumvent"? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10135032)

Obviously you don't know what YOU are talking about. Just because you have a buunch of scripts that is capable of cracking WEP does not mean you have a knowledge of why WEP is vunerable. WEP cannot be made totally secure (the claim was not made by me or the grandparent), however, many vendors have highly reduced the vulnerability of WEP.

Please come back with an argument once you become a little more knowledgeable in this area. A**hole script kiddies need not apply.

Re:"Easy to circumvent"? (0)

Anonymous Coward | more than 9 years ago | (#10135212)

your parent is right. weak IVs are no longer required to compromise WEP keys. so the efforts of the vendors you are talking about are void. WEP is inherently insecure.

google for "korek" and his ideas of WEP attacks and you will know what i mean.

Re:"Easy to circumvent"? (0)

Anonymous Coward | more than 9 years ago | (#10135428)

Sadly, you do not know what you are talking about. I mentioned nothing about IV.

Serious answer form geeks in the know...? (2, Interesting)

aardwolf204 (630780) | more than 9 years ago | (#10135283)

I just setup a wireless access point in the conference room at my company's headquarters. Not my idea but when the CEO wants to use his centrino notebooks wireless its move or be moved. Anyway, they wanted to leave it open and just turn it on when needed but I talked them out of that. Instead I set it up with 64bit WEP. The AP supports 128 bit but getting them to all key in a huge hex pass isnt going to fly. Havent figured out how to get the passphrase to parse on XP SP1. SP2 looks nicer. Anyway all the wifi equipment is new, within the last year or two, and as netstumbler has shown me we're not the only kids on the block to have wifi with WEP in the building. I've read conflicting reports about how easy it is to crack WEP with tools as simple as those included with knoppix std, so I think what I'm asking is, is 64bit enough, and should I be more paranoid, setting up VPNs and the like?

Were talking about light traffic (email, little browsing) from 5 or 6 users about 8 hours a day.

Re:"Easy to circumvent"? (0)

Anonymous Coward | more than 9 years ago | (#10135412)

Why do you think you are smarter than FMS? Read the paper. Then read the Wagner post reference in the paper. FMS published an attack knowing the Wagner attack, and the Wagner attack is three time more effective. Now does the new equipment filter those weak IVs. I don't know. But they have been selling crippled encryption for at least 3 years now, so I guess you could trust them:
http://it.slashdot.org/comments.pl?sid=118626&cid= 10018785 [slashdot.org]

Hmm (3, Interesting)

Mattwolf7 (633112) | more than 9 years ago | (#10134659)

I doubt this is going to take off. Since we have enough problems with people enabling protection in the first place. Unless companys start requiring it, which won't happen because my local ISP gives you a wireless access point with service. But they do not enable WEP or any encryption on the devices.

Oh well mine is enabled

----
Free IPods [freeipods.com]

Re:Hmm (4, Insightful)

gad_zuki! (70830) | more than 9 years ago | (#10134763)

>Unless companys start requiring it

That's a bit out there. Do you really want the ISP doing what they think is best for you (or them)? "Oh, so you're running a webserver." Block port 80. "Oh, so you aren't using Microsoft's Firewall?" It gets installed by a tech and they charge you 50 bucks for the trouble, even though you have a hardware firewall, etc. Trust me, you don't want to be punished by rules set for the lowest common denominator.

The problem here is the problem we see everywhere when it comes to computers: usability. WEP is counter-intuitive to implement. WPA is a step in the right direction with a single password (as people understand the concept of passwords). The new MS wireless manager in SP2 goes a lot way to simplifying wifi also.

Make no mistake about it, there are lot of people who tried to get WEP to work only to have it fail. I know I've had bizarre issues with WEP that could only be fixed with a hard reset on the device and falling back to default settings, a firmware downgrade, upgrading firmware on the card, generating new keys every so often because the thing just didn't like the old ones, playing around with advanced wireless settings, etc. I don't think that level of troubleshooting should be expected from a typical end user.

Re:Hmm (1)

afidel (530433) | more than 9 years ago | (#10135302)

Yes, Yes I do. I WANT the default to be secure. I want them to block outgoing port 25 traffic except when asked by a customer with a listed SMTP server. I WANT them to setup WEP at a minimum, and preferably WPA by default. People who know well enough to turn off the security features will do so when they feal it is apropriate and the great unwashed masses will be protected from their ignorance. It's the same reason I applaud Microsoft for turning off almost all services by default in Server 2003, and turning on the firewall by default in XP SP2. If there are stupid technical glitches with an implementation then fix it and support your clients, that is afterall what you are paid to do. The spam problem is one rooted in default permissiveness and trust, we don't need more similar problems.

So... (3, Interesting)

NETHED (258016) | more than 9 years ago | (#10134661)

So now instead of just a few hours with a current computer, it will take a bit longer, maybe a week or something. Then someone will figure out that the key string is MAC dependent based on time signitures, or something, and there we go, no more security.

I have no illusions about the "security" of WiFi, no matter how encrypted it may be. The signal is traveling through open space for anyone to look at, and if you look at enough of the signal, you can find the pattern. This just increases the processing power needed by the AP and Card, further pushing the development of more advanced, procs. (Don't get me wrong, I'm all for this)

I understand that corperations are interested in this for security, but for an average joe like me, I keep my access point wide open for anyone to use. If you want to look at my GF's reciepe's or our photos, go right ahead.

Security is only as important as you make it to be.

Re:So... (2, Funny)

Anonymous Coward | more than 9 years ago | (#10134855)

The signal is traveling through open space for anyone to look at, and if you look at enough of the signal, you can find the pattern.
Thanks for letting us know you don't have the slightest clue how encryption works. Now go play in your room, we're talking about grown-up things.

;)

Re:So... (1)

Bruiser2B27 (780913) | more than 9 years ago | (#10134960)

While this might be a long shot, what if your neighbors decide to steal Internet access from you? What if they decide to use that access for illegal activies? If and when the FBI/police trace that stuff back to your IP, it will be you in custody, and your PC(s) taken away. Do you really trust your neighbors?

Re:So... (1)

spectral (158121) | more than 9 years ago | (#10135089)

Then point to the logs the AP prolly keeps as to when various people connected using it, and say "Hey, wasn't me." There's at least an easy way to deny it.

If you have the thing encrypted up the wazoo, and they break it, then the courts are going to say "Sorry, not possible. It's using really good encryption."

If you're really worried about trusting your neighbors, then give them free access to it, and limit their speed somehow so it doesn't bother you. Voila, you're a carrier with no knowledge of what they did on your wires, and you can't be held responsible for their actions.

Re:So... (2, Insightful)

Vellmont (569020) | more than 9 years ago | (#10134968)

Wow. You certainly have put the security researchers in their place with that "or something". The truth is that if implemented properly you can have highly secure communications while anyone can monitor those signals.

It remains to be seen if this is the case, but if you really want security use proven technology like SSH or a well implemented VPN.

Who mods this crap up? (0)

Anonymous Coward | more than 9 years ago | (#10135044)

Seriously. You don't know what the purpose of encryption is.

The purpose of encryption is to make it so that information cannot be decoded by third parties who may intercept your information. There are years of mathematical proof and basis to prove that properly done encryption to be not capable of being cracked but simply so exceedingly difficult and time consuming that it is considered to be tantamount to being secure.

Re:So... (2, Funny)

Agent Green (231202) | more than 9 years ago | (#10135413)

If you want to look at my GF's reciepe's or our photos, go right ahead.

Actually, we just want to see her photos. :)

Wait... (1)

rmdir -r * (716956) | more than 9 years ago | (#10134664)

Is this a software protection? A firmware protection? Will older devices be able to connect to WPA2 networks? That article is a bit... scarce on the details.

Why not get users to use what they have (3, Insightful)

the_denman (800425) | more than 9 years ago | (#10134667)

Using 128 bit encription on most residental points will take several weeks of listening to break (correct me if I am wrong here) Shouldn't we concentrate on convinceing users on just doing something.

Re:Why not get users to use what they have (1)

howlatthemoon (718490) | more than 9 years ago | (#10134733)

It depends on the access point, some older ones from a few major manufacturers are vulnerable to a Newsham (I think I got that right) attack, you can get a key off of those with relatively few data packets, not that I have ever done that ;-). That said, you are right, a 128 bit key changed weekly will be very hard to crack given the light usage by most residential users.

Re:Why not get users to use what they have (4, Insightful)

gad_zuki! (70830) | more than 9 years ago | (#10134790)

> on most residental points will take several weeks

Try months (and thats on old equipment with no firmware upgrade to filter out weak frames). Try not getting spotted sitting there with your laptop and running airsnort all day.

Do these WEP fatalists also refuse to lock their cars/house doors because anyone with some skill and one easily gotten tool can open their doors? Do these people also make their own padlocks in their basement because every manufacturer has a master key? Do these people also use blank passwords because cracking NTLM or most passwd files is very doable, etc.

AES is good, FIPS 140 AES is better... (1)

xxxJonBoyxxx (565205) | more than 9 years ago | (#10134672)

If there's one place closed source is on the level with open source, its when the entire package has been validated by the folks at NIST under the FIPS 140 program.

http://csrc.nist.gov/focus_areas.html#cryptograp hi c

Flaw fixed? (3, Interesting)

sploo22 (748838) | more than 9 years ago | (#10134692)

One of WEP's biggest design flaws has been that all data is encrypted with the same key. Sure, there needs to be some shared secret for authentication, but the actual data transfer should use a negotiated key known only to the user and the AP. WEP is all right for authentication, but when it comes to security it's useless against other authenticated users.

It wouldn't be a bad idea to use something like this for non-broadcase Ethernet either, now that I think of it.

Re:Flaw fixed? (1)

JavaNerd (805503) | more than 9 years ago | (#10135009)

For a small or home network with trusted users, sharing the key works just fine. For larger networks, you would still want to secure the wireless access itself and also use IPSec [webopedia.com] to secure users from each other. This is as true for a wired network with a large user population as it is for a wired network (remember packet sniffers and switch hacks?) IPSec is standard with IPv6 [wikipedia.org] and can also work with IPv4 (the "regular" internet).

Re:Flaw fixed? (1)

afidel (530433) | more than 9 years ago | (#10135340)

Cisco LEAP fixed that flaw a long time ago by using per user dynamic WEP keys, so does WPA 1 and 802.1x. Hell WPA provides for per packet keys if the hardware can do it, so cracking the WEP is basically impossible and superfelous. Btw 802.1x is not specific to the 802.11 suite, it can be used on 802.3 wired ethernet as well (hell it can be applied to just about any medium).

802.1x (3, Interesting)

Anonymous Coward | more than 9 years ago | (#10134693)

Our network uses a 802.1x system with dynamic WEP keys.. the system requires you to re-authenticate (handled automatically by 802.1x client software) with a randomly generated key every 15 minutes.

What is the real advantage to WPA here?

Can we upgrade firmware ? (1, Redundant)

phoxix (161744) | more than 9 years ago | (#10134700)

Or do we have to buy new products ?

I'm finding those wireless encryption thing to be a load of bullshit.

It seems like everytime they finally seem to get the crypto part down (WPA), we get something new (WPA2). I think I'll wait for WPA12938491849034 before upgrading any of my hardware.

Thankfully we have IPsec. (if only the OS-X version didn't suck so much)

Sunny Dubey

Re:Can we upgrade firmware ? (2, Informative)

ctime (755868) | more than 9 years ago | (#10134757)

the original design specks for WPA included the ability to flash/bios upgrade the code on the wireless adaptor to support these new fangled protocols...pending the original hardware has the processing ability to support the new stuff (256 bit aes encryption for eg. might be difficuilt on really early adaptors)..although i might add aes encryption is actually less cpu intensive than say wep, but it could remain a problem.

hers the deal (1)

ctime (755868) | more than 9 years ago | (#10134708)

WPA-2 with AES 256bit encryption and Protected Extensible authentication protocol (PEAP).

Deal.

I still prefer a wired connection.

Re:hers the deal (1)

presmike (754040) | more than 9 years ago | (#10135350)

why... did you just figure out a way to break AES that your not sharing with everyone else?

Pointless.. (5, Insightful)

mcknation (217793) | more than 9 years ago | (#10134735)


As long as these acess points are shipped with encryption turned *OFF* by default this is like pissing in the wind. It could be 1 billion bit one time pads and woulnd't make any difference. In my neighboorhood there are 10 unencrypted networks....all on the default channels. Out of the box straight onto the network is how they are set up. Joe Sixpack doesn't have time to deal with encryption.

*don't worry much residential war drivers..there will still be free lunch for a long time to come... /-McK

Re:Pointless.. (1)

lavorgeous (191087) | more than 9 years ago | (#10134898)

All of the 2Wire routers I've seen, which are, I think, distributed by DSL providers, seem to have WEP turned on.

So some provider is doing something right.

Re:Pointless.. (3, Insightful)

subreality (157447) | more than 9 years ago | (#10135059)

Not pointless.

Even if it's turned off by default, the ability to turn on good crypto is perfectly useful.

Missing a point here... (3, Insightful)

z3021017 (806883) | more than 9 years ago | (#10134913)

People talk about WPA security and how it's important, but the fact is most home users don't even change the default password for their wireless routers.

Re:Missing a point here... (1)

KillerCow (213458) | more than 9 years ago | (#10135095)

People talk about WPA security and how it's important, but the fact is most home users don't even change the default password for their wireless routers.

There is a difference between not having a technology and not using it. The difference is that people who want to use it can if it's available, while no one can if it's not.

So I have to upgrade...again? (4, Interesting)

Powertrip (702807) | more than 9 years ago | (#10134917)

So this means to take advantage of the latest security, I would again have to upgrade all my AP's and Clients... $ $ $ When will this whole industry be commoditized enough that we have 'soft' radios for wireless (Like AC97 Audio) that allow us more flexibility in upgrading older hardware to newer standards? Heck, with a true soft-wireless chipset we could use one RF device for WiFi and Bluetooth and whatever they dream up next...

Anyone getting 503's? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10135070)

Anyone else getting error 503 when you try to load slashdot? I got them in Mozilla (version 1.1, I know it's old..) but not in lynx (where I am now).

Even in lynx, slashdot seems unusually slow...

scratch that (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10135088)

It's working in moz now.

Link level security is fairly useless. (2, Insightful)

pingus (542585) | more than 9 years ago | (#10135114)

Link level security is fairly useless. It's fine for the average user, but the average user doesn't know how to turn it on. It would be great if there was some kind of auto-negotiated application layer security. Like IPSeC that has the user transport a USB dongle with the keys or something. This is just frivilous.

WPA 2? How about WPA 1 support? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#10135238)

There are still so many devices that don't support WPA one.. Tivo, I'm looking at you. All this nonsense about a supplicant this and that. When is Tivo going to get on the WPA 1 train?

To me the chief advantage of WPA is a human readable password.

its about time (3, Insightful)

presmike (754040) | more than 9 years ago | (#10135368)

you guys can piss and moan all you want but AES is rock solid. This is a great solution for those who don't have time resources or knowledge to use 802.11x with RADIUS. Finanaly a secure encruption scheme for home users who know absolutely nothing about encryption and how it works. I give it 2 thumbs up :)

LEAK length? (1, Funny)

Anonymous Coward | more than 9 years ago | (#10135408)

How many bits is the Law Enforcement Access component of the key?

NSA Encryption Restrictions (1)

Gumpmaster (756851) | more than 9 years ago | (#10135505)

I remember hearing that the NSA restricts the export of high level encryption protocols. Is this still in effect and does this new Wi-Fi encryption push the limits of this restriction?
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...