Wireless Networking Encryption Security Hardware

Stronger Encryption for Wi-Fi

sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."

  • Question (Score:1, Interesting)

    by etymxris ( 121288 ) * on Wednesday September 01, 2004 @09:36PM (#10134631)
    I hear that the various encryption protocols are easy to hack. But what about MAC filters? They have the advantage of putting all the security work on the server side. And though MAC addresses are easy enough to spoof, you have to know which MAC address to spoof, and there is quite a large address space.

    So, are MAC filters any less/more secure than WEP?
  • overhead (Score:4, Interesting)

    by a3217055 ( 768293 ) on Wednesday September 01, 2004 @09:36PM (#10134634)
    All these new ways of encrypting data over wireless are great. Security of data is a good service. But how much will it cost? Do you need more expensive hardware to create such encryption? Will there be a loss of performance, and other related factors? These are important and must be tested before we start saying that WPA2 is the world's greatest thing for wireless encryption.
  • Re:overhead (Score:0, Interesting)

    by The Islamic Fundamen ( 728413 ) <sam_r@shaw.ca> on Wednesday September 01, 2004 @09:38PM (#10134649) Homepage Journal
    Secure Wireless Network is pretty much an oxymoron. Just by nature, a Wireless Network is unsecure. I bet a WAP hacking group has already intercepted some packets that use this newfangled encryption and is already working on cracking it. Well, that's just my 2 cents.
  • Hmm (Score:4, Interesting)

    by Mattwolf7 ( 633112 ) on Wednesday September 01, 2004 @09:39PM (#10134659)
    I doubt this is going to take off. Since we have enough problems with people enabling protection in the first place. Unless companies start requiring it, which won't happen because my local ISP gives you a wireless access point with service. But they do not enable WEP or any encryption on the devices.

    Oh well mine is enabled

    ----
    Free IPods [freeipods.com]

  • So... (Score:4, Interesting)

    by NETHED ( 258016 ) on Wednesday September 01, 2004 @09:39PM (#10134661) Homepage
    So now instead of just a few hours with a current computer, it will take a bit longer, maybe a week or something. Then someone will figure out that the key string is MAC dependent based on time signatures, or something, and there we go, no more security.

    I have no illusions about the "security" of WiFi, no matter how encrypted it may be. The signal is traveling through open space for anyone to look at, and if you look at enough of the signal, you can find the pattern. This just increases the processing power needed by the AP and Card, further pushing the development of more advanced procs. (Don't get me wrong, I'm all for this)

    I understand that corporations are interested in this for security, but for an average joe like me, I keep my access point wide open for anyone to use. If you want to look at my GF's recipes or our photos, go right ahead.

    Security is only as important as you make it to be.
  • Flaw fixed? (Score:4, Interesting)

    by sploo22 ( 748838 ) <dwahler.gmail@com> on Wednesday September 01, 2004 @09:43PM (#10134692)
    One of WEP's biggest design flaws has been that all data is encrypted with the same key. Sure, there needs to be some shared secret for authentication, but the actual data transfer should use a negotiated key known only to the user and the AP. WEP is all right for authentication, but when it comes to security it's useless against other authenticated users.

    It wouldn't be a bad idea to use something like this for non-broadcast Ethernet either, now that I think of it.
  • 802.1x (Score:3, Interesting)

    by Anonymous Coward on Wednesday September 01, 2004 @09:43PM (#10134693)
    Our network uses an 802.1x system with dynamic WEP keys. The system requires you to re-authenticate (handled automatically by 802.1x client software) with a randomly generated key every 15 minutes.

    What is the real advantage to WPA here?
  • by Anonymous Coward on Wednesday September 01, 2004 @09:56PM (#10134794)
    As slashdot is becoming more "mainstream" you can expect more fluff and less punch. Hell, half the "science" articles are just ads [slashdot.org] now.
  • by jonabbey ( 2498 ) * <jonabbey@ganymeta.org> on Wednesday September 01, 2004 @09:57PM (#10134799) Homepage

    I believe the AES implementation they are using actually does encrypt the ethernet (MAC) address, unlike WEP. (See Tying It All Together in this article [windowsecurity.com] for corroboration of that.)

    WPA2 with AES is the real deal.

  • by Powertrip ( 702807 ) * on Wednesday September 01, 2004 @10:16PM (#10134917) Homepage Journal
    So this means to take advantage of the latest security, I would again have to upgrade all my AP's and Clients... $ $ $ When will this whole industry be commoditized enough that we have 'soft' radios for wireless (Like AC97 Audio) that allow us more flexibility in upgrading older hardware to newer standards? Heck, with a true soft-wireless chipset we could use one RF device for WiFi and Bluetooth and whatever they dream up next...
  • by Anonymous Coward on Wednesday September 01, 2004 @11:27PM (#10135238)
    There are still so many devices that don't support WPA one.. Tivo, I'm looking at you. All this nonsense about a supplicant this and that. When is Tivo going to get on the WPA 1 train?

    To me the chief advantage of WPA is a human readable password.

  • by aardwolf204 ( 630780 ) on Wednesday September 01, 2004 @11:38PM (#10135283)
    I just set up a wireless access point in the conference room at my company's headquarters. Not my idea, but when the CEO wants to use his Centrino notebook's wireless it's move or be moved. Anyway, they wanted to leave it open and just turn it on when needed but I talked them out of that. Instead I set it up with 64bit WEP. The AP supports 128 bit but getting them to all key in a huge hex pass isn't going to fly. Haven't figured out how to get the passphrase to parse on XP SP1. SP2 looks nicer. Anyway all the wifi equipment is new, within the last year or two, and as netstumbler has shown me we're not the only kids on the block to have wifi with WEP in the building. I've read conflicting reports about how easy it is to crack WEP with tools as simple as those included with knoppix std, so I think what I'm asking is, is 64bit enough, and should I be more paranoid, setting up VPNs and the like?

    We're talking about light traffic (email, little browsing) from 5 or 6 users about 8 hours a day.
  • by Anonymous Coward on Thursday September 02, 2004 @03:14AM (#10136345)
    Most people would agree that AES is much stronger than RC4. Of course proper use of RC4 would be good enough to keep away the wardrivers, but not a determined PhD with too much time on his hands.
  • Re:802.1x (Score:5, Interesting)

    by ImaLamer ( 260199 ) <john.lamar@gma[ ]com ['il.' in gap]> on Thursday September 02, 2004 @05:08AM (#10136694) Homepage Journal
    Why not solve the problem by putting another line of authentication in place?

    My school *shudder* has access points in many of the labs but after a student said he was going to "hack" into it there was a simple warning:

    1. We know the MAC address to every computer in the building...
    2. We keep logs of MAC addresses that don't match our set (apparently he went around reprogramming the MAC addresses to a now defunct card maker's line for easy log watching, except for one lab which was un-re-programmable)
    3. Breaking the WEP key is a crime, during the investigation we will try to track your MAC to you (hope you didn't pay with a credit card - you're breaking into "protected" systems, in fact a federal crime)
    4. You can't get anywhere, you must authenticate through the NT (blah) server for network access
    5. It's pointless


    Really, it made sense. He simply stated that there was no point in getting a signal without access rights. The man's first job was to secure the wired network. Once the APs were put in, it wasn't a problem.

    Could you run wild on your company's network by just plugging into the next available switch?

    If so, fix that problem first.

  • by DrXym ( 126579 ) on Thursday September 02, 2004 @09:40AM (#10138006)
    Will hardware and software makers actually make it easy to use the crypto?

    If you use WEP at the moment, some operating systems will prompt you to enter the key. Not the passphrase, but the digested key. So even though I know the passphrase, I must type 26 characters of hexadecimal into my iPaq with a stylus. Linux is no better for wireless and the last time I looked required hex too. Linux is particularly lousy if you use more than one WLAN since all the dists I've tried only store the details for one of them.

    It is absolutely ludicrous. XP doesn't do that and I doubt (though I haven't tried) that OS X would either.

    Given that, it would not surprise me that of those who even know to enable crypto if half don't just give up or use MAC filters or no security at all.

    My preference would be whatever standard they choose be mandated to use crypto by default - and by virtue of the even longer key length it will force software makers to improve their support for it.
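
Added example, not part of any comment in this thread: several posts above contrast typing a raw WEP hex key with WPA's human-readable passphrase. The sketch below shows the standard WPA/WPA2-Personal mapping from passphrase and SSID to a 256-bit key (PBKDF2-HMAC-SHA1, 4096 iterations), next to the secret length behind a 10- or 26-digit WEP hex key. The function names and the sample values are constructed for illustration.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def wpa_psk(secret: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for WPA/WPA2-Personal.

    A secret of 8..63 printable ASCII characters is treated as a passphrase
    and stretched with PBKDF2-HMAC-SHA1 (salt = SSID, 4096 iterations).
    A secret of exactly 64 hex digits is treated as the raw key itself.
    """
    ssid_bytes = ssid.encode("utf-8")
    if len(ssid_bytes) > 32:
        raise ValueError("SSID must be at most 32 bytes")
    if len(secret) == 64 and set(secret) <= HEX_DIGITS:
        return bytes.fromhex(secret)
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               ssid_bytes, 4096, 32)


def wep_key_bits(hex_key: str) -> int:
    """Secret bits in a WEP key typed as hex.

    "64-bit" WEP is 10 hex digits (40 secret bits + 24-bit IV);
    "128-bit" WEP is 26 hex digits (104 secret bits + 24-bit IV).
    """
    if len(hex_key) not in (10, 26) or not set(hex_key) <= HEX_DIGITS:
        raise ValueError("WEP hex keys are 10 or 26 hex digits")
    return len(hex_key) * 4


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    psk = wpa_psk("password", "IEEE")
    print("WPA PSK:", psk.hex(), f"({len(psk) * 8} bits)")
    print("WEP key:", wep_key_bits("0123456789abcdef0123456789"), "secret bits")
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and the strength of the result still depends on the passphrase being hard to guess.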
