
Stronger Encryption for Wi-Fi

Posted by michael
from the huff-and-puff-and-blow-the-house-down dept.
sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."

  • Sssssh! (Score:4, Funny)

    by FooAtWFU (699187) on Wednesday September 01, 2004 @09:32PM (#10134603) Homepage
    Please don't tell my neighbors about this technology. Thanks. :)
    • Re:Sssssh! (Score:2, Funny)

      by Anonymous Coward
      The subject is misleading :P I thought it was secure-secure-secure-secure shell
    • Re:Sssssh! (Score:2, Funny)

      by Hobadee (787558)
      Haha! Join the club!

      I went over to my friend's house and was surprised that I was getting a WiFi signal. I asked my friend, "Dude, when did you get wireless?" He was like "We didn't."

      Cue a slow grin growing over my and his faces.
      • My dorm is even better. I work for the computer center and know that it's illegal to have access points, but I felt like going war walking last night. One building, two floors, 17 access points. All named belkin54g, linksys, wireless, or default. Except for two (unencrypted) networks called "Pablo's Private Network" and "don't use".

        If you don't want me to use it try some WEP at least. I am typing this on a channel-6 "linksys", actually. Now the next time I need illegal movies I'll just use this AP; i
  • by the_denman (800425) <denner@gmail. c o m> on Wednesday September 01, 2004 @09:33PM (#10134613) Homepage
    The real question is will the manufacturers come out with new drivers/firmware to take advantage of this new technology?
  • Question (Score:1, Interesting)

    by etymxris (121288) *
    I hear that the various encryption protocols are easy to hack. But what about MAC filters? They have the advantage of putting all the security work on the server side. And though MAC addresses are easy enough to spoof, you have to know which MAC address to spoof, and there is quite a large address space.

    So, are MAC filters any less/more secure than WEP?
    • Re:Question (Score:3, Informative)

      by ericpi (780324)
      I believe MAC filters are inherently less secure than encryption: The MAC addresses, I believe, are sent in the clear (i.e., not encrypted), so all someone has to do is listen to which devices are already operating on the network, then spoof their MAC to match.
      • Yes, but as far as I've seen, a (whitelist) MAC filter prevents anything not on the list from receiving any acks. So you wouldn't be able to listen to see what MACs are available, right?
        • Re:Question (Score:4, Informative)

          by ericpi (780324) on Wednesday September 01, 2004 @09:47PM (#10134725)
          At first, you don't transmit anything. (Since, as you point out, the whitelist would prevent the access point from responding to you, anyway.) However, you just listen to the existing legitimate traffic. Then clone your device with the same MAC as one of these legitimate (and already on the whitelist) devices.
          • Yes, OK, I understand now. You would need special equipment, I imagine, unless there is a way to get a standard card to listen to all traffic on a given channel. But this would still make it easier than WEP. So I guess that answers my question.
            • As I understand it (I'm not really a network geek, so I could be wrong here), ARP poisoning is an easy tactic to start getting data from any machine with a signal strength that can reach you.

              Here [securitywarnings.com] is a description of what it entails.
            • Re:Question (Score:2, Informative)

              by Minna Kirai (624281)
              You would need special equipment, I imagine,

              Nope.

              unless there is a way to get a standard card to listen to all traffic on a given channel

              Yep. Lots of normal cards can do this easily. The rare cards that can't are considered "crippled". A few cards can collect more than 1 channel at once.
      • by jonabbey (2498) * <jonabbey@ganymeta.org> on Wednesday September 01, 2004 @09:57PM (#10134799) Homepage

        I believe the AES implementation they are using actually does encrypt the ethernet (MAC) address, unlike WEP. (See Tying It All Together in this article [windowsecurity.com] for corroboration of that.)

        WPA2 with AES is the real deal.

        • So what you're saying is that they are creating another layer on top of Ethernet? Well then I don't see how it could be backwards compatible, unless this behavior could be turned off when it is being used with older equipment.
          • The negotiation is done in hardware, so if drivers are implemented correctly all the OS sees is another ethernet device with a possible extra set of status information and twiddles.

            This is how some hardware SSL accelerators work as well.

            Although you are correct in the fact that the encryption standards are not compatible with each other.
    • MAC filtering is way less secure than WEP, and requires about 30 seconds to bypass. In addition your data is all transmitted in plain text when you don't use WEP. The only thing MAC filtering will prevent is random clients from associating (who don't have the tools needed to sniff the MAC out of the airwaves, change their MAC, then associate.)

      1. You can still see the data in the air, unencrypted, when MAC filtering is used.
      (Kismet will do this for example...)

      2. The MAC address is transmitted in plain text
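
Several comments above note that a MAC whitelist can be bypassed by cloning an address seen on the air. The following added example (not part of the original thread) shows one way a defender can notice two radios sharing one MAC address, by checking the 12-bit 802.11 sequence numbers in monitor-mode observations; the sample observations, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

SEQ_MODULUS = 4096     # 802.11 sequence numbers are 12 bits and wrap at 4096
MAX_FORWARD_GAP = 64   # assumed tolerance for frames the monitor missed
MIN_ANOMALIES = 3      # assumed: ignore a single counter reset (e.g. a reboot)


def forward_gap(prev_seq, cur_seq):
    """Distance from prev_seq to cur_seq going forward, with wrap-around."""
    return (cur_seq - prev_seq) % SEQ_MODULUS


def find_shared_macs(observations, max_gap=MAX_FORWARD_GAP,
                     min_anomalies=MIN_ANOMALIES):
    """Return MACs whose sequence numbers keep jumping between two counters.

    observations: iterable of (source_mac, sequence_number) in capture order.
    A single transmitter counts upward by one per frame (retries repeat the
    number), so repeated large jumps suggest two radios using the same MAC.
    Assumption: one counter per MAC. QoS traffic keeps a counter per TID,
    so a real capture should be keyed on (mac, tid) instead.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for mac, seq in observations:
        mac = mac.lower()
        if mac in last_seq and forward_gap(last_seq[mac], seq) > max_gap:
            anomalies[mac] += 1
        last_seq[mac] = seq
    return sorted(m for m, count in anomalies.items() if count >= min_anomalies)


def build_sample():
    """Constructed observations, not taken from a real capture."""
    obs = []
    # Station bb: normal traffic that wraps from 4095 back to 0.
    obs += [("02:00:00:00:00:bb", s % SEQ_MODULUS) for s in range(4090, 4102)]
    # Station cc: the monitor missed some frames (small gap), still one radio.
    obs += [("02:00:00:00:00:cc", s) for s in (500, 501, 530, 531)]
    # Station dd: one counter reset, below the anomaly threshold.
    obs += [("02:00:00:00:00:dd", s) for s in (2000, 2001, 5, 6)]
    # Station aa: two radios with independent counters, interleaved.
    for i in range(6):
        obs.append(("02:00:00:00:00:AA", 100 + i))
        obs.append(("02:00:00:00:00:AA", 3000 + i))
    return obs


if __name__ == "__main__":
    for mac in find_shared_macs(build_sample()):
        print("possible cloned MAC:", mac)
```
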
  • Good (Score:3, Funny)

    by ergo98 (9391) on Wednesday September 01, 2004 @09:36PM (#10134633) Homepage Journal
    I feel I speak for wireless users everywhere when I say "Good". What more is there to say?
    • Re:Good (Score:3, Insightful)

      by SoSueMe (263478)
      I feel I speak for wireless users everywhere when I say "Wha?"

      Sadly, this is more prevalent than we like to think.
  • overhead (Score:4, Interesting)

    by a3217055 (768293) on Wednesday September 01, 2004 @09:36PM (#10134634)
    All these new ways of encrypting data over wireless are great. Security of data is a good service. But how much will it cost? Do you need more expensive hardware to create such encryption? Will there be a loss of performance and other related factors? These are important and must be tested before we start saying that WPA2 is the world's greatest thing for wireless encryption.
  • WPA2? (Score:3, Informative)

    by Trygve (75999) on Wednesday September 01, 2004 @09:37PM (#10134645)
    Correct me if I'm wrong, but isn't WPA2 just the WiFi Alliance being stubborn about what to call 802.11i? I mean, WPA was just supposed to be 802.11i minus everything that required hardware upgrades. WPA2 is just 802.11i, only not a real standard, ooh boy!
    • Re:WPA2? (Score:5, Informative)

      by lizrd (69275) <adam@bu3.14mp.us minus pi> on Wednesday September 01, 2004 @10:05PM (#10134856) Homepage
      Not exactly. Wi-Fi/WPA/WPA-2 are all industry standards based on the various 802.11? IEEE standards. The difference is that WECA (Wireless Ethernet Compatibility Alliance) actually does testing rather than just publishing standards like IEEE does. In order to get the fancy sticker on the package you need to pay a couple of grand and get your product tested to the standards. The benefit of certification is that you have some idea that the product was actually implemented to the standard correctly.

      That said, WPA-2 provides basically zero benefit over WPA. WPA relies on the same RC-4 algorithm as WEP, but has a few patches put in place to resolve the problems it had. The most important one is using a new key for each frame. Given a choice between an algorithm that can be broken given 11MB of data and one that has no known attacks, do you think that it matters which you use to encrypt 1500 bytes? Not really.

      The good news about WPA-2/802.11i (same thing, just certified and a less scary name for the PHBs) is that it breaks hardware compatibility, and that means there's a chance that things have been done right this time.

  • by Anonymous Coward on Wednesday September 01, 2004 @09:39PM (#10134658)
    All of the known WEP attacks are based on receiving weak IV frames (usually after sifting through gigabytes of data). Modern WiFi chipsets (i.e., those made within the last 2 years or so) do not send weak IV frames all that often, if at all.

    It is not as easy as everyone says. Try it with some brand-new, high quality equipment and you may be surprised at the result.

    • I just set up a wireless access point in the conference room at my company's headquarters. Not my idea but when the CEO wants to use his Centrino notebook's wireless it's move or be moved. Anyway, they wanted to leave it open and just turn it on when needed but I talked them out of that. Instead I set it up with 64bit WEP. The AP supports 128 bit but getting them to all key in a huge hex pass isn't going to fly. Haven't figured out how to get the passphrase to parse on XP SP1. SP2 looks nicer. Anyway all the wif
      • I'd set up at least PPTP VPNs. If not, then IPSec and an IDS. Explain it to them thusly: If you get owned, not only do you have to figure out what the hell happened (before it happens again), but you have to repair and replace a lot of data. I just lost a router and have yet to perform forensics on it to determine exactly WTF went wrong, but it looks like a trademark script kiddie attack, which is dirty and it pretty much wasted that box. And this is just my house where it might take me an hour to get it b
      • Is the AP connected to your internal network behind your firewall?

        If so, you should lay on the best encryption you have. If you can see other APs on the block, they can see you, too. You don't want someone to come in and rifle through your network, or release a worm or whatever. It is prudent to consider anything connected to the AP as untrusted.
        The best solution, in my mind, is to put a firewall between your APs and your internal network, and allow only VPN access to your internal net. A few steps back in
    • All of the known WEP attacks are based on receiving weak IV frames (usually after sifting through gigabytes of data). Modern WiFi chipsets (i.e., those made within the last 2 years or so) do not send weak IV frames all that often, if at all.

      That's actually not true. There were certain attacks that relied on weak IVs. So manufacturers stopped sending out the weak IVs--which means the keyspace is reduced and now other attacks are more feasible. I don't know of a script kiddie tool to do this, but there hav

  • Hmm (Score:4, Interesting)

    by Mattwolf7 (633112) on Wednesday September 01, 2004 @09:39PM (#10134659)
    I doubt this is going to take off, since we have enough problems with people enabling protection in the first place. Unless companies start requiring it, which won't happen because my local ISP gives you a wireless access point with service. But they do not enable WEP or any encryption on the devices.

    Oh well mine is enabled


    • Re:Hmm (Score:5, Insightful)

      by gad_zuki! (70830) on Wednesday September 01, 2004 @09:50PM (#10134763)
      >Unless companies start requiring it

      That's a bit out there. Do you really want the ISP doing what they think is best for you (or them)? "Oh, so you're running a webserver." Block port 80. "Oh, so you aren't using Microsoft's Firewall?" It gets installed by a tech and they charge you 50 bucks for the trouble, even though you have a hardware firewall, etc. Trust me, you don't want to be punished by rules set for the lowest common denominator.

      The problem here is the problem we see everywhere when it comes to computers: usability. WEP is counter-intuitive to implement. WPA is a step in the right direction with a single password (as people understand the concept of passwords). The new MS wireless manager in SP2 goes a long way to simplifying wifi also.

      Make no mistake about it, there are a lot of people who tried to get WEP to work only to have it fail. I know I've had bizarre issues with WEP that could only be fixed with a hard reset on the device and falling back to default settings, a firmware downgrade, upgrading firmware on the card, generating new keys every so often because the thing just didn't like the old ones, playing around with advanced wireless settings, etc. I don't think that level of troubleshooting should be expected from a typical end user.
      • by afidel (530433)
        Yes, yes I do. I WANT the default to be secure. I want them to block outgoing port 25 traffic except when asked by a customer with a listed SMTP server. I WANT them to set up WEP at a minimum, and preferably WPA by default. People who know well enough to turn off the security features will do so when they feel it is appropriate and the great unwashed masses will be protected from their ignorance. It's the same reason I applaud Microsoft for turning off almost all services by default in Server 2003, and turnin
  • So... (Score:4, Interesting)

    by NETHED (258016) on Wednesday September 01, 2004 @09:39PM (#10134661) Homepage
    So now instead of just a few hours with a current computer, it will take a bit longer, maybe a week or something. Then someone will figure out that the key string is MAC dependent based on time signatures, or something, and there we go, no more security.

    I have no illusions about the "security" of WiFi, no matter how encrypted it may be. The signal is traveling through open space for anyone to look at, and if you look at enough of the signal, you can find the pattern. This just increases the processing power needed by the AP and card, further pushing the development of more advanced procs. (Don't get me wrong, I'm all for this.)

    I understand that corporations are interested in this for security, but for an average Joe like me, I keep my access point wide open for anyone to use. If you want to look at my GF's recipes or our photos, go right ahead.

    Security is only as important as you make it to be.
    • Re:So... (Score:2, Funny)

      by Anonymous Coward
      The signal is traveling through open space for anyone to look at, and if you look at enough of the signal, you can find the pattern.
      Thanks for letting us know you don't have the slightest clue how encryption works. Now go play in your room, we're talking about grown-up things.

      ;)

    • While this might be a long shot, what if your neighbors decide to steal Internet access from you? What if they decide to use that access for illegal activities? If and when the FBI/police trace that stuff back to your IP, it will be you in custody, and your PC(s) taken away. Do you really trust your neighbors?
      • Then point to the logs the AP prolly keeps as to when various people connected using it, and say "Hey, wasn't me." There's at least an easy way to deny it.

        If you have the thing encrypted up the wazoo, and they break it, then the courts are going to say "Sorry, not possible. It's using really good encryption."

        If you're really worried about trusting your neighbors, then give them free access to it, and limit their speed somehow so it doesn't bother you. Voila, you're a carrier with no knowledge of what t
        • Then point to the logs the AP prolly keeps as to when various people connected using it, and say "Hey, wasn't me." There's at least an easy way to deny it.

          Many consumer-grade APs don't keep logs, and those that do have the feature disabled by default. Usually these logging features involve dumping the log to a certain port on a PC, so that would mean having another machine running all the time with software to receive and store the logs.

          If you have the thing encrypted up the wazoo, and they break it

    • Re:So... (Score:3, Insightful)

      by Vellmont (569020)
      Wow. You certainly have put the security researchers in their place with that "or something". The truth is that if implemented properly you can have highly secure communications while anyone can monitor those signals.

      It remains to be seen if this is the case, but if you really want security use proven technology like SSH or a well implemented VPN.
    • Re:So... (Score:3, Funny)

      by Agent Green (231202) *
      If you want to look at my GF's recipes or our photos, go right ahead.

      Actually, we just want to see her photos. :)
    • Actually... (Score:5, Insightful)

      by TPS Report (632684) on Thursday September 02, 2004 @02:20AM (#10136125) Homepage
      ...keep my access point wide open for anyone to use. If you want to look at my GF's recipes or our photos, go right ahead.


      Yesss.. that sounds like a great idea.

      However, if you don't mind, I think I'll skip all the "take a look at my recipes" formalities and go straight to

      - sniffing your email passwords,
      - reading your email,
      - sending email under your account from your IP,
      - using your wireless access point to spam,
      - surf some underage porn using your IP,
      - seed my "next big worm" from your connection,
      - browse/sample your internal network from the IP your WAP so conveniently gave me,
      - and finish up by making various explicit threats against the president on the newsgroups while simultaneously using your cable connection to make VoIP calls to the NSA and reading them some of your previously mentioned fine recipes.

      I almost forgot to say thank you for the free access point. Where are my manners...
      ;)
  • Is this a software protection? A firmware protection? Will older devices be able to connect to WPA2 networks? That article is a bit... scarce on the details.
  • by the_denman (800425) <denner@gmail. c o m> on Wednesday September 01, 2004 @09:40PM (#10134667) Homepage
    Using 128 bit encryption on most residential points will take several weeks of listening to break (correct me if I am wrong here). Shouldn't we concentrate on convincing users on just doing something?
    • It depends on the access point, some older ones from a few major manufacturers are vulnerable to a Newsham (I think I got that right) attack, you can get a key off of those with relatively few data packets, not that I have ever done that ;-). That said, you are right, a 128 bit key changed weekly will be very hard to crack given the light usage by most residential users.
    • by gad_zuki! (70830) on Wednesday September 01, 2004 @09:55PM (#10134790)
      > on most residential points will take several weeks

      Try months (and that's on old equipment with no firmware upgrade to filter out weak frames). Try not getting spotted sitting there with your laptop and running airsnort all day.

      Do these WEP fatalists also refuse to lock their cars/house doors because anyone with some skill and one easily gotten tool can open their doors? Do these people also make their own padlocks in their basement because every manufacturer has a master key? Do these people also use blank passwords because cracking NTLM or most passwd files is very doable, etc.
      • Do these people also make their own padlocks in their basement because every manufacturer has a master key?

        Warning: Geek nit-picking ahead!

        I have taken a few padlocks apart, and have never seen the pins have more than one break. That means that there is no master key for the padlock.

        I'm not saying that it is impossible to have a padlock with a master-key, but that every padlock that I've seen has no master key.

      • Do these WEP fatalists also refuse to lock their cars/house doors because anyone with some skill and one easily gotten tool can open their doors?

        The problem lies more with people who say "we're already using WEP, so why enforce SSH/IPSEC/VPN?" People should think of WEP as a minimal "better than nothing" layer to keep casual visitors out while the real strong encryption protects from the more advanced crackers, but that's not usually what happens.

        I'd rather build the entire network to be safe with WEP

      • Do these WEP fatalists also refuse to lock their cars/house doors because anyone with some skill and one easily gotten tool can open their doors?
        No, we don't use Wi-Fi at all because we don't trust it yet. Until we are sure that it is ready we continue to use wired networking.
  • If there's one place closed source is on the level with open source, it's when the entire package has been validated by the folks at NIST under the FIPS 140 program.

    http://csrc.nist.gov/focus_areas.html#cryptographic
  • Flaw fixed? (Score:4, Interesting)

    by sploo22 (748838) <dwahler AT gmail DOT com> on Wednesday September 01, 2004 @09:43PM (#10134692)
    One of WEP's biggest design flaws has been that all data is encrypted with the same key. Sure, there needs to be some shared secret for authentication, but the actual data transfer should use a negotiated key known only to the user and the AP. WEP is all right for authentication, but when it comes to security it's useless against other authenticated users.

    It wouldn't be a bad idea to use something like this for non-broadcast Ethernet either, now that I think of it.
    • For a small or home network with trusted users, sharing the key works just fine. For larger networks, you would still want to secure the wireless access itself and also use IPSec [webopedia.com] to secure users from each other. This is as true for a wired network with a large user population as it is for a wired network (remember packet sniffers and switch hacks?) IPSec is standard with IPv6 [wikipedia.org] and can also work with IPv4 (the "regular" internet).
      • For a small or home network with trusted users, sharing the key works just fine

        The point, though, is that if you use the same key all the time an attacker has even more time to crack the encrypted data stream. OTOH, if you only use the preshared key for negotiating a new session key, it becomes a lot more difficult for an attacker to sample enough encrypted material to perform a proper attack.
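
The distinction drawn above, a long-lived shared secret versus a key negotiated per session, is how WPA and WPA2 pre-shared-key mode work. This added example (not from the original thread) derives the pairwise master key from a passphrase and then a fresh pairwise transient key from per-association nonces, following the 802.11i derivation; the MAC addresses and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """Pairwise transient key. Both sides sort the MACs and nonces the same
    way, so access point and station compute an identical result."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """CCMP layout: key-confirmation key, key-encryption key, temporal key."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def associate(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> dict:
    """Simulate one association: each side contributes a fresh random nonce."""
    anonce = os.urandom(32)   # chosen by the access point
    snonce = os.urandom(32)   # chosen by the station
    return split_ptk(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))


if __name__ == "__main__":
    # Passphrase and SSID are the published 802.11i test-vector inputs;
    # the MAC addresses are constructed, locally administered values.
    pmk = pmk_from_passphrase("password", "IEEE")
    ap = bytes.fromhex("020000000001")
    sta = bytes.fromhex("020000000002")
    first = associate(pmk, ap, sta)
    second = associate(pmk, ap, sta)
    print("PMK (same for every session):", pmk.hex())
    print("TK, association 1           :", first["tk"].hex())
    print("TK, association 2           :", second["tk"].hex())
```

In pre-shared-key mode every holder of the passphrase shares the same PMK, so isolating authenticated users from each other calls for per-user credentials such as the 802.1X setups mentioned elsewhere in this thread.
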
    • Cisco LEAP fixed that flaw a long time ago by using per user dynamic WEP keys, so does WPA 1 and 802.1x. Hell, WPA provides for per packet keys if the hardware can do it, so cracking the WEP is basically impossible and superfluous. Btw 802.1x is not specific to the 802.11 suite, it can be used on 802.3 wired ethernet as well (hell, it can be applied to just about any medium).
    • Didn't you just basically describe PGP? Wouldn't that do? In fact why wasn't that the first place they looked? RSA too resource demanding?
    • Re:Flaw fixed? (Score:3, Informative)

      by MoralHazard (447833)
      It wouldn't be a bad idea to use something like this for non-broadcast Ethernet either, now that I think of it.

      Um, yes, it WOULD be a bad idea. WEP/WPA/WPA2 are all server-client protocols, in that they encrypt transmissions between a number of remote clients and a single central point. In order to make the analogy hold to wired Ethernet, you would have to make every Ethernet switch/hub/router support the crypto interaction with clients. As well as replacing every NIC in existence.

      And even then, the e
  • 802.1x (Score:3, Interesting)

    by Anonymous Coward on Wednesday September 01, 2004 @09:43PM (#10134693)
    Our network uses a 802.1x system with dynamic WEP keys.. the system requires you to re-authenticate (handled automatically by 802.1x client software) with a randomly generated key every 15 minutes.

    What is the real advantage to WPA here?
    • Re:802.1x (Score:5, Interesting)

      by ImaLamer (260199) <{john.lamar} {at} {gmail.com}> on Thursday September 02, 2004 @05:08AM (#10136694) Homepage Journal
      Why not solve the problem by putting another line of authentication in place?

      My school *shudder* has access points in many of the labs but after a student said he was going to "hack" into it there was a simple warning:

      1. We know the MAC address to every computer in the building...
      2. We keep logs of MAC addresses that don't match our set (apparently he went around reprogramming the MAC addresses to a now defunct card maker's line for easy log watching, except for one lab which was un-re-programmable)
      3. Breaking the WEP key is a crime, during the investigation we will try to track your MAC to you (hope you didn't pay with a credit card - you're breaking into "protected" systems, in fact a federal crime)
      4. You can't get anywhere, you must authenticate through the NT (blah) server for network access
      5. It's pointless


      Really, it made sense. He simply stated that there was no point in getting a signal without access rights. The man's first job was to secure the wired network. Once the AP's were put in, it wasn't a problem.

      Could you run wild on your company's network by just plugging into the next available switch?

      If so, fix that problem first.

  • Or do we have to buy new products ?

    I'm finding those wireless encryption things to be a load of bullshit.

    It seems like every time they finally seem to get the crypto part down (WPA), we get something new (WPA2). I think I'll wait for WPA12938491849034 before upgrading any of my hardware.

    Thankfully we have IPsec. (if only the OS-X version didn't suck so much)

    Sunny Dubey
    • The original design specs for WPA included the ability to flash/BIOS upgrade the code on the wireless adaptor to support these newfangled protocols... pending the original hardware has the processing ability to support the new stuff (256 bit AES encryption, e.g., might be difficult on really early adaptors)... although I might add AES encryption is actually less CPU intensive than, say, WEP, but it could remain a problem.

  • WPA-2 with AES 256bit encryption and Protected Extensible authentication protocol (PEAP).

    Deal.

    I still prefer a wired connection.
  • Pointless.. (Score:5, Insightful)

    by mcknation (217793) <nocarrier AT gmail DOT com> on Wednesday September 01, 2004 @09:47PM (#10134735) Homepage

    As long as these access points are shipped with encryption turned *OFF* by default this is like pissing in the wind. It could be 1 billion bit one time pads and wouldn't make any difference. In my neighborhood there are 10 unencrypted networks....all on the default channels. Out of the box straight onto the network is how they are set up. Joe Sixpack doesn't have time to deal with encryption.

    *don't worry much residential war drivers..there will still be free lunch for a long time to come... /-McK
    • All of the 2Wire routers I've seen, which are, I think, distributed by DSL providers, seem to have WEP turned on.

      So some provider is doing something right.
    • Re:Pointless.. (Score:4, Insightful)

      by subreality (157447) on Wednesday September 01, 2004 @10:45PM (#10135059)
      Not pointless.

      Even if it's turned off by default, the ability to turn on good crypto is perfectly useful.
    • Amen Brother. Having just completed a 2½ week roadtrip in California, it never took us any longer than 20 minutes to locate unencrypted WiFi internet access, no matter the town. The option of good security is great, but don't expect the sheeple to start thinking just because of that.
    • Joe Sixpack doesn't have time to deal with encryption.

      It might be more accurate to say "Joe Sixpack won't set aside the time to learn how to properly use the really complicated technology he buys".

      I mean, really...if the huddled masses had their way, there'd be one really big red button on a computer that says "do what I want" on it. You and I both know it's not really that easy, although companies love to spend big bucks on marketing to try to convince people that it is that easy.
    • As long as these access points are shipped with encryption turned *OFF* by default this is like pissing in the wind. It could be 1 billion bit one time pads and wouldn't make any difference. In my neighborhood there are 10 unencrypted networks....all on the default channels.

      You make it sound like this is the end of the world. What's the point of turning on encryption if you're not trying to hide anything? So what if somebody can see what porn site you're surfing... And if you're sending confidential data y
  • by z3021017 (806883) on Wednesday September 01, 2004 @10:15PM (#10134913)
    People talk about WPA security and how it's important, but the fact is most home users don't even change the default password for their wireless routers.
    • People talk about WPA security and how it's important, but the fact is most home users don't even change the default password for their wireless routers.

      There is a difference between not having a technology and not using it. The difference is that people who want to use it can if it's available, while no one can if it's not.
      • Most home users don't care if they get the 'source code' to their 'operating system' but some of us appreciate that option. I want the option to affordably secure my data wirelessly.
  • by Powertrip (702807) * on Wednesday September 01, 2004 @10:16PM (#10134917) Homepage Journal
    So this means to take advantage of the latest security, I would again have to upgrade all my APs and clients... $ $ $ When will this whole industry be commoditized enough that we have 'soft' radios for wireless (like AC97 Audio) that allow us more flexibility in upgrading older hardware to newer standards? Heck, with a true soft-wireless chipset we could use one RF device for WiFi and Bluetooth and whatever they dream up next...
  • by ProfMoriarty (518631) on Wednesday September 01, 2004 @10:29PM (#10135001) Journal
    Are we for encryption ...

    or against [slashdot.org] it?

  • Link level security is fairly useless. It's fine for the average user, but the average user doesn't know how to turn it on. It would be great if there was some kind of auto-negotiated application layer security. Like IPSec that has the user transport a USB dongle with the keys or something. This is just frivolous.
  • by Anonymous Coward
    There are still so many devices that don't support WPA one.. Tivo, I'm looking at you. All this nonsense about a supplicant this and that. When is Tivo going to get on the WPA 1 train?

    To me the chief advantage of WPA is a human readable password.

  • its about time (Score:3, Insightful)

    by presmike (754040) on Wednesday September 01, 2004 @11:56PM (#10135368)
    You guys can piss and moan all you want but AES is rock solid. This is a great solution for those who don't have time, resources or knowledge to use 802.11x with RADIUS. Finally a secure encryption scheme for home users who know absolutely nothing about encryption and how it works. I give it 2 thumbs up :)
    • Re:its about time (Score:2, Insightful)

      by Gollum (35049)
      Don't assume that because they are buzzword compliant (AES 256-bit encryption!!!) that they have implemented it correctly.

      That was the first mistake which led to all the war-driving originally - early WEP implementations used good algorithms, but chose a weak Initialisation Vector, which made it easier to decrypt the traffic.

      Let's hope that they've learned their lesson this time, and aren't just trying to get people on the upgrade cycle again - WEP -> WPA -> WPA2 -> when will it stop?!
    • Substitute a hypothetical Perfectly Unbreakable Cipher (PUC) for AES and I'd still disagree with you.

      Suppose that a frame looked like this:

      field0: 16 bytes: address
      field1: 4 bytes: timestamp
      field2: 1024 bytes: message
      field3: 32 bytes: checksum

      Now, suppose a chipset is specced to implement:

      encryptFrame(frame):
          return field0 + field1 + PUC_encrypt(field2) + field3

      decryptFrame(frame):
          return field0 + field1 + PUC_decrypt(field2) + field3

      However, their c0d3r is an off-by-one idjit and really implements

  • WEP security (Score:2, Insightful)

    by rips123 (654488)
    WEP is a LOT more secure than people imagine these days. Most APs and clients refuse to use weak IVs, making the statistical attack used by Airsnort and other apps effectively useless.

    There's a very small minority of people still using weak 64-bit ASCII key generator algorithms that were found to be only 21-bits of effective keyspace. These can be cracked offline in about 15 seconds with a single encrypted frame but other than that, offline cracking of WEP is still a hard thing to do (from a practical poin
  • VPN (Score:3, Insightful)

    by mrph (708925) on Thursday September 02, 2004 @05:57AM (#10136852) Journal
    Why not just set up a VPN? For example, OpenVPN [sourceforge.net] is quite easy to configure and maintain, and also allows for a variety of client systems to connect.

    I'm thinking of setting up a small WLAN using old equipment that I can get almost for free. I would just plug another NIC in my OpenBSD firewall and keep nothing but the necessary ports for the VPN open. There's a broad range of encryption and authentication methods available, and if the one I use would be too weak, I could just change to another one instead of having to buy new hardware such as PCMCIA cards, APs etc.

  • by DrXym (126579) on Thursday September 02, 2004 @09:40AM (#10138006)
    Will hardware and software makers actually make it easy to use the crypto?

    If you use WEP at the moment, some operating systems will prompt you to enter the key. Not the passphrase, but the digested key. So even though I know the passphrase, I must type 26 characters of hexadecimal into my iPaq with a stylus. Linux is no better for wireless and the last time I looked required hex too. Linux is particularly lousy if you use more than one WLAN since all the dists I've tried only store the details for one of them.

    It is absolutely ludicrous. XP doesn't do that and I doubt (though I haven't tried) that OS X would either.

    Given that, it would not surprise me that of those who even know to enable crypto if half don't just give up or use MAC filters or no security at all.

    My preference would be whatever standard they choose be mandated to use crypto by default - and by virtue of the even longer key length it will force software makers to improve their support for it.
