Re: How secure is the WPA-PSK wireless encryption

astiglic_at_okiok.com
Date: 01/13/05


Date: 13 Jan 2005 06:03:17 -0800


Martin Bodenstedt wrote:
> Sebastian Gottschalk wrote:
> > Martin Bodenstedt wrote:
> >>
> >>But a dictionary attack is not "Brute Force"...
> >
> > TKIP was created to avoid such attacks at all...
>
>
> ... and wisely chosen keys will!

The best protection is to use 802.1x with a RADIUS (or TACACS+ or
whatever) that generates a session key and sends it to the wireless
device via an encrypted tunnel (and changes the session key
periodically). This type of authentication is based on EAP (Extensible
Authentication Protocol), and there are many flavors. My favorites are
PEAP and EAP-TTLS; both establish a TLS connection with the RADIUS
server and then do an EAP authentication to authenticate the user. The
difference between PEAP and EAP-TTLS is that EAP-TTLS supports more
authentication protocols (but PEAP supports a good share: EAP one-time
passwords, EAP generic token card (think SecurID) or EAP MSCHAPv2).
PEAP was developed by Cisco, Microsoft and RSA Security, EAP-TTLS by
Funk Software and Certicom; both have been submitted to IETF.

The problem with PSK (Pre-Shared Key) is indeed the fact that most
devices implement it by generating the pre-shared key derived from a
password, and it is thus vulnerable to a password search attack
(dictionary attack). Even if you use TKIP, with TKIP there is a
four-way handshake that is done in order to establish a session key;
you can sniff this and use it as a basis for your dictionary attack
(brute force can also work if you think the person chose a very weak
password). The attack can be done offline once the packets have been
sniffed.

If you don't have 802.1X, and you can't generate a random key directly,
that is if you must enter a password that will be used to derive the
key, choose a very strong password (passphrase if possible).

Most devices implement the key derivation based on PKCS#5 PBKDFv2, but
I seem to remember that there was some publication about devices that
implemented a weak key derivation function which made things much
worse.

Also note that WPA has 2 "modes", backwards compatibility mode where it
uses WEP-TKIP, and AES-CCM; make sure you use AES-CCM, it seems to be
better (based on a better design which is probably more secure, it uses
a MAC based on AES and not Mike).

A good book on the subject of 802.11 security is Wi-Foo, there happens
to be a free chapter that discusses the vulnerability of PSK, see the
section Cracking TKIP: The New Menace:
http://www.wi-foo.com/wi-foo_samplechapter.pdf

There is also a bunch of information on the web about 802.1X, PEAP,
EAP-TTLS, TKIP, WPA/WEP, etc.

--Anton
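
An added example, not part of the original post: the PBKDF2 passphrase-to-key mapping mentioned above (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), next to the two safer ways of choosing the key that the post recommends. The function names and the 62-character generator alphabet are assumptions made for this sketch.

```python
import hashlib
import math
import secrets
import string

# Assumption of this example: generate from letters and digits only, so the
# passphrase is easy to type on any device. WPA itself allows printable ASCII.
GEN_ALPHABET = string.ascii_letters + string.digits


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """Map a WPA passphrase to the 256-bit pre-shared key (PBKDF2, SSID as salt)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def random_psk_hex() -> str:
    """Random 256-bit key as 64 hex digits, for devices that accept the key directly."""
    return secrets.token_hex(32)


def random_passphrase(length: int = 22) -> str:
    """Random passphrase for devices that only accept a passphrase."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))


def passphrase_bits(length: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly from GEN_ALPHABET."""
    return length * math.log2(len(GEN_ALPHABET))


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", b"IEEE").hex())
    # The SSID is the salt: the same passphrase on another network name yields
    # another key, so a common default SSID weakens the salting.
    print(derive_pmk("password", b"IEEE-guest").hex())
    print(random_psk_hex())
    print(random_passphrase(), round(passphrase_bits(22), 1), "bits")
```

The derivation adds no entropy: the key is only as hard to guess as the passphrase, which is why a 22-character random passphrase (about 131 bits) or a directly generated 64-hex-digit key is the safer choice.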


