Slashdot Mirror


Wireless LAN Encryption Standard Broken

doug13 writes: "A Rice University student cracks 802.11x encryption protocol in a week. Here is how he did it." We mentioned the cryptographic paper that underlies this attack a few days ago.

320 comments

  1. Re:Why isn't crypto module flash upgradable? by ethereal · · Score: 2, Informative

    There's no reason it has to be OTA programmable; requiring that the user physically possess the device should be a reasonable level of security.

    The problem is that on a large network, you have to get all of the equipment working with the same encryption scheme. As the number of nodes increases, it's tough to move everyone up to the new scheme at the right time. So you've basically reinvented the key management problems that the military has with their secure radios, for example. There are ways around this, but they're generally going to make the card more expensive and move it out of the range of your average business or college campus that's using 802.11b.

    --

    Your right to not believe: Americans United for Separation of Church and

  2. Re:different encryptions by Anonymous Coward · · Score: 0
    At that point, another weakness allowed the extraction of more keys -- I don't know if that was a protocol or algorithm problem.

    An algorithm problem. See my description here.

  3. Don't Tell Me that 802.11b by robbyjo · · Score: 1

    Has another lame encryption scheme comparable to ROT-13...

    Anyway, wireless comm is inherently insecure: anybody could wiretap the communication whether it's encrypted or not. We just need a stronger form of encryption. Probably the Wireless net should use RSA or other 1024-bit or better encryption scheme. Or... employ some protocol typical to OpenSSH...

    I'm sure that people under this standard board are aware of such issues, but why don't they just apply some strong and well-known encryption scheme? It seems that they just want to reinvent the wheel (or is there anything fishy down there?). Oh well...

    --
    Error 500: Internal sig error
    1. Re:Don't Tell Me that 802.11b by Anonymous Coward · · Score: 0

      "should use RSA or other 1024-bit or better encryption scheme."

      Had you read the article you would know that this was a 2048-bit encryption scheme. Bumping up the size of the key does no good when there are fundamental security flaws in the algorithm (as there were here).

  4. Re:802.11a smaller, faster, better by rawkphish · · Score: 1

    IEEE 802.11a is standard compliant up to 54 Mbps, now who is the troll ?

  5. Re:might be a good thing by Corrado · · Score: 1

    That should probably be a jackpot that decreases on a daily basis.

    --
    KangarooBox - We make IT simple!
  6. Re:It would mean free access... by Bob+McCown · · Score: 1

    Hell, you can get free access just about anywhere in the city. Take a laptop and an 802.11 card and wander from Harvard Square down towards MIT...

  7. Re:damnit by Anonymous Coward · · Score: 0

    arrest him for what? he hasn't broken the DMCA, this has nothing to do with copyrights.

  8. Retake by einhverfr · · Score: 3, Funny

    Sorry to respond to a troll, but you got it wrong.
    Should read:
    Your comments are DESpicable.
    Why?
    Because you have no IDEA how SSH works, but you assume you do.
    You are a BLOWFISH.
    Sorry, could not find a way to work in 3DES, RC4, or RSA into this picture...

    --

    LedgerSMB: Open source Accounting/ERP
  9. Re:Why isn't crypto module flash upgradable? by Zoinks · · Score: 1
    I don't think it's overstating the problem to say that RC4 was cracked. I agree that it applies to this usage of RC4, but there are other encryption techniques, like DES, that can be used with a nonsecret init vector, which do not provide a "crack" to the encryption, or at least haven't been discovered yet. One example: APCO-25, a digital radio standard for public safety use, uses DES as a PRNG initialized by a nonsecret IV. I am not an expert, but "cracking" this use of DES would be the equivalent of cracking DES used in electronic codebook mode (ECB) with a known plaintext. And that has not happened yet (brute force != crack).

    ...this attack doesn't necessarily mean that SSL sessions using RC4 can be read

    The key word is "necessarily." If SSL uses a nonsecret IV of any kind, then we're hosed. I don't know if it does. On the other hand, it does mean that Netscape's 40-bit encryption is even easier to break because the way they get 40 bit keys is simply by making nonsecret the 128-40=88 remaining bits of a 128 bit key. That's like having an 88 bit IV!

    Disclaimer: I'm not a security expert, but I read a lot of tech stuff on the subject, and I work in wireless LANs.

  10. Re:One solution by Anonymous Coward · · Score: 1, Insightful
    Can I have your staff/ customer list please?

    Then I can associate with your access point, use the microsoft-bug-of-the-day to send a trojan to one of your mobile users, and then use *their* VPN connection to attack your network.

    You *need* end-to-end encryption with strong authentication on *all* media (wired and wireless); it's ridiculous to assume that an end-user's workstation will provide what WEP can't.

    How about adding a wireless IDS, and VPN access routers into your mix?

    And yes, my networks have both, and wired network equivalents, or a NICE BIG FAT SIGNOFF from the client stating that they've chosen to mitigate their risk in other ways.

  11. Re:Go Owls! by Zack · · Score: 1

    I'm an alum as well (WRC BACS/MANA) and actually lived only a few doors down from Adam. Incredibly smart guy.

    I bet this has never been seen on slashdot before: RFR!

    WFR

  12. Re:Attack didn't use that... by ByTor-2112 · · Score: 1

    Unless I am confused, the IV is used to create the packet key. One of the attacks is described as the "known IV attack". Since most cards use an incremental IV sequence, it makes prediction (and if you know encryption, predictability is your worst enemy). Sure you can mount a plaintext attack against it, but you need packets with the IVs that you have decrypted.

  13. Re:different encryptions by Graymalkin · · Score: 1

    Saying it boils down to money and stupidity is pretty obtuse. Using RC-4 is much more practical for intensifying security on a transmission than 3DES merely because 3DES is a computational monster and more data intensive than RC-4. RSA would be a poor choice as well being that RSA is an asymmetric cipher and requires more infrastructure than a symmetric cipher. Symmetric ciphers are sort of natural for 802.11 because your network may be only as complex as two hosts connecting as network peers. Even using the Diffie-Hellman algorithm to build shared secret keys for an asymmetric can be costly in terms of bandwidth and processing. This is something you don't want on wireless components that need to run off laptop batteries and are limited to 11Mbps of bandwidth. Because 802.11b has an IV vector size doesn't mean the original designers don't know their encryption theories, it simply means the original drafters had to work within the constraints of the technology.

    --
    I'm a loner Dottie, a Rebel.
  14. Re:Workaround: Just rekey frequently by mikewhittaker · · Score: 1
    Re-key regularly AND use pseudo-random keys, rather than ASCII strings.

    And on re-reading the paper, I found that the stream generator uses a packet key of IVk, in other words, it uses one of 2^64 or 2^128 cipher streams, not just 2^24 as suggested by Zeinfeld. (IMHO?)

    The flaky IV generation could be handled by a software upgrade, I imagine. This would then spread the IVs out more evenly over the 2^24 number space, and reduce the probability of stream re-use. The IV size is still too low for very high traffic. But I don't know by how much improving the generation would increase the amount of traffic required for a crack - 2^24 ÷ 4 million ?

    The cipher stream might be made less amenable to this attack by using RC4(cf(IVk)k), where cf() is some cryptographic function, possibly RC4 again, but you'd need to be an expert to sort this out!

    This all goes to show that you should have your protocol design and key management audited by an independent expert in the field. A firm I worked with used to use Donald Davies. Sadly he died last year.

  15. You won't find any similarities. by BeBoxer · · Score: 5, Informative

    You won't find many similarities. The paper that you link to documents a number of flaws in the way WEP is used. These are really generic flaws that apply to the use of any stream cipher. They are not RC4 specific, and focus on two main points. One, the IV is only 24 bits, so there are only 2^24 different key streams. Building a dictionary of all of these is quite doable in a reasonable amount of space. Also, the CRC check on WEP encrypted packets is linear. Basically it means that you can flip bits in the packet, and know which bits to flip in the CRC portion of the packet so that it will be accepted as valid. This lets you do things like capture a packet, change its destination address, and resend it. You can use this trick to get the AP to decode the packets for you. Quite slick. I don't know that anybody ever implemented any of these. And again, they are not RC4 specific, and tend to have certain practical problems. You pretty much have to have some knowledge about the network to begin these attacks, such as knowing what addresses are in use.

    The new attack is a whole different game. It's based on a RC4 specific attack published by Scott Fluhrer, Itsik Mantin, and Adi Shamir (the 'S' in 'RSA'). It's titled Weaknesses in the Key Scheduling Algorithm of RC4. I don't have a URL offhand. Basically, RC4 has a lot of weak keys. If one of these keys is being used, then knowledge of a few key bits and the output of the cipher lets you determine a little bit more about the key bits you don't know. They theorized that WEP could be attacked with their method.

    The latest paper discusses implementation of the new RC4 attack. In a nutshell, they could take the knowledge of the IV (which is used as 24 bits of the key) and the first byte of output from the cipher (easy to determine since all the packets are 802.2 encapsulated SNAP packets making the first byte 0xAA in ALL packets) to determine if the key was likely to be a weak key. They would analyze the packets whose IV indicated it is probably a weak key, and use that to determine the most likely value for the 'secret' key bits.

    This is a slick attack for two reasons: it scales linearly with the size of the key. So, a 128-bit key is only about 3 times as hard to crack as a 40-bit key. Ouch. Also, it requires no previous knowledge of the network and is completely passive. Just sniff the packets until you know the key. They found it usually took about five or six million packets.

    So, the newest paper is really new. None of the content is related to the paper you link to. It's not just a rehash. That's the amazing thing about WEP. It doesn't just have problems, it has a lot of them. If I had been on the design team, I would be embarrassed to admit it. Almost every aspect of the protocol is broken. Almost any part that hadn't been probably will be soon.
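
Added example, not part of the comment above or of either paper: a toy WEP-style frame (RC4 keyed with IV||secret, unkeyed CRC-32 as the integrity value) showing why a linear checksum under a stream cipher gives no integrity, next to the same frame protected by a keyed MAC, which rejects the change. The key, IV, frame contents and the HMAC-SHA256 variant are constructed for illustration; the HMAC variant is not what any 802.11 standard specifies.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample values; nothing here comes from a real capture.
SECRET = bytes.fromhex("0102030405")   # 40-bit shared WEP secret
MAC_KEY = b"constructed-mac-key"       # used only by the keyed-MAC variant
IV = bytes.fromhex("a1b2c3")           # 24-bit IV, sent in the clear
FRAME = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"to=10.0.0.5 pay=100"
OTHER = FRAME[:8] + b"to=10.0.0.7 pay=250"   # second frame, same length


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule, then n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_seal(iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return xor(body, rc4_keystream(iv + SECRET, len(body)))


def wep_open(iv: bytes, ciphertext: bytes):
    body = xor(ciphertext, rc4_keystream(iv + SECRET, len(ciphertext)))
    data, tag = body[:-4], body[-4:]
    return data if tag == icv(data) else None


def crc_patch(delta: bytes) -> bytes:
    """ICV change caused by XORing delta into a same-length message.

    CRC-32 is affine over XOR: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0),
    so the change does not depend on m and needs no key.
    """
    return xor(icv(delta), icv(bytes(len(delta))))


def mac_seal(iv: bytes, plaintext: bytes):
    """Same stream cipher, but integrity from HMAC over IV and ciphertext.
    This fixes only the integrity flaw; RC4 keyed with IV||secret stays weak."""
    ct = xor(plaintext, rc4_keystream(iv + SECRET, len(plaintext)))
    return ct, hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()


def mac_open(iv: bytes, ct: bytes, tag: bytes):
    want = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return xor(ct, rc4_keystream(iv + SECRET, len(ct)))


def demo() -> dict:
    # Difference between the original frame and one with a changed address.
    changed = FRAME.replace(b"10.0.0.5", b"10.0.0.9")
    delta = xor(FRAME, changed)

    # CRC ICV: ciphertext and ICV are patched together, no key involved.
    forged = xor(wep_seal(IV, FRAME), delta + crc_patch(delta))
    # Keyed MAC: the same ciphertext change with the old tag is rejected.
    ct, tag = mac_seal(IV, FRAME)

    # Two frames under one IV share a keystream, so the XOR of the
    # ciphertexts equals the XOR of the plaintexts (the 2^24 problem).
    reuse = xor(wep_seal(IV, FRAME), wep_seal(IV, OTHER))[:len(FRAME)]
    return {
        "crc_accepts": wep_open(IV, forged),
        "mac_accepts": mac_open(IV, xor(ct, delta), tag),
        "iv_reuse_leaks_xor": reuse == xor(FRAME, OTHER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The CRC-protected frame decrypts to the altered plaintext and passes its check, while the MAC-protected frame returns `None` for the same ciphertext change.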

  16. Re:It would mean free access... by monkeydo · · Score: 3, Insightful
    If there's no proxy tunneling my SSL connection to www.buystuff.com, then my credit card number will go through the air, completely insecure.

    I'm not sure you said what you meant. If it is an SSL connection to buystuff.com then your traffic is already encrypted. If you introduce a proxy into this you will break the SSL. The salient point about WEP that people tend to ignore is that it is not designed to provide security, only Wired Equivalent Privacy. And indeed, even with the recent announcements 802.11 is at least as secure as running Ethernet cables through your parking lot.

    The problem of being able to access someone else's 802.11 network is totally different than the problems with WEP.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  17. Re:Don't bother with encryption by Anonymous Coward · · Score: 0

    We are all very impressed by your openness.
    Now, please post all your passwords, credit card numbers, and social security number.

    There's a good boy.

  18. Re:Your data is probably still secure. by BeBoxer · · Score: 5, Informative

    What sophisticated equipment? These guys are using a laptop with a $100 802.11b card in it! Any card based on the Intersil Prism2 chipset will work. D-Link, Compaq. There's a bunch of them, and they tend to be the cheaper cards. They happened to use the Linksys. Since when is anything made by Linksys "sophisticated equipment that isn't readily available"! If you are talking about the antenna to pick up the signal at a distance, there are many ways to make a homemade antenna or convert an old dish for cheap.

  19. Links to exploit code please! by Anonymous Coward · · Score: 0

    Post 'em here -- thanks!

    1. Re:Links to exploit code please! by Anonymous Coward · · Score: 0

      write your own god damn exploit code you script kiddie.

  20. Re:It would mean free access... by GregGardner · · Score: 1

    I have a co-worker who took his laptop home and booted it up with his wireless card in it. Much to his surprise, he was connected to the Internet even though he didn't have a wireless network at his house. Turns out that there was an "Internet cafe" across the street who evidently had no encryption turned on on their network and would let anyone with a wireless card connect to it.

    So if you are moving to a new place, before you order that DSL line or cable modem, first pop in a wireless card and see if you can get a free Internet connection.

  21. Re:Second in a row? by sampson · · Score: 2, Informative

    >Interesting, here is an even older story about guys from the University of California in Berkeley breaking 802.11 security...

    kinda sorta. that older article (which is very good, i used it for research i was doing on wireless security) talks specifically how one could attack WEP encryption. but the implementation is left as "an exercise for the reader". this, i believe, is merely an implementation of the attack.

  22. Re:To quote the paper... by Auckerman · · Score: 1

    Everything wasn't up for review outside of the committee. It should have been.

    --

    Burn Hollywood Burn
  23. Re:Perfect example of why the DMCA is flawed... by inburito · · Score: 2
    Copyrights.. That just about sums it up.

    According to dmca it is illegal to circumvent electronic copyright protection measurements. Since a lot of cryptography is used to protect something that is also copyrighted dmca is almost universally used as prosecution tool against encryption cracking hackers..

    However, in this case there is no clear copyright violation involved, so applicability of dmca is more than questionable. The purpose of this encryption was not to protect specific copyrighted material.. that is, unless all the packet headers contain some copyrighted strings or something..

  24. Heh by Jailbrekr · · Score: 1

    Firmware encryption broken in a week. Why am I not surprised?

    Any chance of the 802.11 manufacturers implementing different encryption schemes, such as blowfish? Give the consumers a choice, and it will not only lessen these embarrassing hacks, but will also make it A LOT more difficult for anyone to crack a properly secured wireless network..... Please note I said "properly secured".

    --
    Feed the need: Digitaladdiction.net
    1. Re:Heh by Anonymous Coward · · Score: 0

      You don't understand. The cipher algorithm is completely irrelevant to this attack, as the problem is the poor initialisation vectors used.

    2. Re:Heh by Anonymous Coward · · Score: 0

      Agreed! ANYTHING that uses encryption should allow the use of plug-ins for protocols. This way the end user has their choice of speed vs. security and if the protocol is determined to be insecure at a later date, it can easily be replaced.

    3. Re:Heh by Markonen · · Score: 1

      "Wired Equivalent Privacy" isn't the only thing WEP was aiming for. They also aimed for Wired Equivalent Simplicity. A single encryption standard for WLANs wouldn't have been a bad thing, had they actually managed to specify a half-decent one.

      If the link level security isn't simple and interoperable, then it doesn't really pay to have the security on that layer at all. As suggested earlier, upper layer security works just as well.

  25. Like we didn't know this exploit? by GiMP · · Score: 1

    This is a well known exploit already, you act as if this is news.. WEP has been broken quite a while ago, and IIRC it was even mentioned on slashdot.

    I am working with a company which plans to roll out 802.11b wireless to a medium-sized city. Sure, it may not be the most secure thing.. but until another solution pops up...

  26. Re:No, the DMCA does not apply here. by narcosis · · Score: 2, Informative

    Actually, the DMCA restricts the design or production of devices produced for the purpose of "circumventing a technological measure that effectively controls access to a work..." An effective technological measure such as encryption is very different from the "copy protection scheme" that isn't even mentioned in the DMCA

    Anyway, there is an exemption for encryption research, so the DMCA is not applicable here anyway.

  27. Re:It would mean free access... by drsoran · · Score: 1

    That is why $DEITY invented SSH and VPNs.

  28. Re:Don't bother with encryption by philipm · · Score: 0

    I have:
    secret list of porn sites that i don't want anyone else visiting, list of hot stars panty colors at the oscars, plans for new code blue virus, eating habits of the overweight, insider stock tips of cow manure futures, secret plan to do nothing to the world, secret plans for exercise program that works while you are exercising, bad meat collection location, squirrel fishing pictures. I definitely don't want myself finding out that I have these.

  29. Re:Your data is probably still secure. by Anonymous Coward · · Score: 0

    Since when is Linux easily available ;)

  30. Re:actions to take by frknfrk · · Score: 2

    the post was actually nearly sarcastic. i mean, who am i more afraid of, people who are close enough to my house to leech/spy on my bandwidth (i.e., my neighbors) or the millions of 'leet' hackers worldwide who'd LOVE to see my wife's laptop in front of the firewall.

    --
    The REAL sam_at_caveman_dot_org is user ID 13833.
  31. Re:It would mean free access... by VJMadProfessorZERO · · Score: 1

    depends on how they've setup the networks. Easiest way I can think of, use SSH to keep communications encrypted. PuMA Net's going to be working in a similar fashion.

  32. Re:might be a good thing by emn-slashdot · · Score: 1

    Do people read this crap before they mod it up? Hey moderators, some of you need to get a brain and know what the other person is talking about before you start waving the mod-stick around.

    --
    -EvilMonkeyNinja
    Mild Mannered Host by Day
    Wild Hammered Programmer by Night
  33. Re:Good design principles/the test of time. by Sangui5 · · Score: 1

    They didn't want software DES available because it is much harder to regulate. If DES is available hardware only, then they can make sure that the hardware is only exported to trustworthy companies. Software is more ethereal, and therefore much harder to control.

    Just look at PGP. Easily available anywhere, and totally beyond any government's ability to control. DES hardware, on the other hand, is something physical that you can stop at the border, confiscate, track, etc. Copying DES hardware is something that no terrorist organization has the resources to do. Copying PGP, however, is mindnumbingly easy. Simply by being in hardware makes it much easier to control DES than PGP. Of course, now that there are software implementations of DES, DES is out of the bag too. But this is about crypto control in the early 80's.

  34. 802.11b, NOT 802.11x!! by fist · · Score: 3, Informative

    This is the old WEP protocol that we knew was broken. This is not the new encryption that is supposed to be secure.

    1. Re:802.11b, NOT 802.11x!! by joemiah · · Score: 2, Interesting

      My understanding of 802.1x is that it only provides a more secure authentication system. After the initial authentication, it utilises WEP for the remainder of the session.

      Can someone clear me up re. this?

  35. Re:might be a good thing by swordboy · · Score: 1

    This student, OTOH, broke this w/o profit and without breaking any copyrights.

    That brings up an interesting point.

    With all the hoopla about software integrity - especially the operating system, you'd think Microsoft and the other cash-riddled companies would pay the smart people (like this guy) to find the flaws before product release.

    A good example is Windows 2000. I remember that Microsoft set up a "Crash This Server and Win Nothing" site to test integrity. But wouldn't it have been in Microsoft's best interest to put some money into the game? Perhaps a jackpot that increases on a daily basis.

    Not only would this have been VERY good PR, but it would have made Windows 2000 a more secure platform "out of the box". While Bill Gates is a remarkable businessman (that's good and bad), he always manages to shoot himself in the foot.

    --

    Life is the leading cause of death in America.
  36. ...anyone that counts on it anyways by Emil+Muzz · · Score: 1

    Seems as though most people don't use the encryption - it slows down most 802.11b interfaces anyhow. Besides, if anybody is broadcasting sensitive info over RF in ANY format, they're pretty much asking for it. The most important layer of security is physical, after all.

    --
    ... not in here, pal, this is a mercedes...
  37. Rock On Stubblefield! by alp3t · · Score: 1

    The subject says it all.

    1. Re:Rock On Stubblefield! by MrBlue+VT · · Score: 1

      I agree. Rock on.

  38. Re:different encryptions by Anonymous Coward · · Score: 0

    I have a little box at work the size of a small book that will encrypt 3DES at 45Mbps.

  39. Re:different encryptions by Anonymous Coward · · Score: 0

    If the key hadn't been discovered, DVDs would never be cracked (barring any new mathematical breakthroughs).

    A key would have been discovered, since anyone who had a dvd player or dvd software had a key. At some point, every dvd player or dvd software has to load that key in some fashion into a form of memory, and all you have to do is examine the device long enough while it's running and you will figure out when and how it does that...

    And once you've done that, you can do it yourself.

  40. 802.11b was cracked not 802.11a.. by Anonymous Coward · · Score: 0

    the distinction 802.11x is incorrect.. dss is easy to figure out.. hopping sets 802.11a is a bit more tricky.. please correct..

  41. For the paranoid: stick to a typewriter by Anonymous Coward · · Score: 0

    Folks, the Cat 5 is Cool theory doesn't work if you are really security conscious. Unless you run all Tempest gear and shielded cable, you are radiating your packets all over your neighborhood anyway, 802.11 is not required. The work is excellent, though, and shows how a lazy standard produced something worse than no security, namely, the illusion of security.

  42. Re:Stubblefield and SDMI by Pootie+Tang · · Score: 1

    On a similar note, Aviel D. Rubin, another one of the authors here, was also one of the authors of the passport analysis that was recently mentioned.

  43. Re:damn! by tonywong · · Score: 1

    Yeah, surfing for Pr0n on the john unsecured gives me performance anxiety too...

  44. How does Bluetooth compare? by MichaelAtten · · Score: 1

    What are people's views on the security built into the Bluetooth standard, which has a certain application overlap with 802.11 (although slower at the moment)?
    I believe it has some flavour of public-key encryption, but has it been well designed?

  45. Re:Poor kid... by Anonymous Coward · · Score: 0

    At the end of the PDF, it looked like the 802.11 Working Group chair was appreciative of his efforts.

    Hopefully he doesn't show his appreciation by sending over the FBI for a little "Q&A..."

  46. Your data is probably still secure. by Rimbo · · Score: 2, Insightful

    For one thing, most of these attacks rely on sophisticated equipment that isn't readily available for people to use. And as the authors point out, the simple fix is to use end-to-end encryption (e.g., SSH) instead of expecting the WEP to do it for you -- just as you would if you were on a broadcast network through your ISP (e.g., Roadrunner).

    There is a threat of abuse from people with serious resources (e.g., the governments of developed nations), but even that threat is small. For now.

    1. Re:Your data is probably still secure. by 3247 · · Score: 1
      "For one thing, most of these attacks rely on sophisticated equipment that isn't readily available for people to use."

      According to this article from Heise Online (German only), the sophisticated equipment consists of:

      • a stock WLAN adaptor
      • a computer (running Linux)
      • software such as TCPDUMP or Ethereal
      --
      Claus
    2. Re:Your data is probably still secure. by Rimbo · · Score: 2

      And what if I'm using SSH2, as the AC below suggested?

    3. Re:Your data is probably still secure. by Asgard · · Score: 3, Interesting

      This appears to do a MITM attack w/ARP poisoning and such.

    4. Re:Your data is probably still secure. by sampson · · Score: 1

      >For one thing, most of these attacks rely on sophisticated equipment that isn't readily available for people to use

      really? what i got from the article was this:
      "our attack used off the shelf hardware and software", the only special item they had was the implementation of the rc4 attack.

      >And as the authors point out, the simple fix is to use end-to-end encryption (e.g., SSH) instead of expecting the WEP to do it for you

      yep.

    5. Re:Your data is probably still secure. by jgaynor · · Score: 3, Interesting

      Bullcrap.

      ettercap can sniff the log/pass out of an SSH session in REALTIME on a switched network, let alone a shared media (eg AIR) segment.

      Throw in some promiscuous mode drivers on your wireless card and fsck some shite up.

      Not that I'm advocating that of course :)

    6. Re:Your data is probably still secure. by AdamInParadise · · Score: 1

      Explain to me: with SSH, passwords and logins are encrypted when sent. You can't just sniff them. They never travel over the medium.

      What do you really mean ?

      --
      Nobox: Only simple products.
    7. Re:Your data is probably still secure. by Dr.+Smeegee · · Score: 1

      Thanky.

    8. Re:Your data is probably still secure. by Dr.+Smeegee · · Score: 1

      Any links to this primestar dish scheme? It sounds interesting.

    9. Re:Your data is probably still secure. by Anonymous Coward · · Score: 0

      You are obviously from New Jersey.
      Why?
      Because you have no IDEA how SSH works, but you assume you do.
      You are a MORON.
      i HATE you.
      i bet you own a dell.

    10. Re:Your data is probably still secure. by Anonymous Coward · · Score: 0

      Then use SSH2 instead...

    11. Re:Your data is probably still secure. by Anonymous Coward · · Score: 1, Funny

      Thanks for not reading the article, which specifically said they used cheap OTS 802.11 cards and Linux drivers - not sophisticated equipment, by design. So you're an idiot, as are the 3 moderators who modded this bullshit up without also reading the article.

    12. Re:Your data is probably still secure. by Jeffrey+Baker · · Score: 2

      BS. You can buy very high gain directional or omnidirectional antennas and just plug them right in to any old Lucent or Cisco 802.11b card and go nuts. The antenna will run you a few hundred unless you use a decommissioned primestar antenna, in which case the cost is zilch. With line of sight, you can listen to 802.11b emissions from as far as 24 miles away.

    13. Re:Your data is probably still secure. by Anonymous Coward · · Score: 0

      The antennas are dropping in price. A high gain 24dB antenna can be
      had for $113.

      http://www.hyperlinktech.com/html/products/antennas_2400.html

      Add to that the price of an adaptor cable, and one is all set for a
      road trip.

    14. Re:Your data is probably still secure. by Anonymous Coward · · Score: 0

      For one thing, most of these attacks rely on sophisticated equipment that isn't readily available for people to use.

      Yeah, high speed electronic digital computers. There's only a market for half a dozen of these things in the whole world.

  47. okay.... by jaiteend · · Score: 0, Redundant

    how long until the fbi gets involved in this one?

    --
    and the Irishman took the fly in his hands and yelled, "spit it out!"
  48. damn! by gnurd · · Score: 5, Funny

    gonna have to re-run that cat-5 into the shitter after all.

    --
    "i was saying gnu-rd"
    1. Re:damn! by Unknown+Poltroon · · Score: 1

      ok, you got me laughing my ass off. Thanks, i needed that.

      --
      All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  49. Re:different encryptions by Anonymous Coward · · Score: 0

    If you want a really good primer on the history, schemes, and problems related to encryption I suggest that you read the book "Crypto". It is not the highly esoteric mathematical type book that one usually sees on encryption. It is written in a way that intelligent people without extensive background can understand.

  50. No big deal.. by Ogerman · · Score: 1

    Regardless of WEP's weaknesses, it would be stupid to rely on link-level encryption to secure your communications from the outside world. Heck, if you had a really good radio receiver, you might be able to pick up noise from someone's messy CAT5 cables. Guess it depends on who's your enemy. Any business really ought to encrypt most of their internal traffic anyhow just on principle and to keep snoopy employees from poking around.

    1. Re:No big deal.. by philipm · · Score: 1, Insightful

      Hmmm. The employees are the business, bub.

      Anyway, I wasn't going to post in this article because this whole thing is a troll and perpetuates several fundamental misconceptions.
      But at least you are half right.

      Encryption on the link-level IS NOT security. "Security" on the link level consists of denying physical access to your link. Even then it's not important.

      The words encryption and security are really reserved for end-to-end or peer to peer level.
      It doesn't matter what's in between because it's encrypted there. Doh!

      It takes only minimal intelligence to see this.
      Consider this physical representation:
      A connected to B connected to C connected to D.

      What kind of an idiot talks about encryption between B and C where it's obviously encryption between A and D that matters?

  51. Re:Go Owls! by biggerboy · · Score: 1

    OK you young-ins, you're making me feel old :-) Baker 90 BSEE

  52. Re:different encryptions by Anonymous Coward · · Score: 0

    PDF also uses RC4 - 40 bit in Acrobat 4 and less, and 128 bit in Acrobat 5. It also uses MD5 hashes - there's actually nothing wrong with the PDF encryption as such. Provided that there is a password required to open the document, the only *technical* way of breaking the document is brute force, which doesn't impress anyone anymore.

    I don't know what Sklyarov found, but I suspect the flaws were in the "third party encryption plugins" that are an option in PDF documents.

  53. Re:Wasn't this on Slashdot earlier? by Anonymous Coward · · Score: 0

    IPsec does have an encrypted key exchange, at least in FreeS/WAN.

    --
    Why is ./ filled with drama queens?

  54. Re:Workaround: Just rekey frequently by Zeinfeld · · Score: 2
    My point was that WEP does not support rekeying. It should support rekeying, it should support many things.

    The second set of papers have demolished the proposed fixes that nobody has implemented. I doubt that a workaround will be necessary since that set of proposals is now completely dead.

    Time for the 'A-Team' to arrive and take over.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  55. Re:Wasn't this on Slashdot earlier? by philipm · · Score: 0

    IPsec is yet one more protocol made and bought into by morons. The key exchange occurs in plain text. What part of "completely unrelated to security" don't you people understand?

  56. Re:No, the DMCA does not apply here. by dillon_rinker · · Score: 2

    Surely someone somewhere could claim that they use this encryption scheme to protect copyrighted data...

  57. Stubblefield and SDMI by fremen · · Score: 5, Informative

    This isn't the first time Adam Stubblefield has done something like this. He's also involved with the Rice group that worked with Princeton and Xerox PARC to crack SDMI. Here's the bibliographic entry from the Usenix paper they want to submit (pending the outcome of their lawsuit):

    Scott A. Craver, Min Wu, Bede Liu, Adam Stubblefield, Ben Swartzlander, Dan S. Wallach, Drew Dean, and Edward W. Felten, Reading Between the Lines: Lessons from the HackSDMI Challenge, 10th Usenix Security Symposium (Washington, D.C.), August 2001, to appear, pending legal action.

    Here's an original link:
    http://www.cs.rice.edu/~dwallach/pubs.html

  58. Re:different encryptions by MeepMeep · · Score: 0

    I would suspect that using 3DES or RSA encryption requires a licencing fee.

    Hacking together a quick and dirty encryption protocol 'in house' is cheaper.

    But, as you pointed out, appears not to be too robust.

  59. Re:A better headline for /. by Anonymous Coward · · Score: 0

    so what else is new...

  60. Re:Straight from Kuro5hin by inkydoo · · Score: 1

    Actually, the kuro5hin story points to a different article than the one slashdot pointed to today. The kuro5hin linked story says nothing about the actual exploit by the guy from Rice. It only talks about the paper that the exploit was based on.

  61. Re:It would mean free access... by reverius · · Score: 0

    Well, actually, that's not quite correct.
    As for SSH, the founder of SSH corporation was Tatu Ylönen. In 1995. See ssh.com. (I do realize that he probably didn't invent the technology, but this is all I could find...)
    As for VPN's, we all know that Al Gore invented that to go with the internet. :P

  62. Attack didn't use that... by morzel · · Score: 2
    FWIW the attack combined two things:

    A weakness in the RC4 encryption algorithm, where the usage of certain weak keys can "leak" bits of the secret key.

    Static bits in the ethernet frames. Since they are SNAP frames, the first byte of the frame is always 0xaa.

    The scary part of the paper is that the attack didn't rely on the poor initialisation vector. So it will work on networks with the random IV feature being implemented in the latest Lucent firmware.

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
  63. Re:This ain't new people by vs · · Score: 1
    And if you bother to try and make every single connection that occurs inside your home wireless LAN IPSec 3DES encrypted, how the hell do you ever get anything done?

    You're right, that closely resembles my current problem :-)

  64. Re:Why put crypto in the NIC at all? by UncleBex · · Score: 1

    WEP doesn't work at 11 Mbps, but rather 2 Mbps. 802.11b can reach 11 Mbps but only when all the nifty security features are turned off. It's a sad choice of two evils, but thankfully that choice seems to have been made for me now :~)

    --
    "If you want to make an apple pie from scratch, you must first create the universe." - Carl Sagan
  65. Straight from Kuro5hin by HEbGb · · Score: 2, Troll

    They beat slashdot to the punch, even though slashdot appears to have attempted to cover this before:

    Yesterday's article from Kuro5hin quoted below:

    This recent Slashdot article has links to the technical details. (Inexplicably, that article didn't appear on the Slashdot's front page and awareness of this problem has lagged.) The hardware and resource requirements for this new attack are trivial: pretty much anyone with a wireless Ethernet card can compromise WEP.


    Hmm, gaining a few leads from k5, huh Michael? Should have gotten it on the front page correctly the first time.

  66. Re:You realize what this means about Linux by Anonymous Coward · · Score: 0

    Beat you to the punch, Will.

    Darn. And I even changed my tag for that post.

  67. It would mean free access... by DESADE · · Score: 4, Funny

    In metropolitan areas, tons of companies/individuals have 802.11 networks. Could he use this to have free access just about anywhere? I think Starbucks is installing 802.11 in all their stores. This would be nice.

    1. Re:It would mean free access... by Anonymous Coward · · Score: 0

      Hint: It was published on April 1, 1998. On April 1, 1990, RFC1149 was published...

    2. Re:It would mean free access... by JanusFury · · Score: 0

      Is that RFC real? If not, it's the damned funniest joke I've ever seen :)

      --
      using namespace slashdot;
      troll::post();
    3. Re:It would mean free access... by |<amikaze · · Score: 1

      So yeah, SSL is safe. But a proxy server with ssh would be nice for the non-protected protocols.

      May I recommend you check out http://ettercap.sourceforge.net? Look how safe SSL really is once your network has an intruder.

    4. Re:It would mean free access... by TWR · · Score: 4, Insightful
      That is why $DEITY invented SSH and VPNs.

      Agreed, but what needs to be done to make an 802.11b connection secure is combining a base station with a proxy server running SSH, tunneling the most common protocols (HTTP, SSL, FTP, NNTP, NTP, Telnet for the masochists). If there's no proxy tunneling my SSL connection to www.buystuff.com, then my credit card number will go through the air, completely insecure.

      A Unix box with an 802.11 card running sshd and natd/ipfw could solve this problem; thing is that it'll cost about 4x more than just the base station, and most people don't understand why it's so necessary.

      -jon

      --

      Remember Amalek.

    5. Re:It would mean free access... by swillden · · Score: 3, Insightful

      ... what needs to be done to make an 802.11b connection secure is combining a base station with a proxy server running SSH ... A Unix box with an 802.11 card running sshd and natd/ipfw could solve this problem; thing is that it'll cost about 4x more than just the base station, and most people don't understand why it's so necessary.

      Wrong. That wouldn't fix the 802.11b security problem at all.

      The problem with this and all of the other recommendations about VPNs, SSH, etc. to "fix" the WEP problem is that they only work if every machine that uses the wireless LAN is secure. Because if one of them has an exploitable security hole, the whole network is compromised.

      "But, but, those wirelessly-connected machines are outside the firewall," you say. Yeah, and they have all the keys, passwords, etc. required to slide right through that nice VPN connection and inside the network.

      Face it: If you need security, and you need wireless, you have to have a firewall on every single wireless client as well as on the AP. Oh, and you'd better have a full-time admin for all of them as well, to keep up on the security patches.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:It would mean free access... by blang · · Score: 2

      Not only that, but you could get free access to "premium content". Why pay real bucks to some pr0n site, when you can let the neighbor carry the cost. Maybe the internet will be free ( as in beer ) again?

      --
      -- Another senseless waste of fine bytes.
    7. Re:It would mean free access... by Anonymous Coward · · Score: 0

      dumbass.

      Slashdot requires you to wait 20 seconds between hitting reply on comments.pl and submitting a comment.

      It's been 6 seconds since you hit 'reply'!

      Slashdot requires you to wait 20 seconds between hitting reply on comments.pl and submitting a comment.

      It's been 18 seconds since you hit 'reply'!

    8. Re:It would mean free access... by TWR · · Score: 2
      You are absolutely right; I was having a brain cramp. For some reason, I managed to convince myself that the SSL connection was between the base station and the SSL server and the data between the laptop with the wireless card and the base station would be in the clear.

      On further reflection, this doesn't make any sense. The base station is just forwarding on any packets you have sent from the laptop to the remote server (as well as packets sent in the reverse direction); any SSL encoding would have been done on the laptop.

      So yeah, SSL is safe. But a proxy server with ssh would be nice for the non-protected protocols.

      -jon

      --

      Remember Amalek.

    9. Re:It would mean free access... by Erasei · · Score: 3, Funny

      Too bad Starbucks don't use RFC 2324 on their machines. I could use some free coffee every morning :)

      --
      visit my free wallpaper collection, wp.erasei.com
    10. Re:It would mean free access... by TWR · · Score: 2
      Turns out that there was an "Internet cafe" across the street who evidently had no encryption turned on on their network and would let anyone with a wireless card connect to it.

      That's not "encryption", that's authentication. Since the Internet Cafe probably doesn't want to bother managing userIDs and passwords (or MAC listings) for all of its customers, they just let their base station accept all attempted connections (presumably using DHCP to assign IPs).

      The problem is that the data from your friend's computer to the base station is basically in the clear, since WEP is a very easy encryption algorithm to crack.

      -jon

      --

      Remember Amalek.

    11. Re:It would mean free access... by TWR · · Score: 2
      Because if one of them has an exploitable security hole, the whole network is compromised.

      How would the whole network be compromised? We're not trying to keep people OUT of the network, just trying to keep people from reading each other's data.

      If everyone has their own encrypted connection to the proxy server, and some new dumb ass comes along who doesn't have an encrypted connection, then dumb ass' traffic can be seen, but everyone else's is still encrypted. No one else's keys have been exposed.

      -jon

      --

      Remember Amalek.

    12. Re:It would mean free access... by swillden · · Score: 2

      We're not trying to keep people OUT of the network, just trying to keep people from reading each other's data.

      I'm more concerned about keeping people out of the network who aren't supposed to be in it. I don't see any problem with legitimate users reading each others' traffic -- at least no more problem than exists on traditional wired networks.

      If everyone has their own encrypted connection to the proxy server, and some new dumb ass comes along who doesn't have an encrypted connection...

      I was assuming that all legitimate users had an encrypted connection. The point is that each of those legitimate users' boxes has the ability to slip in through the firewall. So an attacker who compromises one of those machines over the wireless LAN is suddenly inside the firewall and it did no good whatsoever to put the AP outside. Once inside, the attacker can read anything he'd like.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:It would mean free access... by Anonymous Coward · · Score: 0
      While some companies might be open to compromise, Starbucks isn't likely to be one of them. At least in my area, the wireless network is being built and administrated by MobileStar (http://www.mobilestar.com).

      I use MobileStar at American Airlines airport clubs and terminals, and have a per-use subscription ($2.50 for first 15 minutes of a connection, 20 cents/minute thereafter). They do not use any encryption at all for the wireless connection.

      However, the access point is effectively behind a "reverse firewall". The first URL that you access sends you to the Mobilestar login page. If you try to access any other service (SMTP, POP, etc.), it will fail with an error that tells you to login first.

    14. Re:It would mean free access... by loraksus · · Score: 2

      Most people don't even have the security enabled, so security isn't really an issue. It's called war driving btw, driving around with a laptop and a gps.

      It's not like the security was ever touted as great anyways.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  68. Re:different encryptions by Anonymous Coward · · Score: 4, Interesting

    No, you are not correct on the CSS crack. Originally the key was needed to decrypt the stream. However, further analysis of CSS revealed that it was possible to predict the bytes in a decryption key in a fashion similar to that described in this article. It is now known that it is possible to solve the decryption functions for CSS mathematically in such a way that the key table of hexadecimal byte codes is no longer required (factored out) hence the DeCSS descrambler written with seven lines of PERL.

  69. Go Owls! by biggerboy · · Score: 1

    As a Rice alum, I'm damn proud of Adam. :-)

    1. Re:Go Owls! by markmier · · Score: 1

      Me too d00D! BSChE, Baker '98

  70. Re:CmdrTaco arrested by FBI by Anonymous Coward · · Score: 0

    There are connections on the cards for external antennas, not expensive, and very easy to connect, and gives better result than Lucent's antennas.

  71. This thing has already been done... by Anonymous Coward · · Score: 5, Interesting

    Too bad this is old news fellas. A group from UC-Berkeley has done an even more in-depth research project about the (in)security of wep, and can be viewed here:

    Wep (in)Security

    One of the important things to point out is that in the paper done by this group of people is that they also included active attacks, which is a pretty neat tool. I won't elaborate too much on this, but it is possible for a hacker (bad context) to act like a man-in-the-middle attack, sniffing your packets off the air, then doing whatever to them, then sending them to you (as if nothing ever happened).

    The sad thing is that most people don't even know that encryption is available on some of these models.

    One other important thing to point out with wireless LANs is the new thing with war driving (similar to war dialing). What this consists mainly of is someone sitting outside in your parking lot and just surfing the net for free. There is also more complex stuff that is done out there, specifically in San Francisco where the whole city was marked out by the http://www.dis.org guys, containing all the wireless LANs available as well as their SSID's (think of identification).

    Here are some links on wardriving:
    Mobile Wardriving
    San Fran War Driving
    General War Driving Info

    One last thing to point out is that new technology that is coming out allows you to make a mobile sniffer device just using a Compaq iPaq, a Lucent wireless LAN PC Card, and a few other items (depending how sophisticated you want to get), and all of this can be done for under 1000 US dollars.

    God bless Al Gore for creating the Internet.

    1. Re:This thing has already been done... by Zeinfeld · · Score: 5, Informative
      No, the Berkeley attack broke WEP version 1, the new attack breaks the proposed fix as well.

      The big problem with the 802.11b folk is that in the beginning they had no security people and now they only have a couple and won't actually let them do what needs to be done.

      The original WEP protocol was secure as reviewed by the NSA, then they substituted a stream cipher for the block cipher for better performance, completely breaking the scheme. Truncated IVs are not a serious problem with DES, plenty of protocols use them. Truncating the IV utterly destroys the security of RC4.

      The deeper problem is that WEP attempts to provide 'equivalent privacy' to ethernet. But a wired network does not just provide some privacy it provides authentication. The big problem with WEP 1 or 2 is that there is no way to stop a fired employee surfing from the car park.

      At present the (sensible) companies that are deploying 802.11b on a large scale are wrapping IPSEC around it.

      The best way to solve the problem however is to fix the protocol itself, and use a different key for each card instead of the same key for every card in the network. The 802.11b chumps keep rejecting this idea because it prevents the use of broadcast - the idea of having a separate shared key for broadcast having not occurred.

      In order to make a separate key for each device viable it would be necessary to use some public key technology. But this is pretty easy, manufacturers of cable modems are already installing private keys and certificates in each device. Use of a modern PKI interface such as XKMS means that the card does not need to be at all complex.

      It would be a good plan to swap out the RC4 algorithm in favor of AES. The chips in the cards are not up to 3DES at 11Mbs but they should be up to AES.

      Nothing I have described cannot be implemented as an upgrade to the firmware of existing hardware. The extra lines of code would be relatively small.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  72. Wireless Security Jokes by _Sprocket_ · · Score: 3, Interesting
    Does anyone remember the article a while ago, I think in Wired, that detailed the escapades of a couple guys bombing around Silicon Valley with a directional antenna hooked to an 802.11 card?
    I used to work for [big network hardware company]. One of the long-running jokes was to look out our windows and see if any new antennas were showing up on [another big network company]'s buildings within a short line of sight from us. Call it morbid humor.

    We built 802.11 gear, marketed that gear, and ate our own dogfood. Renegade 802.11 access points became a major issue. Our folks walked around the campus with a WinCE device and network card negotiating to internal networks in (almost) all buildings.

    But that wasn't the incident to drive the issue home.

    It seems some non-employees were using the light rail to go to work the day after attending some networking convention. They had bought some of our wireless NICs and happened to have them in their laptops when, suddenly, they found themselves on someone's network. Ours. Since they knew some of our guys, they sent an email pointing this out. That email made the rounds fairly quickly.

    The joke that not only do we provide equipment for the Internet, but also public access to it? More gallows humor. I'm not sure if it was appreciated by management.

  73. Why this is bad by Anonymous Coward · · Score: 0

    Obviously it's a good thing to expose holes in technologies, to make everyone aware of possible security risks, and to do it in a professional way. There is no doubt about this.

    However, think of the image of the programmer who did this. He is a Linux user. So when all the IT department heads get this emailed to their inboxes they will see that a Linux hacker has broken their wireless network. Guess what: No Linux allowed onsite from now on. Linux hacker. Linux hacker. Linux hacker.

    Stop using Linux to demonstrate these security holes. Please.

  74. How to build a virtual private network [CODE] by risacher · · Score: 1
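    #!/bin/sh -f
    # Keep a PPP-over-SSH tunnel up: when the link drops, wait and reconnect.
    while true; do
        date
        # pty-redir runs ssh on a pseudo-terminal and prints the pty name,
        # which the local pppd then uses as its serial device.
        pppd `pty-redir /usr/bin/ssh -2 user@host.yi.org sudo /usr/sbin/pppd notty passive lcp-echo-interval 20 lcp-echo-failure 3` local 10.0.0.5:10.0.0.2 lcp-echo-interval 20 lcp-echo-failure 3 nodetach netmask 255.0.0.0
        sleep 180
    done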
    --

    "The simplest solution is to ignore your dead children."

  75. Re:Don't bother with encryption by crawling_chaos · · Score: 1
    I've got to argue, what can you possibly have on a home network that needs to be encrypted?

    Uhhh... all of my finances in GnuCash, maybe? Credit card and bank account numbers, you know, that sort of trivial stuff. Or do you post yours on your personal web site for the world to see?

    --
    You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
    -- Colonel Adolphus Busch
  76. Re:actions to take by zhensel · · Score: 2

    Assume that anyone within physical range can communicate on the network as a valid user. Keep in mind that an adversary may utilize a sophisticated antenna with much longer range than found on a typical 802.11 PC card.

    Does anyone remember the article a while ago, I think in Wired, that detailed the escapades of a couple guys bombing around Silicon Valley with a directional antenna hooked to an 802.11 card? Hell, at that time most of the networks they checked weren't even using any encryption (I think Sun was the worst offender - not sure though).

  77. Re:Why put crypto in the NIC at all? by Anonymous Coward · · Score: 0

    I disagree... always go with hardware solutions if you have the options, the overhead would induce too much latency.

  78. Re:SSH no good, if underlying net is accessible. by TeraCo · · Score: 1
    Change the MAC address?

    Dear God, what are they teaching kids these days.

    --
    Not Meta-modding due to apathy.
  79. Re:different encryptions by Anonymous Coward · · Score: 0
    It's quite simple, in most cases it's not the encryption itself but it's the implementation and the key exchange that's insecure

    The reason that SSH, SSL, et al stand up so well is because you don't know anyone's private key except your own. In fact, you don't even need your own private key to still use the protocol, since the server can set up a session with you by exchanging a randomly generated key. There is no encrypted information until you agree on which keys to use, and that's when the encryption starts.

    Now think about how the other formats you mention use encryption. You can't exchange random keys, because the information is already encrypted. It's encrypted when it's stored on the disk or file. You can't encrypt it with the end user's private key, because not everyone has a certificate. So the only thing left to do is send the key itself (I think pdf does this) or use predistributed keys (such as dvd). Since the end user must be able to get the key to use it, then the hacker can too.

  80. Re:Second in a row? by fobbman · · Score: 2

    They are listed as references at the end of the document.

    Another bit of interesting text was in the acknowledgements:

    "We informed Stuart Kerry, the 802.11 Working Group Chair, that we successfully implemented the Fluhrer, et al. attack. Stuart replied that the 802.11 Working Group is in the process of revising the security, among other aspects, of the standard and appreciates this line of work as valuable input for developing robust technical specifications."

    Nice to know that they let Mr Kerry know ahead of time and that they are already working on revising the standard, instead of taking the capitalistic approach of sending it to the courts.

    Bravo to both parties.

  81. Excellent Point by FreeUser · · Score: 3, Insightful

    While I am occasionally one to lambast the hypocrisy of slashdot (promoting products of the MPAA despite the MPAA's thus-far-successful attack on Free Software through movie and DVD reviews ... though the latter seem to have thankfully been discontinued), and while I concur with your criticism (the link should not be to a format promoted by a company all those with conscience should be boycotting), this is, I think, reflective of lax editorial work rather than outright hypocrisy. The link was submitted by a reader, not a slashdot editor.

    That having been said, would the slashdot editors please change the link to point to the HTML version of the document? Boosting the clickthroughs to a proprietary format from an offensive company at the expense of clickthroughs to an open format (HTML) isn't helpful regardless ... anyone analyzing the statistics of the logs will gain a false impression of people's preferences WRT the document's format, thus promoting PDF at a time we really don't want to be doing so.

    Just my 2 cents, of course.

    --
    The Future of Human Evolution: Autonomy
  82. Re:Don't bother with encryption by crawling_chaos · · Score: 1

    SSL is great if you're talking to a web site, but if you are using a wireless network to access GnuCash, Quicken, whatever off of a home file server, the information would be available as it transferred to the laptop by the file server. That's what WEP is supposed to prevent, and evidently, it doesn't.

    --
    You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
    -- Colonel Adolphus Busch
  83. Re:Good design principles/the test of time. by wljones · · Score: 1

    I differ only a little with Sangui5 on his submission. The algorithm used with DES was a subset of the Lucifer Algorithm. The Lucifer Algorithm was described by my college professor, who had a copy, as, "A monster". The use of a subset kept the result to a practical size. The DES was to be implemented in hardware, and the government provided a set of three hexadecimal numbers to test any implementation. I have this information from 1979, when life was simpler and 56-bit keys were strong stuff. An engineer published an article showing how to implement the DES in a 1979 microcomputer with a 1024 byte memory. He wrote a how-to article, and explained that even though his implementation worked, it was software and not hardware. Therefore, the government would never bless it. Remember, he implemented DES. He made no attempt to crack it.

  84. Interesting comment in the .pdf file by fobbman · · Score: 2

    "The WEP standard uses RC4 IVs improperly, and the attack exploits this design failure."

    I don't get it. This is a standard, so isn't it supposed to go through some rigorous testing? Aren't there supposed to be some rather smart people involved in the creation of a wireless networking standard? If so, how could all these brainies improperly implement encryption?

    1. Re:Interesting comment in the .pdf file by Anonymous Coward · · Score: 0

      The bumper on your car meets or exceeds certain standards. It won't protect you very much in a high-speed crash, though.

  85. Re:might be a good thing by Spoons · · Score: 2, Informative

    Not that it matters, but Adam Stubblefield is an undergraduate student (CS and Math), and also part of the famous Princeton/Rice SDMI Challenge team. He also broke the mp3.com beam-it protocol. Quite an impressive start to this guy's career.

    RRF!
    Lovett 2000

  86. Re:different encryptions by enedwaith · · Score: 1

    The main problem with these encryption schemes is that they are developed by companies in house and aren't submitted for peer review. DES and RSA on the other hand are open algorithms that have been tested by many cryptographers and have yet to fail (Not counting DES's meager key size).

  87. Re:Oh no ... by Anonymous Coward · · Score: 0

    Even ICMP?

  88. Why PDF? by Jagged · · Score: 5, Informative

    Mr. Stubblefield was kind enough to provide the paper in three different formats and you choose to point to only the PDF version on Slashdot?

    The intro page is at http://www.cs.rice.edu/~astubble/wep/ which points to the paper in PostScript, PDF, & HTML formats.

    1. Re:Why PDF? by shaka · · Score: 1

      That was real funny.
      But seriously, I think PostScript gives me the same feeling, actually even stronger 'cause it's got this academic feel all over it.
      Kind of like when I began high-school and the math/physics teachers had created their own books, using TeX. Boy, were we impressed!

      --
      :wq!
    2. Re:Why PDF? by swordboy · · Score: 1

      PDF lends itself to that wonderful "omniscient" feeling. When reading them, I always get the feeling that everything contained within is absolutely true.

      Is it just me?

      --

      Life is the leading cause of death in America.
    3. Re:Why PDF? by Anonymous Coward · · Score: 0

      No, I would have to agree with the first post. HTML should be the default, not the bulky PDF.

  89. Re:Why isn't crypto module flash upgradable? by armb · · Score: 1

    > I agree that it applies to this usage of RC4, but there are other encryption techniques, like DES, that can be used with a nonsecret init vector

    Sure, but we've also known all along that reusing a key for a stream cipher like RC4 was a big mistake, but not so much of a problem with block ciphers like DES, but that doesn't mean stream ciphers are all broken, just that you have to be careful not to reuse keys. The abstract says "The WEP standard uses RC4 IVs improperly, and the attack exploits this design failure."

    --
    rant
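
Added example, not part of any comment in this thread: a minimal Python sketch of the WEP-style framing discussed above (a public IV prepended to the shared RC4 key, SNAP frames that always start with 0xaa), showing what a passive listener learns from the known first byte and from two frames that reuse an IV. The secret, IVs and payloads are constructed sample values, the helper names are illustrative, and the CRC-32 integrity value that WEP appends is omitted.

```python
"""Illustration of RC4 key/IV reuse in a WEP-like framing (constructed data)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling followed by `length` output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Return IV || RC4(IV || secret) XOR plaintext. The IV travels in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 3 bytes")
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def first_keystream_byte(frame: bytes) -> int:
    """Keystream byte 0, derived only from the frame and the fixed 0xaa."""
    return frame[3] ^ 0xAA


def plaintext_xor_from_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """With the same IV and key, the keystream cancels: C1 ^ C2 == P1 ^ P2."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])


def find_iv_reuse(frames):
    """Audit helper: IVs that appear on more than one captured frame."""
    seen = {}
    for frame in frames:
        seen.setdefault(frame[:3], []).append(frame)
    return [iv for iv, group in seen.items() if len(group) > 1]


# --- constructed sample data (not from any real capture) ---
SECRET = bytes([0x01, 0x02, 0x03, 0x04, 0x05])         # 40-bit shared key
SNAP = bytes.fromhex("aaaa030000000800")                # LLC/SNAP header, IPv4
PT_A = SNAP + b"payload one"
PT_B = SNAP + b"payload two"
IV_1 = bytes([0x10, 0x20, 0x30])
IV_2 = bytes([0x10, 0x20, 0x31])
FRAME_A = wep_encrypt(IV_1, SECRET, PT_A)
FRAME_B = wep_encrypt(IV_1, SECRET, PT_B)               # same IV as FRAME_A
FRAME_C = wep_encrypt(IV_2, SECRET, PT_A)               # fresh IV

if __name__ == "__main__":
    print("keystream byte 0 from known 0xaa:", hex(first_keystream_byte(FRAME_A)))
    print("P1 ^ P2 recovered without the key:",
          plaintext_xor_from_reuse(FRAME_A, FRAME_B).hex())
    print("reused IVs:", [iv.hex() for iv in find_iv_reuse([FRAME_A, FRAME_B, FRAME_C])])
```

Because every card on the network shares one secret and the IV is the only per-packet variation, the audit helper flags exactly the frames whose contents leak to each other; a per-device or per-session key removes that shared keystream.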
  90. WAP, IEEE, Lucent and others by chill · · Score: 3, Informative

    As a side note, Lucent prohibited the use of 802.11 wireless networks at any of its facilities a few months ago. Stated reason: complete lack of security. Hell, Lucent MAKES lots of these cards!

    The March 2001 Cryptogram http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml had an article on 802.11 security and what a joke it and the process to develop it was.

    --
    Learning HOW to think is more important than learning WHAT to think.
  91. Michael's going to jail. by scott1853 · · Score: 2

    Didn't you realize that you can't inform people about things that happen in the world without first calling your lawyer and having them find out if you're violating the DMCA.

    Just so you know, $50,000 is the going rate for bail.

    1. Re:Michael's going to jail. by WillSeattle · · Score: 2

      Didn't you realize that you can't inform people about things that happen in the world without first calling your lawyer and having them find out if you're violating the DMCA.

      Just so you know, $50,000 is the going rate for bail.


      It's about $250,000 on the West Coast (9th Federal Circuit), where it would probably be filed.

      Naturally, the US constitution protects your right to publish such things, but they'll still jail you, sell your car, sell your house, and ruin your reputation before you get the appeal heard.

      --
      --- Will in Seattle - What are you doing to fight the War?
  92. Re:This ain't new people by gss · · Score: 1

    Care to back this claim up with any proof. Which company? Did the company give any specific reasons as to why it shouldn't be used? Maybe there were other reasons besides security.

  93. You realize what this means about Linux by WillSeattle · · Score: 1

    It means it's dangerous. Note he used a Linux driver to break it. So soon we can expect some states and municipalities to outlaw Linux, since it's associated with criminal behavior, just as glow sticks are associated with use of e at raves.

    --
    --- Will in Seattle - What are you doing to fight the War?
    1. Re:You realize what this means about Linux by Anonymous Coward · · Score: 0
  94. To quote the paper... by Auckerman · · Score: 2
    "Flaws at every level, including protocol design, implementation, and deployment, can render a system completely vulnerable. Once a flawed system is popular enough to become a target, it is usually a short time before the system is defeated in the field."

    This is exactly why all security measures should be wide open to public observation before implementation. It is NOT safe to assume that if the spec is not released publicly, in its entirety, that someone can not reverse engineer it later and break it wide open. To rely on laws that make it illegal to discover these holes is fruitless because those who are interested in knowing how such things work could care less about what is illegal and what is not illegal.

    --

    Burn Hollywood Burn
    1. Re:To quote the paper... by Graymalkin · · Score: 1

      Hello? What do you think the 802.11b code stands for? The long name would be IEEE 802.11b. That means it was reviewed and accepted by the IEEE. The fact that you're complaining about an IEEE standard not being up for review makes me wonder if you know what the fuck you're talking about.

      --
      I'm a loner Dottie, a Rebel.
  95. Solution to the last mile problem. by Colin+Smith · · Score: 2

    Treat the WLAN as an external cable, put a firewall on your side of it and the 802.11* makes a nice connection mechanism to the internet.

    No more requirement to run cable all the way to the door. Set up community WLANs and share fast broadband connections to your ISP.

    --
    Deleted
  96. Master Locks broken by Mononoke · · Score: 5, Funny
    (reuters) Today in Pecos Texas a 15 year-old named Jim Carnes learned that by simple application of a large pair of bolt cutters, a Master Lock padlock can be rendered completely useless.

    Mr. Carnes goes on to proclaim "the storage building industry may as well give up. No one will want to trust leaving their old couches in those things now."

    In a related story: All over the nation, garages equipped with the Microsoft IIS Garage Door Opener have been opening spontaneously for more than 2 weeks. The owners don't seem to mind, though, as they gave up trying to actually use the garages due to their being built only wide enough to hold a Microsoft car, and nothing else.

    --
    NetInfo connection failed for server 127.0.0.1/local
    1. Re:Master Locks broken by Sloppy · · Score: 1

      Of course, if someone uses bolt cutters on your padlock, you will find out about it. If your network traffic is being intercepted, you'll never have a clue that it's happening.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  97. No. People want "plug and play". by Anonymous Coward · · Score: 0
    People do not want to have to configure a device to be secure. They want to be able to walk into Office Depot and buy an additional 802.11 card for their laptop and (1) have it instantly work with the corporate LAN and (2) still be secure. And even when they make it secure and forget passcodes and settings, they expect to be able to turn the crypto off or reset it upon demand.

    The user is stupid.

  98. Re:might be a good thing by Karmageddon · · Score: 1
    It's spelled "Sklyarov."

    well if you really want to nitpick, it's transliterated that way, but it's actually spelled with Cyrillic characters. This is significant because the Cyrillic character that looks like the backwards cap-R is a vowel that makes a "yah" sound. so, "sklyarov" is pronounced something like "skl-ya-rov" but said fast and scrunched together. it is not much more difficult to pronounce than the English word "sclerosis"

  99. SSH no good, if underlying net is accessible. by Anonymous Coward · · Score: 0

    While the content of your SSH session may be secure, an Evil Hacker could get into the underlying network and kill off the nodes, change the mac address, reconfigure things, etc.

    1. Re:SSH no good, if underlying net is accessible. by TeraCo · · Score: 1
      Uhuh, but unless you are using a dodgy clone NIC, the vendor code has been assigned to the manufacturer by a committee and is hard coded into the chipset, and the card bit is meant to be as well.

      Every NIC in the world is meant to have a different number. Read the standard and catch up.

      PS: I don't care what your MAC address is.

      --
      Not Meta-modding due to apathy.
    2. Re:SSH no good, if underlying net is accessible. by Anonymous Coward · · Score: 0

      Evidently they're teaching kids these days better than you were taught.

      Most ethernet kit will let you change the MAC address. Linux's ifconfig has an option for it, as does BSD's. Guess they forgot to cover that in your MCSE class, eh?

    3. Re:SSH no good, if underlying net is accessible. by Anonymous Coward · · Score: 0
      *twitch* Do you even know what a MAC address is, or what the consequences of changing it are?

      (1) It's MY NIC and I can do whatever the phuck I want to with it.
      (2) The MAC address is only for internal use on the subnet... except in brain dead protocols like IPX.
      (3) My MAC address is 55:46:4b:43:59:21 ("FUCKU"!)

    4. Re:SSH no good, if underlying net is accessible. by TeraCo · · Score: 1

      *twitch* Do you even know what a MAC address is, or what the consequences of changing it are?

      --
      Not Meta-modding due to apathy.
  100. Read the warrant, people by WillSeattle · · Score: 3, Insightful

    He didn't crack any encryption, he merely showed a real world implementation of someone else's work using cheap hardware ...

    Oh, like that will stop them from tossing him in the jail when they bust into his house.

    Not.

    --
    --- Will in Seattle - What are you doing to fight the War?
  101. Re:might be a good thing by Lazarus+Short · · Score: 2
    obNitpick:

    It's spelled "Sklyarov."

    --
    The most valuable commodity I know of is information. - Michael Douglas as Gordon Gekko, Wall Street
  102. Summer Intern by Tazzy531 · · Score: 3, Funny

    Note: He was a summer intern at ATT.

    So..what did you do last summer.
    Hacked WEP and got arrested by the FBI all in one week.
    Impressive..but I don't think that is Microsoft-material...

    --


    _______________________________
    "I'm not Conceited...I'm just a realist..."
  103. Re:different encryptions by Freeptop · · Score: 2, Insightful

    > i'm not very well versed in encryption schemes,
    > but why is it that the encryption schemes in
    > DeCSS, Adobe PDF, and now 802.11 are so 'easily'
    > broken, as opposed to 3DES or RSA that are
    > being used in SSH & SSL? why aren't these
    > algorithms being applied in 802.11?

    A very simple reason underlies all of this: cost.
    You see, your PC has a whole lot more horsepower than a PC card, both in terms of CPU and in terms of memory. It can easily afford the memory space and CPU cycles to perform beefier algorithms. PC cards, on the other hand, are much more limited, due to the fact that in order to make any profit, they have to be made for as little money as possible (believe it or not, pretty much all 802.11 radios are sold with exceedingly low profit margins. You'll notice the cheaper ones have lesser or no WEP capabilities, for instance). A few things sacrificed to cost: CPU speed, FLASH space, and RAM size. This is an environment where 80MHz is a high-powered CPU, and 1MB is a lot of storage capacity/memory space. WEP encryption is only one of many, many other options that have to fit in there. Now, one option is to put the encryption into its own hardware. That frees up CPU cycles, plus some RAM space and FLASH (though not all by a long shot). However, hardware encryption adds to the cost of the PC card. In other words, it's real hard to win in these situations. This is why all manufacturers of WiFi radios recommend using VPN over a wireless connection, and not relying on WEP. WEP is there to help (it'll at least stop the random script kiddie from setting their card to associate to "ANY", walking through your parking lot and hopping on your LAN), but it was never meant to be the end-all-be-all of security for wireless connections.
    That being said, IEEE is working on further security standards that require a lot more pieces (e.g. authentication servers, etc), but those standards are not yet finalized, and even when they are, the radios, access points, and servers will all cost extra.

    It all boils down to this: to get a more adequate security system implemented costs more money, and most people don't want to spend more money on 802.11 equipment. (At least, that's been my personal observation, based on conversations with friends and customers of 802.11 equipment).

    -Freeptop

  104. CmdrTaco arrested by FBI by mblase · · Score: 2

    AUGUST 9, 2001 -- Apple Computer, Inc., immediately ordered the FBI to arrest Slashdot's site administrator, affectionately known as CmdrTaco, for illegally publishing information on how to break the encryption on their not-so-popular "Airport" wireless networking standard. He is currently in custody, pending a trial sometime in 2005.

    In response, thousands of "Slashdotters" immediately raised a protest, sending hundreds of electronic petitions to FBI headquarters and generally making a pointless nuisance of themselves. It is not known whether the DOS attack on the FBI Web site is related to the incident, but investigations are underway.

    1. Re:CmdrTaco arrested by FBI by analog_line · · Score: 1

      "Airport" isn't a standard. It wasn't even developed by Apple. They license the technology in Airport from Compaq. Oh, how droll. Ha ha. 'Tis to laugh. If you're gonna make a joke, at least make it funny.

    2. Re:CmdrTaco arrested by FBI by Midnight+Thunder · · Score: 1

      Actually the card in the airport is your standard wireless card sold by Lucent. The only difference is that Lucent charges about twice as much, when selling to end-users.

      --
      Jumpstart the tartan drive.
    3. Re:CmdrTaco arrested by FBI by Phork · · Score: 2, Insightful

      just so you know, airport uses 802.11, which is a fairly popular standard for wireless networks.

      --
      -- free as in swatantryam - not soujanyam.
    4. Re:CmdrTaco arrested by FBI by Graymalkin · · Score: 1

      Well since the Lucent branded cards have an antenna built into them whereas the Apple branded cards don't because the antenna is in the computer's chassis, I can see where some of the extra cost comes from.

      --
      I'm a loner Dottie, a Rebel.
  105. Re:Wasn't this on Slashdot earlier? by catscan2000 · · Score: 1

    Look in these two places:
    http://www.tml.hut.fi/Tutkimus/IPSEC/
    http://www.cs.hut.fi/~mweissen/secot/alpha.html

  106. Re:different encryptions by Anonymous Coward · · Score: 1, Insightful

    Well, here's my interpretation:

    3DES and RSA are two-way communication methods. Every transaction or file encryption using these methods involves a cryptographic lock that only one key can open. The security is based firmly on math, and on the fact that creating the decrypted version given the encrypted version and the key is very mathematically easy, but creating the key given the encrypted and decrypted versions is just about impossible. And just because you have one key and one lock doesn't mean that your key can be used to open anyone else's lock. The math is strong, the math is solid, and the goal-- encrypt something in such a way that it can only be decrypted if you stumble across the right key by accident-- is completely feasible.

    CSS and such, however, are inherently weak because they try to do something silly. Instead of some solid, possible thing-- let's scramble this secret document such that only a specific person with a specific key can open it-- they basically try to limit the circumstances under which a person can do a certain thing. They want to sell you a DVD, and sell you a DVD player, and ensure the only way that you can get the information off of a DVD you have bought is to buy a licensed DVD player.

    This is silly. Your enemy is not some third party who is not involved in the transaction; your enemy is *your customer*. The person you are trying to keep from decrypting the movie in an unauthorized fashion-- *your customer*-- is the *exact* person you have also given a key (a dvd drive) to. The key to the encrypted transaction is available in stores all across america, and all that has to happen is that *one* person can take apart the key and figure out how it works, and they can make keys of their own. You are giving your enemy not only the encrypted message, but a *key* to that encrypted message, and then trusting that somehow, they will not find a way to make copies of that key and give it to their friends.

    To be honest, the only explanation i can come up with for believing something such as CSS or ebook "copy protection" would work is if the believer in question is either unbelievably, unbelievably stupid or hideously misinformed. It just doesn't make sense; you're going to give someone a computer program or device that can decrypt this movie, but expect that they won't be able to take apart the computer program or device and figure out exactly how it works? Only a complete moron would assume that. In the case of computer programs, especially; if you are going to give my computer instructions for decrypting CSS, you have given *me* instructions for CSS. All it takes is time, and i will have disassembled your program and written my own, even if your instructions are written in machine code.

    In short: you cannot have any real encryption in which people who you are trying to keep out of the transaction are being given keys!! DeCSS was not encryption or even a workable form of copy prevention at ALL, but simply extremely complicated security through obscurity. That is why it was cracked easily. Moreover, even if it HADN'T been cracked, all it would have taken is leaked design documents or source code from ONE of many DVD licensees, and we would all know how it worked anyway. You *cannot* have real security if *this many people* have keys, all keys are being sold in Best Buy for $200, and all keys are roughly interchangeable! For it to be workable encryption, THE KEY HAS TO BE MATHEMATICAL, NOT PROCEDURAL, and ONLY THOSE PEOPLE YOU WANT TO BE ABLE TO DECRYPT THE MESSAGE AT WILL SHOULD HAVE A COPY OF THE KEY.

    As to why the encryption in 802.11 is broken, i believe the answer is because its encryption method is weak and old. They *could* have used the same methods SSh uses; instead, they used a low-bit-count version of RC4. As to why they used the weak, old thing instead of something like 3DES, i haven't the foggiest idea. I would suspect it has something to do with export regulations, or perhaps that they assumed that the lowly "consumer" didn't need strong encryption, so they could use toy encryption and nobody would mind. Either that, or they purposefully meant it to get hacked so that they could sell you a more-expensive "strong" version at a later date.

  107. Poor kid... by jcronen · · Score: 1
    This guy's gonna be in jail if this gets too far.

    Shhh! No one tell the FBI! And ESPECIALLY not Adobe.

    1. Re:Poor kid... by Anonymous Coward · · Score: 0

      Appreciative of eroding confidence in their companies' products? I'm sure they're ecstatic.

    2. Re:Poor kid... by Anonymous Coward · · Score: 0
      TOO LATE, YOU'RE BUSTED

      The FEDs will be at your door in 1 hour. Please let them in and assist them.....

    3. Re:Poor kid... by pmcneill · · Score: 2, Informative

      Actually, he'll probably go to jail for breaking SDMI first -- he was part of Prof. Felton's team too. Smart guy.

  108. Re:Good design principles/the test of time. by Sangui5 · · Score: 1

    The reason CSS is fundamentally flawed is not that they didn't test it, but that the concept itself is flawed. You cannot give someone a hunk of data, and a way to decode that data, and think they will be unable to come up with another way of decoding the data than the way you made.

    Yes, the concept behind CSS is flawed. Given that I have physical access to the hardware, and total control over the runtime environment of any software implementations, it is impossible for a perfect lockdown. Hardware is much harder to figure out, but there are no foolproof ways of making reverse engineering impossible (although some methods are damn good).

    However, the CSS algorithm itself was flawed, as well as the design of the system itself. Even if Xing's key was kept secret, flaws in the algorithm itself meant that it was only a matter of time before CSS was cracked wide open. I believe that the effective key length of CSS is only about 20 bits (or was it 40?), even though the actual key length is much longer. That's a fairly flawed algorithm, and makes a brute force attack child's play. With a system that bad, you are basing your security on having a secret algorithm. But one of the key principles of crypto is that you should assume that your enemy has access to everything except your key. They know your algorithms, they have large quantities of chosen plaintext, and they have lots and lots of resources at their disposal. CSS's security was based on having a secret key, but design flaws made that ineffective, leaving only the secret nature of the algorithm.

    But yes, the attack that was first done on CSS was made much easier by very poor security in Xing. Regardless, even without an easily reverse engineered software imp of CSS, it would have fallen eventually. The Japanese cipher PURPLE was broken during WWII. The people who broke it never received even a vague description of the official PURPLE cipher machine. To this day nobody really knows how PURPLE worked (all of the machines were destroyed before being captured). But despite having a hidden algorithm, it was cracked.

    So, yes, handing people a software player is a surefire way to get cracked. But CSS's flaws run much deeper than that.

  109. Re:A week is too late by Hulboy · · Score: 1

    Actually, according to the article, the week that it took incorporated writing the software, ordering and installing the hardware, testing and setting everything up. The actual exploit took around a few hours as I recall, and my understanding was that the time it took to crack was at least partially based on the amount of traffic. This may mean that a very busy network could be cracked even quicker?

  110. Rice University by Anonymous Coward · · Score: 0

    Cube root, square root, BTU Compass, slide rule, Go Rice U!

  111. In fact the DMCA probably does apply. by bill_mcgonigle · · Score: 1

    According to the Berne Convention, to which the US is signatory, just about anything a citizen creates is protected by copyright law. Now, in reality, only a registered copyright is easily enforceable, but that's a different argument.

    So what data do you send around that isn't copyrighted? Only stuff you specifically put in the public domain, and network control data. Now, control data in any other protocol or archive format doesn't preclude the copyrighted data from being protected. Checksums on a DVD, for instance. And how much stuff that you send over a wireless net you have specifically put in the public domain? I'd say almost none of it. So, the vast majority of stuff being sent around on a wireless network is, in fact, copyrighted by you or someone else.

    Now, why are you encrypting network traffic? So other people can't make a copy of it. Intercepting and recording is making a copy. So, you have a situation where you're using an encryption device to prevent the unwanted copying of copyrighted material. And this security research demonstrates how to circumvent that encryption. All you have to do is code it to get the dreaded 'circumvention device'.

    If I can make that argument being a proponent of full-disclosure security you can bet your ass a MegaCorp lawyer can too. Adam's work is illegal, per se, because of the DMCA. Publishing security research is illegal because of the DMCA. If the DeCSS source code is illegal, a white paper or security research article is going to be given the same treatment - both are instructions on how to build a circumvention device (one to a compiler, one to a person).

    Don't get me wrong, this is abhorrent to freedom-loving Americans, but there's no use denying its illegality just because it shouldn't be.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:In fact the DMCA probably does apply. by Anonymous Coward · · Score: 0

      > And how much stuff that you send over a wireless net you have specifically put in the public domain? I'd say almost none of it.

      bleh. If your radio waves hit me in my house, I'm gonna listen.

  112. Re:Why isn't crypto module flash upgradable? by Tackhead · · Score: 2
    > There's no reason it has to be OTA programmable; requiring that the user physically possess the device should be a reasonable level of security.

    Leaving aside the key management problem - which is the real technical/cost issue - the problem with implementing "wired" flashability, even if key management wasn't a problem, in a "non-wired" device is gonna be marketing.

    Marketing, as in "We don't think it's a big enough selling point to justify the $5.00 worth of parts to put a USB/serial port in it, and the $50K upfront cost of writing and QA-ing a flash-updater for it."

    (Yes, that's Marketese for "Fuck security, if it's insecure because the protocol's weak, and not because of our negligence, the user won't blame us and will simply buy another one when the protocol is cr4cked! We save $5.00 per unit today, and probably get another sale next year when they replace it!")

  113. Re:Uh oh ... by T1girl · · Score: 1

    All right, all together now, in case there's someone on the planet who hasn't heard this:

    Preacher Ben despite adversity
    Saved a Southern university
    His nephew said, "Now ain't that nice,
    Uncle Ben's converted Rice."

  114. Re:Wasn't this on Slashdot earlier? by Anonymous Coward · · Score: 0

    Plain Text, sounds good to me ;)

  115. Re:Wasn't this on Slashdot earlier? by Anonymous Coward · · Score: 0

    IPSec addons for MacOS? How? Where?

  116. Re:Good design principles/the test of time. by DavidTC · · Score: 1
    The reason CSS is fundamentally flawed is not that they didn't test it, but that the concept itself is flawed. You cannot give someone a hunk of data, and a way to decode that data, and think they will be unable to come up with another way of decoding the data than the way you made.

    The only possible way to do something like that is to seal your decoder inside a self destructing box, making people unable to reverse engineer it. Once people can poke around the decoder, you're completely screwed.

    Of course, this isn't to say that a sealed decoder is foolproof, people could still brute force any single player key and, tada, you're screwed, but handing people software players is simply impossible to make work. Even if MS somehow came up with a 100% unbreakable way of making certain programs not reverse-engineerable, it is a fundamental law that computers are Turing complete, and *any* computer can emulate any other.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  117. Re:might be a good thing by Karmageddon · · Score: 1
    Is that like the backwards R in Toys-R-Us? (toys-yah-russ?)

    ha ha, that's especially funny because "rus" means "Russia" in Russian.

    as another bit of trivia, no, it's not really the same: the Russian "ya" has a little curl-up at the bottom of the slanty leg.

  118. Re:different encryptions by ChadN · · Score: 2

    Actually, it isn't the fee; I believe that the computational cost of doing RSA or DSA schemes (but NOT DES, for which there should be fast cheap hardware), is deemed too high for hardware units that are meant to be consumer level and mass produced. Or it might also have been because of US export policy in the past which may have limited allowable key lengths. In any case, it almost surely came down to costs of production (and testing), not licensing, etc.

    But, I'm just making a semi-informed guess...

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  119. Why put crypto in the NIC at all? by Wesley+Felter · · Score: 4, Insightful

    Doing RC4 or AES at 11 Mbps in software is no problem.

    1. Re:Why put crypto in the NIC at all? by Anonymous Coward · · Score: 0
      I disagree... always go with hardware solutions if you have the options, the overhead would induce too much latency.

      See winmodems. winprinters. God help us we'll see the Winnic before long.

    2. Re:Why put crypto in the NIC at all? by Wesley+Felter · · Score: 2

      That doesn't seem right; the other day I did a file transfer at 4.8 Mbps over an Aironet card with 128-bit WEP enabled.

  120. Don't bother with encryption by SilentChris · · Score: 2
    I personally don't bother with encryption on my wireless 802.11b home network. The reason is the following: there's no way to physically secure the transmissions, so why bother? There's too much of a chance that anyone from within a 300 feet radius can not only listen in, but constantly monitor my connections without my ever knowing it.

    In our IT department, for example, all connections from the internet go through one firewall box. But that's the only port between the inside and outside world. One box. We even put the mail server outside of the firewall, get it to filter the email, then push the email through to an exchange server.

    And once again, I've got to argue, what can you possibly have on a home network that needs to be encrypted? I have no secrets to hide, and would seriously consider never using any kind of protection (except for a software firewall, so my machine isn't "borrowed" for a DoS attack).

    1. Re:Don't bother with encryption by dslbrian · · Score: 1

      And once again, I've got to argue, what can you possibly have on a home network that needs to be encrypted?

      Hmm, well now, letsee ... that big 'ol database of credit card numbers I downloaded a week ago, that DeCSS source code, a bunch of PIN numbers for something or other, transcripts of all my conversations with the mob, some schematics for a nuclear defense system, my list of the top 10 items on the NSA's double-secret probation list ... pretty much all the usual stuff people have on their computers

    2. Re:Don't bother with encryption by wadetemp · · Score: 1

      What are you talking about? Don't the banking sites you use do SSL? Sending this kind of information over a watched wireless connection is not analogous to posting your card # for the world to see... not any more than it was when you passed it over a wire. Now, handing your credit card to a waiter on the other hand...

    3. Re:Don't bother with encryption by SilentChris · · Score: 2
      I never store my credit card number on my computer. I only briefly use it in SSL transactions.

      Besides, who uses GnuCash? :)

    4. Re:Don't bother with encryption by SilentChris · · Score: 1, Offtopic
      I love comments like this AC's.

      "Make the world free for information. Napster rules! Information should be passed freely from person to person! Except on my computer, where I watch my information like a hawk and no one, not even you, is allowed to see it."

      Double standard, anyone? :) Steven Levy's "Hackers": the original hacker system had no passwords. I invite everyone to read it.

    5. Re:Don't bother with encryption by Sloppy · · Score: 2

      And once again, I've got to argue, what can you possibly have on a home network that needs to be encrypted?

      Absolutely everything, whether the actual content is sensitive or not.

      Do you use postcards for all your snailmail? Or have you been using envelopes? If you use envelopes, then what the hell kind of sinister criminal conspiratorial plans are you hiding?

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  121. Re:Why isn't crypto module flash upgradable? by Anonymous Coward · · Score: 0

    It is, but you have to use software to completely replace the wireless driver completely. There is a guy at cornell cs that wrote this recently and put it under GPL, I believe. If people are interested I can try to get the dood's email.

  122. Re:Your Rights Online ?? by emn-slashdot · · Score: 1

    wow, you really just don't get it do you?
    The reason we break these encryption schemes is *BECAUSE* "government tries to snoop on unencrypted, unprotected data..."

    It is because we improve on things that are broken. Ignoring a problem doesn't make it go away. My "APPLAUD" goes to this guy.

    -EvilMonkeyNinja

    --
    -EvilMonkeyNinja
    Mild Mannered Host by Day
    Wild Hammered Programmer by Night
  123. Arrested? by HaeMaker · · Score: 0, Offtopic

    Has he been arrested yet? I am sure some people are sending copyrighted material via 802.11...

  124. PDF by Sangui5 · · Score: 2, Informative

    Some PDF encryption is strong, some is weak. What was attacked by Dmitry was the plugin protocol, which is weak. Adobe itself isn't really in the market of encryption, but in a protocol that allows restriction of usage in certain ways. Many vendors provide plugins that use the protocol, and many of their plugins have cryptographic weaknesses. The plugins themselves are moot, however, as the protocol blows.

  125. One solution by walt-sjc · · Score: 1
    We found a way to make these damn things somewhat secure...

    • Use the (cough) security features of 802.11. This keeps out the casuals.
    • Don't put the base station right on your network, plug it into a port on your firewall.
    • Program the firewall to only allow VPN connections through that port.
    This basically means that you HAVE to use VPN software to do anything on your network. Note that this does NOT stop anyone from browsing your open shares on your laptop, but anyone with that kind of insecure setup is asking for it anyway.
  126. Re:different encryptions by Tassach · · Score: 2

    The strongest encryption algorithm in the world will not protect you if you don't use it correctly. Any cryptosystem is only as strong as the weakest link, and in most modern cryptosystems the weakest link is key management. If you choose a predictable key, or fail to keep the key secure, it doesn't matter what algorithm you use.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  127. News... by Anonymous Coward · · Score: 0
    "A Rice University student cracks 802.11x encryption"

    How about:

    "A Rice University student breaks something that is already broken" ?

  128. Re:Call the FBI by clare-ents · · Score: 2

    "
    Not a circumvention device, the primary purpose of WEP is not copy protection.
    "

    It's not to stop people outside your network copying data from inside your network then?

    What is it used for then?

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  129. Re:different encryptions by zook · · Score: 1
    I'm not sure of all of the reasons in these applications, but it is true that encryption costs cycles, and most processors don't handle them very well.

    RSA is very slow, for sure, which is due to the fact that they have to do a lot of arithmetic with very large numbers (1000s of bits each).

    Even one-key cyphers, which don't usually make use of the large integer math, are slow on modern processors, however. The big reason for this is that encryption inherently "breaks" pipelined and superscalar architectures, since in a good encryption scheme instructions do interact with those that directly preceded them.

    This is one reason why most commercial web sites are not encrypted, less a few "critical" pages, and why you can actually buy "SSL Accelerators" which take the SSL overhead off of the server.

  130. It's 802.1x not 802.11x by Zoinks · · Score: 1
    I believe you are talking about 802.1x, not 802.11x. The current work within 802.11 related to security is going on in Task Group I, or 802.11i. They do specify an enhanced security mode that uses .1x for authentication and blocking access, just as you say.

    802.11i also specifies AES as the encryption algorithm to replace RC4, as well as many other improvements over WEP.

  131. Montreal newspaper also exposed weaknesses ... by Stavr0 · · Score: 2
    http://www.cyberpresse.ca/reseau/internet/xp/mul_p1073560.html

    The article is in French, the title could be translated as "Piracy, wireless and cabriolet version". In short, the reporter and a security expert drove downtown Montreal with a 802.11b equipped laptop running NetStumbler and were able to sniff out packets from four office towers.

  132. Corroborating Evidence - kinda by _Sprocket_ · · Score: 2
    Care to back this claim up with any proof.
    I'm kinda curious if this guy worked for the same company I worked for. I saw the same thing.

    Marketing began pushing wireless access points out in to the corporate business units (heavy discounts for the equipment). They began showing up on internal networks and home networks (that are, via ADSL and ISDN, connected to the internal LAN).

    It was a nightmare.

    Suddenly our internal network - a network we don't allow access to from the lobby, cafeteria, or other more-or-less external points - became accessible to anyone hanging out in the parking lot with a laptop (or PDA) and a wireless network card.

    A lot of backpedaling had to be done. And thus began the new game of whack-a-rogue-access-point-mole.

    Would I go in to detail about the company and specific internal policies? No. That wouldn't be right. But it was a big company with a big problem. Wireless.

    1. Re:Corroborating Evidence - kinda by gss · · Score: 1

      Well that's kind of my point, it wasn't so much the technology that was the problem it was the roll-out of the technology that caused the problem. You're right about giving details of the company, I shouldn't have asked about that.

  133. Re:Perfect example of why the DMCA is flawed... by aozilla · · Score: 2, Insightful

    Punching a hole in a standard is not illegal. Telling other people that you have punched a hole in a standard is not illegal. Demonstrating that you have punched a hole in a standard is not illegal. Telling others about how you punched that hole in a standard isn't illegal. Distributing the product that punches the hole in a manner reasonably calculated to advance the state of knowledge or development of encryption technology when engaged in a legitimate course of study and then providing the copyright owner with notice of the findings and documentation of the research is not illegal. Distributing the hack for noncommercial purposes is not criminally illegal.

    Dmitry was allegedly selling a product designed primarily to commit illegal acts. That's why he was arrested, not because he demonstrated a security hole. He found it, then he tried to profit off of it by distributing it to people who paid him. Allegedly.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  134. Re:different encryptions by Anonymous Coward · · Score: 0
    DeCSS was cracked because Xing forgot to swizzle their key in the binary,

    CSS was cracked, the program that cracks it is called DeCSS, mmkay?

  135. Hey, look on the bright side ... by Introspective · · Score: 4, Interesting

    802.11x hardware is gonna be real cheap now. If you're in the situation where you're not worried about people snooping your traffic then this could soon become a real cheap network solution - particularly with all of these paranoid companies throwing their 802.11x cards out in the rubbish.

  136. Re:different encryptions by eggboard · · Score: 1

    The big problem here is man-in-the-middle attacks, right? So you have to be sure that when you exchange random keys, there's no way for someone else to insert themselves in the transaction.

    --
    Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
  137. A week is too late by cygnus · · Score: 5, Insightful
    as far as i know (and this comes from talking to Microsoft engineers about 802.11x implementations for an article) the whole point of 802.11x isn't to secure content, it's to secure access.

    the standard wasn't engineered to protect passwords from eventual decryption, etc. instead, it's a way that a network access point can enforce a security policy so that no traffic can get through on the lowest network layers until a client has sufficiently authenticated to the access point. so a wireless hub (or even a wired hub) can say "hey, identify yourself!" and the client can say "hey, this is me!" and the hub will go to an authentication server (in Microsoft's case, they say a RADIUS server) and say "hey, is this (so and so)?" and if the authentication server says yes, then the hub will let the client's traffic through.

    coupled with that is a protocol where access points can enforce a policy where clients must refresh their encryption keys on an hourly basis. so a network intruder must be able to crack these keys on an hourly basis to gain access to the network. a week is a joke... these 802.11x access points will be through several iterations of keys by the time one is cracked.

    (interestingly enough, the protocol also includes provisions for someone who is wandering between wireless access points where one hub can vouch for the user and cause the newer hub to forward their traffic until authentication by the server is achieved, allowing for roaming without the 3 or so second delay that would be necessary for all of this to happen).

    the point of all this is that it's not there to secure your cleartext POP password.. 802.11x is there because access points (be they wireless or ethernet or whatever) are becoming more prevalent in our society in public, physically insecure places, so a protocol has to be developed so that network admins can be sure that the right people are using it.

    the protocol even allows (given 802.11x aware hardware) that user levels be granted based on the authentication server, so a guest might be allowed restricted gateway access to the Internet but their traffic may be physically restricted from reaching the LAN fileserver, whereas the admin is given the red carpet.

    pretty sweet, from an admin perspective.

    --
    Just raise the taxes on crack.
    1. Re:A week is too late by laertes · · Score: 1
      I've seen an implementation of this attack which can get the key in less than a second. Granted, a sufficient amount of traffic must have been gathered for this attack to work, but it's a very low amount--on the order of a few minutes worth.

      Sounds like microsoft man is misinforming you.

      --

      Yes, I'm still a junky. Are you still a bitch?
  138. Re:different encryptions by Anonymous Coward · · Score: 0

    Because they need lots of computer power. To fit into a small card with a poor DSP, we need other types of algorithms.

  139. actions to take by frknfrk · · Score: 5, Informative
    From the article:
    Given this attack, we believe that 802.11 networks should be viewed as insecure. We recommend the following for people using such wireless networks.
    • Assume that the link layer offers no security.
    • Use higher-level security mechanisms such as IPsec [3] and SSH [8] for security, instead of relying on WEP.
    • Treat all systems that are connected via 802.11 as external. Place all access points outside the firewall.
    • Assume that anyone within physical range can communicate on the network as a valid user. Keep in mind that an adversary may utilize a sophisticated antenna with much longer range than found on a typical 802.11 PC card.
    Until this gets a patch, I'm putting my own home access point outside the firewall and not advising people to buy 802.11 hardware (which I had been doing, because I like listening to streaming MP3s by the pool). More than likely, some firmware updates can take care of this stupid RSA 4 IV problem?
    --
    The REAL sam_at_caveman_dot_org is user ID 13833.
    1. Re:actions to take by Sir+Spank-o-tron · · Score: 1

      Uhh, yeah.

      It could be a while before there is a firmware patch for your AirPort. Changing the WEP standard and all that stuff. There might be some chicken and egg problems changing the communication protocol.. You'd need one device speaking the old proto, and one the new.

      Besides, you can still stream mp3s to your poolside...

      --
      -- Spankmeister General
  140. You probably already could by mblase · · Score: 2
    Some time ago (I'm too lazy right now to look up the link), Slashdot published a story about how surprisingly few wireless LANs in the San Francisco area were being secured at all. Interested parties could simply walk out into the downtown area, turn on their laptops, scan for available wireless networks, and surf away.

    Much like Microsoft's security patches for IIS, wireless networking was and is only as secure as the sysadmin implementing it makes it.

    1. Re:You probably already could by Anonymous Coward · · Score: 0

      This is like the ultra secure door locks on Mercedes cars that can be unlocked by anyone with a laptop and an IR port... just because it's fancy new technology it doesn't mean that it's good.

  141. What were you expecting? by Anonymous Coward · · Score: 0

    Really, is this any surprise at all? Did they REALLY think that when they embedded that "WEP" thing into all the wireless devices that there wouldn't eventually be a hack? Seems to me the network layer is not a smart place to put this stuff.

    What do we do now? Does this mean that Apple Computer and the other people are going to have to get together and, y'know, come up with a real, widely and easily implemented FreeSWAN-like point-to-point-encryption thingy that would allow you to wrap a strong version of SSH or whatever around everything that your ibook says to your airport base station?

    Or is even that hopeless? Can we really think that we'll ever find a way to have two computers carry an extended digital conversation in an environment where any random bypasser can read *all* their signal, and hope that the bypasser won't eventually be able to break the encryption no matter how long they stand there recording your radio emissions from just outside your house?

    If it is at all possible, then what this Rice University kid has done is a VERY GOOD thing, because he's forcing the corporations to be pushed toward a point where they finally get around to giving us REAL options for tunneling everything through ssh :) Maybe now they won't be able to get around with this tossed off 40-bit encryption crap... WEP indeed.

    Kuro5hin's treatment of this subject was much clearer than slashdot's, btw. :)

  142. Re:Oh no ... by Craig+Davison · · Score: 1

    Once you read all the man pages? I think you just highlighted the problem. The easiest (and more likely to be widely accepted) way to prevent sniffing is to use low-layer protocol-invisible encryption. People won't accept a mix of confusing settings and protocols.

    Besides, 90% of your web browsing is clear text. I wouldn't want anyone knowing what I read or post on the web. Or are you going to tunnel _everything_ through a wired box somewhere?

  143. Re:Second in a row? by referee · · Score: 2, Interesting

    Wired Equivalent Privacy (WEP) isn't. The protocol's problems are a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.

    What a great summation!

  144. Re:damnit by technos · · Score: 3, Interesting

    The stream has original material, no? For example, this post, travelling over a WEP encrypted connection, which I assume will keep others from reading what I am typing, is protected under the DMCA.

    You are forcibly removing the copyright protection (the encryption wrapper) and pirating my intellectual property. You have not paid me to view it, I have not granted you a license, you are a pirate.

    Scary, isn't it??

    --
    .sig: Now legally binding!
  145. Re:moderation abuse! by Anonymous Coward · · Score: 0

    someone oughta be bitchslapped in metamod eh?

  146. Re:Call the FBI by GrenDel+Fuego · · Score: 2

    Are car vendors brought up on charges when someone is caught drunk driving in one of their cars?

  147. Re:A better headline for /. by inkydoo · · Score: 1

    While WEP being crap is not really breaking news, the Reuters story is not referring to the same thing as the eetimes story slashdot is talking about.

    If you'd bothered to look at the paper you'd have seen that it was released three days after the Reuters story you pointed to.

  148. This ain't new people by analog_line · · Score: 4, Redundant
    The company I used to work for makes 802.11 hardware. A couple-three months ago they sent out an e-mail saying that every 802.11 wireless network deployed in the company, including home-LANs that people use to access remotely were to be taken offline indefinitely.

    That pretty much convinced me it was junk. I'll stick to copper for anything I particularly care about, thanks.

    1. Re:This ain't new people by vs · · Score: 1

      They shouldn't have bet all their money on a single horse (WEP). IPSEC, L2TP & PPTP come to mind...

      And you have been using ssh & imaps, have you?

      Now off you go and put "Secrets and Lies" beneath your pillow.

    2. Re:This ain't new people by analog_line · · Score: 1
      Actually, Applied Cryptography is beneath my pillow lately.

      PPTP? Don't make me laugh. At least cleartext doesn't insult the intelligence of a would-be attacker.

      Across-the-Internet connections were and are IPSec encrypted. However, when I pull down confidential documents onto a "home wireless LAN" there's more than a little likelihood that anyone who is either sniffing my wireless LAN will see it as I quickly pull it from my main box to my laptop while I'm on the can or outside lounging or watching TV and doing work. Preventative security isn't just about putting encryption everywhere. Realizing and minimizing the risk inherent in the fact that your employees are human beings and don't follow all the rules to the letter is just as important.

      And if you bother to try and make every single connection that occurs inside your home wireless LAN IPSec 3DES encrypted, how the hell do you ever get anything done?

    3. Re:This ain't new people by Sacka · · Score: 2, Insightful

      Yes this is new, because now it's no longer theoretical. It has been known for some time that WEP has problems. This attack was based on another paper that outlined WEP's weaknesses. What's new is that these guys went ahead and actually did it, in under a week, including locating the necessary hardware. They've gone beyond discussion, and demonstrated that WEP is fundamentally flawed.

  149. Read the paper people by Auckerman · · Score: 2

    He didn't crack any encryption, he merely showed a real world implementation of someone else's work using cheap hardware ($100 linksys wireless card based off the Intersil Prism II chipset). They used this card because much of the card is done in software and it had a Linux driver that could grab raw WEP encrypted packets.

    --

    Burn Hollywood Burn
  150. Uh oh ... by tbone1 · · Score: 0, Offtopic

    Let the 'rice' jokes begin. All hands to the puns!

    --

    The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
  151. Surprise, surprise... by srvivn21 · · Score: 0, Flamebait
    Has anyone claimed that WEP is secure? I've heard nothing but complaints about its unsecure nature, and now that someone has broken the "protection" is it really news?

    My congratulations to Adam (Stubblefield. The guy who "earned the distinction of being the first to implement a devastating new attack...") on "all" his "hard" work. ;o) I sure couldn't have done it.

  152. Re:different encryptions by Anonymous Coward · · Score: 0
    There are two different problems here: when you encrypt something when the decrypting device is in the hands of the user, the encryption is always breakable from a mathematical point of view - physically you might be able to prevent tampering with the device. That is the case in PDF, DeCSS, etc. So they are trying an impossible task.

    As for network protocols, as other posters already pointed out, it depends on how much CPU power/network bandwidth you are willing to give up for the encryption. Skimp a bit, and in 2 years it'll be cracked.

  153. Your Rights Online ?? by Anonymous Coward · · Score: 0

    I don't get it --
    we're supposed to be up in arms whenever the government tries to snoop on unencrypted, unprotected data...
    but here some young punk is actively breaking strong encryption, rendering the notion of digital privacy obsolete, and we're supposed to APPLAUD? Get real!!

    1. Re:Your Rights Online ?? by Anonymous Coward · · Score: 0

      No -- he is proving that it is weak and the government can snoop on our data.

  154. Re:No, the DMCA does not apply here. by 3247 · · Score: 1

    You might have missed the headline:

    Sec. 1201. Circumvention of copyright protection systems

    --
    Claus
  155. From a news article in next week's paper: by MAXOMENOS · · Score: 2
    "Look, they picked a wireless LAN card specifically because the Linux drivers could pick out raw packets! That MUST prove that open source is nothing but a criminal conspiracy!"

    Subsequently, the three researchers, the authors of linux-wlan-ng prism2, Tim Newsham (who wrote the diabolical WEP_password_cracker.ppt), and anyone who ever hosted a download site for tcpdump, were thrown in jail by the ever-vigilant FBI. Such is the punishment for those who would dare challenge our corporate economy's secrets. America is saved again from the evils of Open Source Communism!

    Quoth Special Agent Luser: "I fucking hate geeks and I'm going to beat the crap out of every single one of them until they give me their lunch money." Go get 'em Agent Luser!

  156. Put him in jail like that Russian Adobe dude! by Anonymous Coward · · Score: 1

    What's the difference between the two activities? Nothing. One was sanctioned by AT&T and one was done independently. They both accomplished the same goal - prove an encryption scheme did not offer much security.

  157. Re:Oh no ... by eggboard · · Score: 2, Interesting

    The point isn't people reading your email. The point is that POP passwords and simple HTTP based authentication not via SSL are sent in the clear. If someone can sniff your network, grab your password, and crack your network merely by extracting a WEP key, then we're all doomed. Of course, sensible folk are using SSH tunneling (I'm about to get this set up, once I read all the man pages) or SSL-based email (Eudora and MS Outlook both support it, as does sendmail and Exchange), and SSH terminal software and so forth. (The related story isn't that WEP was cracked, but rather that thousands of open, free and for-fee 802.11b networks are being deployed, and those don't even have WEP on them. Sit at Starbucks, transmit your POP password in the clear, and find your mailbox ransacked later, etc., etc.) Anyone could read my email; how boring. But I'd rather that everyone not crack my accounts.

    --
    Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
  158. Watch out! by X-ploited-rH · · Score: 2, Funny

    i heard he wirelessly decrypted a pdf, get him adobe!!!

    1. Re:Watch out! by jrockway · · Score: 1

      Heh. Just the other day I was trying to read a pdf (for encoding AC-3 ;) in xpdf, when it gave me some garbage about how it's illegal for it to decrypt PDF's! What the hell is the point of encrypting public PDF's? And what's wrong with breaking the encryption?

      --
      My other car is first.
  159. asian dolls by Anonymous Coward · · Score: 0

    speaking of crack

  160. Good design principles/the test of time. by Sangui5 · · Score: 5, Interesting

    First, let's go over why 3DES and RSA haven't been cracked. DES was developed by IBM, for use as a commercial product. The original design was developed by a pretty bright guy, who, among other things, had attended a few NSA sponsored talks, and knew about some nifty new things (like S-Boxes). When IBM decided to turn his cipher (Lucifer) into a product, they got worried that if it was broken, they'd be mega-liable. Therefore they busted their asses trying to break it. In the process they (re)discovered many types of attacks, including differential attacks (a type of chosen plaintext attack). Somebody noticed that NIST had asked for ciphers and nobody had a good submission, so IBM submitted Lucifer. BUT they were still worried about it, and spent more time refining it. The NSA didn't want free crypto going loose, and offered to give it their seal of approval if IBM would cooperate fully. IBM didn't want to be liable if Lucifer had a small flaw, so they agreed. The NSA then also joined the groups of people attacking Lucifer, and helped the IBM team avoid differential attacks (which they had already done, but NSA offered refinements). The only bad thing the NSA did was cut the key length. Lucifer was submitted, and became DES.

    Now, the whole point of this is that it took a long time and many many manhours of very bright people attacking the cipher, and coming up with design principles to help avoid the attacks, because IBM DID NOT want to release a cipher without doing its damnedest to guarantee it was secure. They invited outsiders from all over (including the NSA) to attack and comment on it. A lot of work was put into it initially.

    If DES had an easy attack against it, it would have been found, the design principles would have been revised, and hopefully the entire class of attacks would be taken care of.

    RSA was similar. R and S came up with ciphers, and tried to break them. When they thought they had something good, they'd hand it over to A, who would then break it (supposedly he broke the first 31 attempts without any trouble). This is the same cycle IBM did: a team designs it, submits to others who will attack it, they get feedback and refine it. After the original RSA was OK'ed by R S and A, they gave it to colleagues to try and break. Who failed.

    My point is that all successful ciphers have gone through extensive work. Many many ciphers developed in the course of coming up with good ones are scrapped. Only a few are secure. The best ciphers have been analysed by many people for a long time before they even see the light of day.

    CSS was not put through such a process. They developed it, and never submitted it to the glare of public scrutiny. It contains glaring design flaws, that even a small amount of competitive attacking would have found. But it was never submitted to such, and therefore deployed before it was proved secure. The PDF security model (which Dmitry broke) was also not given a public vetting before release. (BTW, Dmitry didn't break crypto, he broke the protocol. However, many of the encryption schemes used in eBooks are proprietary designs that haven't been put to public scrutiny, and are therefore likely weak) I haven't chewed through the details of the 802.11 break, but 802.11, while it has been submitted to public scrutiny, hasn't been there very long.

    It isn't that the codes are bad, but that most codes developed are crap. If you want a good code, take a code, and try as hard as you can to break it. Ask your friends/hire independent consultants to break it. Then, release it to the public to break it. Only then can you have any confidence that it is secure. And at that, if a new code hasn't been around for a while, it's probably crap. Most codes are easily broken. Scrutiny breaks the easily broken ones, leaving the strong ones for wider use.

    1. Re:Good design principles/the test of time. by ethereal · · Score: 1

      Didn't the NSA also alter some of the DES S-boxes in ways that the IBMers didn't understand at the time? Have the NSA's changes ever been fully explained as to what attacks they help avoid?

      --

      Your right to not believe: Americans United for Separation of Church and

    2. Re:Good design principles/the test of time. by crucini · · Score: 2
      I agree with most of your narrative, except:
      And yes, the NSA had no intention of allowing software DES out if they could help it.
      I don't think NSA was trying to prevent anyone from using a software implementation. Rather, they deeply distrusted software implementations of crypto because they are subject to so many hidden compromises. If NIST had endorsed software implementations, banks and other high-profile customers might have adopted them as cheaper and more convenient than hardware. Then there would be a big scandal and loss of credibility when one of them was inevitably compromised, due probably to unforeseen interaction between the program, operating environment and hardware.
    3. Re:Good design principles/the test of time. by Sangui5 · · Score: 1

      Lucifer was being developed for a product, which eventually became DES. IBM didn't set out to create DES, they set out to take this Lucifer thing that they had and turn it into something they could sell. When they realized what they had would blow any other DES submission out of the water, they submitted it. DES is a cipher that sprang from the development of Lucifer.

      I didn't mention it, but one of the conditions (among many) that the NSA gave in exchange for their help was that IBM make it hardware only. I've heard someone say that DES sucks performancewise today because it was meant to be easy to do in 1970's hardware, but difficult to impossible by design to do in the software of the day. The 56-bit key was not a hardware issue, however, and even after much slimming, the pre-NSA view of DES/Lucifer was 128 bit (slimmed down from 256?), with much more elegant S-Boxes and simpler rounds, to be done in hardware for speed reasons. Even just before 56-bit was announced, IBM had done significant hardware design work on a 64-bit version. The small keysize was entirely the NSA's doing. The simplification of the algorithm was a combination of making it doable in HW (for commercial reasons), and better design (security reasons).

      56 bit may have been "strong", but IBM knew at the time that in a few years it wouldn't be good enough. I believe that much of the public commentary submitted to NIST about DES was that the keysize was strangely small. 56 bit was hard to break, but IBM estimated that dedicated hardware could bring the cost of decrypts down to about 10K each, amortized over 1 year. NIST gave ridiculously large estimates on the strength of 56-bit, saying it would take on the order of 200 million to build a machine to crack a handful a week. Only the gullible believed those numbers. The IBM numbers were done without even the benefit of Moore's law, and were therefore also pretty high. 56 bit was sufficient, but not strong.

      But yes, DES isn't strictly Lucifer. Lucifer was the precursor to DES, and DES is the result of highly refining Lucifer. And yes, the NSA had no intention of allowing software DES out if they could help it.

  161. 802.11a smaller, faster, better by Anonymous Coward · · Score: 0
    really what you need to do is skip 802.11b entirely and go straight to 802.11a. Atheros is really rocking in this space, amazing speeds, 54-72 Mbs per second and much more secure. Proxim and TDK will be rolling it out in about a month !

    speaking of security, I HACKED THIS ASIAN PORN SITE, ENJOY!!!

  162. NSA S-Box Mods by Sangui5 · · Score: 2, Interesting

    The NSA didn't explain anything unnecessary to IBM. They also forbid IBM from discussing the reasoning behind IBM's own design changes, or even the design itself. The world has the algorithm, and any idea of why it works is up to ppl to figure out themselves.

    The general feeling is that the NSA did not do anything to purposely weaken DES's basic algorithm. First off, nobody has found any truly effective attacks against DES. Bruteforce, of course, but that isn't basic to the algorithm, and besides, 3DES provides more than adequate protection. DES is also slightly vulnerable to differential (known plaintext) attacks. Differential attacks were (re)discovered by IBM, and they changed DES to prevent against it. The NSA knew about such attacks (and kept the knowledge to itself) for some unknown long time, probably before Lucifer was even somebody's dream. While the NSA did change the S-Boxes, the changes strengthened DES against some differential attacks, rather than weakening it.

    Besides a lack of evidence, it was/is probably beyond the ability of even the NSA to weaken DES and get away with it. Such a weakening would have to masquerade as a strengthening, or else IBM wouldn't accept it, would have to be so subtle that it wouldn't be caught, and still leave DES strong against any other conceivable attack. Making a strong code is hard enough. Making a code that seems strong, that you do not have 100% control over, and leaving one but only one subtle hole in it is probably impossible even today.

    Overall, the NSA probably honestly tried to make the basic algorithm strong. The changes they made to the S-Boxes were probably geared towards differential attacks, which the IBM'ers had only just discovered, and probably didn't understand some subtle point of. They did, however, weaken the key. 56 bits was probably low enough that they could brute force an intercept if they really really needed it, but high enough to lock out everybody else, with the possible exception of the KGB. But of course anything that the KGB would want badly enough to brute force in such a manner probably wouldn't be encrypted with DES, but with a stronger secret cipher. If the S-Boxes were weak, however, and an enemy discovered the NSA's trap door, then the enemy could decrypt everything, and sift through for tidbits later.

  163. Re:802.11a smaller, faster, better by Anonymous Coward · · Score: 0

    802.11a??? a is less than b so that means it's slower. Go away troll. 802.11b is faster than 802.11a.

  164. Re:Second in a row? by DaneelGiskard · · Score: 3, Informative

    And here is a link to their paper and additional information ... it would sure be fun to compare those for "similarities" ... ;)

  165. Re:Why isn't crypto module flash upgradable? by Anonymous Coward · · Score: 0

    Because it would obviously require software driven crypto, which would mean you need a fairly powerful generic PSU, which would eat power, produce more heat and cost more. So they use an ASIC instead, which is much more efficient but less flexible.

    However, most boards do include a firmware which controls some aspects of the crypto, for instance the latest firmware from Lucent includes a Random WEP initialization vector to alleviate the static nature of WEP keys.

    But obviously you can't go changing the whole crypto algorithm though because you hit the barrier of the physical layer.

  166. Re:Call the FBI by Anonymous Coward · · Score: 0

    I just handed my pet monkey my Desert Eagle, with RhinoKiller(TM) bullets. It will be nothing less than interestering to see what happens next.

  167. Additional encryption by Anonymous Coward · · Score: 0

    If encryption was all that important to you, you'd be running a 3DES VPN connection between the mobile user and the server anyways. I've never trusted 802.11b for encryption, only for convenience.

  168. Re:different encryptions by AdamInParadise · · Score: 2

    Nope, RSA is now free for all to use.

    The problem is that these protocols are expensive in CPU time. Sure sometimes the Not-Invented-Here syndrome bites them hard, but usually the problem is that these protocols aren't fast enough. 2 seconds to encrypt an email is ok, but you need to encrypt 5Mb/s here, with just some little chips on your card.

    --
    Nobox: Only simple products.
  169. Latest WaveLAN Firmware randomizes IV by ByTor-2112 · · Score: 3, Informative

    The latest firmware available for your wavelan cards will force them to randomize the initialization vector used in WEP. For those of you that read the paper on breaking it, this is part of what makes it trivial. I would like to see this test run again with the random IV's. I'm sure it doesn't increase the difficulty by too much.

  170. Hire that undergrad as CTO of Pets.com by Anonymous Coward · · Score: 0

    'cause he so smart

  171. Sure it applies... by JasonSkywalker · · Score: 1

    I distribute copyrighted mp3s all the time over my 802.11 connection. Of course, the copyright is held by others.

    --
    I have Unix underpants.
  172. Oh no ... by mz001b · · Score: 4, Funny

    I'm using wireless right now. Good thing I'm not encrypted, or someone would be able to break it and snoop on me to see that I am reading /.

    1. Re:Oh no ... by really? · · Score: 1

      Or are you going to tunnel _everything_ through a wired box somewhere?
      Of course. Doesn't everyone?

      --

      "Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
    2. Re:Oh no ... by Anonymous Coward · · Score: 0

      that 802.11 must be faster than my landline. you got first post!

  173. damnit by Unknown Poltroon · · Score: 4, Funny

    Are they going to arrest this guy too?

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
    1. Re:damnit by skroz · · Score: 1

      It's a joke, son.

      --
      -- Minds are like parachutes... they work best when open.
  174. Re:might be a good thing by glebfrank · · Score: 1

    yep, that's the one.

  175. Re:might be a good thing by Tracy Reed · · Score: 1

    No, he did NOT break the MP3.com beam-it protocol. He concluded that it was quite secure.

  176. Starbucks using 802.11? I can decrypt my latte! by Anonymous Coward · · Score: 0

    using the cocoa bean cipher attack!

  177. Re:might be a good thing by Anonymous Coward · · Score: 0

    this is slashdot, we don't need your stinking facts.

    next thing you'll be telling us emperor stallman isn't wearing any clothes! poppycock!

  178. might be a good thing by unformed · · Score: 5, Insightful

    Stubblefield's attempt took just under a week, which included the time taken to deliver the card, set up the testbed, perform debug and then finally retrieve the key.

    Ouch.
    -----
    In all honesty though, this -could- be a good thing for us regarding laws. Here's an American graduate student that showed an immense weakness in a standard encryption protocol. Furthermore, he did it for no profit, without violating any copyrights, and while working with AT&T.

    This could be very good. People (as in general society) would be a bit leery of Dmitry Sklyarov because he is Russian and because it was a for-profit venture.

    This student, OTOH, broke this w/o profit and without breaking any copyrights.

    Hopefully (though I doubt it) this can hit at least semi-mainstream news, or, at a minimum, the ears of lawmakers and security analysts.

    1. Re:might be a good thing by T1girl · · Score: 2, Funny

      Is that like the backwards R in Toys-R-Us? (toys-yah-russ?)

    2. Re:might be a good thing by Anonymous Coward · · Score: 0

      Actually, he's an undergrad.

  179. He's in trouble by Faizdog · · Score: 1

    He cracked security and he used educational resources to do it, not only will he get a huge fine because of that, the government will lock him up now.

    --
    -"Those who fought today will die tomorrow."-
  180. Second in a row? by DaneelGiskard · · Score: 4, Informative

    Interesting, here is an even older story about guys from the University of California in Berkeley breaking 802.11 security...

  181. No, the DMCA does not apply here. by 3247 · · Score: 5, Informative
    "In all honesty though, this -could- be a good thing for us regarding laws. [...] This student, OTOH, broke this w/o profit and without breaking any copyrights."

    If you're thinking about the DMCA, you're mistaken. Breaking encryption schemes is not illegal, even not under the DMCA. It's only breaking the encryption of "copy protection schemes" that is illegal, which Wireless Ethernet is not.

    Sorry, this won't be a test case for the DMCA.

    --
    Claus
  182. Call the FBI by r_j_prahad · · Score: 5, Funny

    The details of how he did it are in PDF format. Doesn't that make Adobe a party to the crime of distributing a circumvention device?

    1. Re:Call the FBI by frknfrk · · Score: 2

      Not a circumvention device, the primary purpose of WEP is not copy protection.

      --
      The REAL sam_at_caveman_dot_org is user ID 13833.
  183. Perfect example of why the DMCA is flawed... by Bonker · · Score: 3, Interesting

    Without this example hanging over their heads, dozens of companies and tens of thousands of individuals would be running insecure networks who could be exploited by people who really are criminals.

    Now that this kid has punched a hole in the standard... and he wasn't even the one to punch the hole, just the first to exploit it in a public manner... These companies will be forced to sit up and see that they're not safe.

    Of course, we tried to use this same argument on the MPAA, and they responded by trying to sue every hacker in the U.S.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:Perfect example of why the DMCA is flawed... by einhverfr · · Score: 2
      However, in this case there is no clear copyright violation involved, so applicability of dmca is more than questionable. The purpose of this encryption was not to protect specific copyrighted material.. that is, unless all the packet headers contain some copyrighted strings or something..

      Where did anyone mention anything about any actual violation of copyright in the Sklyarov case? According to the DMCA, it does not have to.

      The basic problem here is that the Berne Convention (which I really like for reasons below) extends copyright protections to all data unless that data is explicitly placed on the public domain. In essence this post is entitled to copyright protection. This is good in that it offers additional protections, however hard to enforce, to the general public as well as the large companies.

      Now, the vast majority of information transmitted over encrypted connections is therefore subject to copyright law, and the encryption functions as an access control device (we are less concerned about people being able to copy the encrypted data than we are the ability of people to read or access it). The DMCA "protects" against devices which circumvent the access to such material.

      In the 2600 case, the court's concern about DeCSS came not from the question over whether code == speech but rather what the practical component of that speech contained. I see no reason why a white paper precisely defining such an attack would be treated any differently. It is not the kid who would need to be worried but rather the researchers who originally wrote the whitepaper. Currently it is not politically possible to attack them but that could change.

      The DMCA defines an illegal circumvention device as one which allows access to technologically protected copyrighted material and which has limited other use. So yes, it could be illegal.

      --

      LedgerSMB: Open source Accounting/ERP
    2. Re:Perfect example of why the DMCA is flawed... by inburito · · Score: 2
      I stand my ground in stating that a lawsuit would most likely require a direct possibility of copyright violation. So far all the cases in court have had this as one of their criteria.

      Decss was first dealt with as a leaked trade secret but later it was successfully attacked as a copyright protection circumvention device. There was no question that this was a specific application of this tool to specifically copyrighted material(there are no dvd's that are scrambled and not copyrighted!)

      Sklyarov case is very similar. This tool was specifically targeted against material that was undisputably copyrighted. I doubt that any of the ebooks(or whatever) that adobe sells are not copyrighted.

      So that is what it has come down to so far. Copyrighted material produced by big corporations and a tool that basically has as its primary purpose the circumvention of these specific copyright protection measures.

      In this case there are no big companies that specifically use 802.11 encryption as their copyright protection measure. Anyone implementing copyright protection measurements is going to make them specific to that data independent of transmission medium(when open transmission mediums are concerned). Thus it seems very unlikely that this case will end up in a courtroom..

    3. Re:Perfect example of why the DMCA is flawed... by einhverfr · · Score: 2

      I agree with you that the likelihood of a case today involves copyright infringement as a possibility, but the argument could be made that the law should apply to unauthorized access to private materials as well. If the politics changed, it could see its day in court.

      --

      LedgerSMB: Open source Accounting/ERP
    4. Re:Perfect example of why the DMCA is flawed... by Graymalkin · · Score: 1

      Consider yourself modded up in my heart. Finally someone who hasn't been stricken with the Slashdot hive mind virus that spreads so seemingly easy among Linux using teenagers.

      --
      I'm a loner Dottie, a Rebel.
  184. different encryptions by HaiLHaiL · · Score: 4, Interesting

    i'm not very well versed in encryption schemes, but why is it that the encryption schemes in DeCSS, Adobe PDF, and now 802.11 are so 'easily' broken, as opposed to 3DES or RSA that are being used in SSH & SSL? why aren't these algorithms being applied in 802.11?

    --


    reech bee-yond ur clip-0n
    1. Re:different encryptions by norton_I · · Score: 5, Informative

      SSL uses RC4, same as WEP.

      I don't know what encryption PDF uses, but I think it is pretty strong.

      In both WEP and PDF, the problem is not with the algorithms, but with their implementation. WEP uses a pitifully bad IV generator, plus uses the key straight up, rather than hashing an ASCII string to a binary value.

      PDF simply cannot be made secure since it relies on transfering the key to the users computer and decrypting the PDF with it. Once you get the key, you can decrypt it yourself.

      DeCSS was cracked because Xing forgot to swizzle their key in the binary, and it was extracted. At that point, another weakness allowed the extraction of more keys -- I don't know if that was a protocol or algorithm problem.

      The lesson here is that security is much harder than just encrypting things. SSL, SSH, PGP, etc. were all designed as secure protocols. That was their entire goal, and the designers knew a lot about security. DeCSS, PDF, and WEP were all designed as bullet-item features within other products, and no special attention was paid to the overall security of the system.

      It is also a question of mentality. Encryption algorithms are designed by academic researchers or the like, who expect the algorithm to be publicly examined by their peers for any possible weakness. Software (and hardware) engineers usually don't believe in their hearts that people will try very hard to break their products, or that it would be "practically impossible" without the necessary documentation.

    2. Re:different encryptions by Anonymous Coward · · Score: 1, Informative

      802.11 is based on RC4, but it's used in a very insecure way:

      For each session, there's a session key (which may update periodically, I'm not sure). The session key may be of just about any length you want (up to 2024 bits, in theory).

      For each packet, there's a 24-bit IV (initialization vector). This is supposed to be different for each packet. This IV is prepended to the session key, and the result is used to encrypt the packet with the RC4 algorithm. The encrypted packet is then sent wirelessly, along with the IV (the IV isn't encrypted).

      Based on the attacks in Fluhrer, Mantin, and Shamir's paper, it is possible to use the IVs and the ciphertext packets to reconstruct an arbitrarily selected byte of the session key. The actual cryptanalysis is a little too involved to go into here. Suffice to say, if you can actually write the code to do it, the attack takes very little time. Note that the attack recovers an arbitrary key byte each time it is run-- thus giving us the linear attack complexity.

      It should be noted, however, that not using an IV would have led to a simpler attack. The IV prevents the same key stream from being used for different packets. If the same key stream were used for each packet, then simply XORing two packets together and performing some basic analysis would allow an attacker to recover the plaintext of both packets and hence the keystream used to encrypt both. As it stands right now, using the same IV for two packets allows the same attack, but can only recover the two packets in question. Given that there are 2^24 possible IVs, this is guaranteed to work on at least two packets in a pool of 2^24+1 encrypted with the same session key. On a pool of 2^12 packets, the attack will work roughly 50% of the time for two packets within the pool.

      Why didn't 802.11 use other algorithms? I don't know. RC4 is simple, and it's a stream cipher (which, in this situation, is a big advantage for implementors). 802.11 wasn't the best of all possible systems, but it wasn't exactly ROT13 or XOR with a static byte.

      Does this answer your question, HaiLHaiL?
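
Added example (not part of the original comment or of any 802.11 implementation): a minimal Python model of the per-packet keying described in the comment above, with the 24-bit IV prepended to the session key and sent in the clear. It shows that two frames sharing an IV leak the XOR of their plaintexts, and includes an audit check for reused IVs in a capture. The key, IVs and payloads are constructed sample values, the function names are illustrative, and the real frame's integrity checksum is left out.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, session_key: bytes, payload: bytes) -> bytes:
    """Frame = cleartext 3-byte IV, then payload XOR RC4(IV || session_key)."""
    if len(iv) != 3:
        raise ValueError("IV must be 24 bits")
    return iv + xor(payload, rc4_keystream(iv + session_key, len(payload)))


def wep_style_decrypt(session_key: bytes, frame: bytes) -> bytes:
    """The receiver reads the IV from the frame and rebuilds the same keystream."""
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + session_key, len(body)))


def reused_ivs(frames):
    """Audit check: map each IV seen more than once to the indexes of its frames."""
    seen = {}
    for idx, frame in enumerate(frames):
        seen.setdefault(frame[:3], []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """With equal IVs the keystream cancels: C1 xor C2 == P1 xor P2."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs, keystreams differ")
    return xor(frame_a[3:], frame_b[3:])


def recover_from_known(frame_known: bytes, known_payload: bytes,
                       frame_other: bytes) -> bytes:
    """One known plaintext under an IV exposes every other frame sent with that IV."""
    keystream = xor(frame_known[3:], known_payload)
    return xor(frame_other[3:], keystream)


# Constructed sample data: a 40-bit session key and three frames,
# the first and third of which share an IV.
SESSION_KEY = bytes.fromhex("a1b2c3d4e5")
PAYLOADS = [b"constructed payload one",
            b"constructed payload two",
            b"a third, secret payload"]
IVS = [bytes([0, 0, 1]), bytes([0, 0, 2]), bytes([0, 0, 1])]
FRAMES = [wep_style_encrypt(iv, SESSION_KEY, p) for iv, p in zip(IVS, PAYLOADS)]

if __name__ == "__main__":
    for iv, idxs in reused_ivs(FRAMES).items():
        print("IV", iv.hex(), "reused by frames", idxs)
    print(recover_from_known(FRAMES[0], PAYLOADS[0], FRAMES[2]))
```
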

    3. Re:different encryptions by Reality Master 101 · · Score: 2

      Just for the record, DeCSS wasn't "cracked" in the usual sense. One of the DVD manufacturers didn't encrypt their key within a DVD player like they were supposed to, and some programmers discovered it.

      If the key hadn't been discovered, DVDs would never be cracked (barring any new mathematical breakthroughs).

      --
      Sometimes it's best to just let stupid people be stupid.
    4. Re:different encryptions by Anonymous Coward · · Score: 0

      Someone actually posts something worthwhile here, and you get to feel good about yourself because you can pick one nit.

    5. Re:different encryptions by phliar · · Score: 1
      why is it that the encryption schemes in DeCSS, Adobe PDF, and now 802.11 are so 'easily' broken, as opposed to 3DES or RSA that are being used in SSH & SSL?
      Because all these companies hire programmers to design cryptosystems. Designing crypto is harder than you think. (Think for a bit.) No, even harder than that. Basically if your name isn't Shamir, Rivest, Yao, Blum, Diffie, Goldwasser, etc. you shouldn't be designing crypto.

      Knuth has an excellent section on how hard good crypto is to design, in Seminumerical Algorithms in the chapter on pseudo-random numbers etc.

      why aren't these algorithms being applied in 802.11?
      It always boils down to money and stupidity. Too stupid to know how hard crypto is; too cheap to hire people who can do it right.

      --
      Unlimited growth == Cancer.
    6. Re:different encryptions by Zoinks · · Score: 1
      The Shamir, et al, paper shows that it's RC4 itself that is weak, not just the bad IV generator. They're saying that because the same key is reused many times with a different IV (even a truly unpredictable one), one is able to figure out the key. This is a crack of RC4.

      There are numerous other weaknesses in WEP. I recommend http://grouper.ieee.org/groups/802/11/Documents/DocumentHolder/1-230.zip, which contains a very interesting Powerpoint presentation on the subject of cracking WEP. This latest bit of news is the nail in the coffin, though, because it's RC4 that's the problem now, not just the WEP protocol.

      I believe it's still a concern for SSL if the session key is chosen once and used many times for the encrypted (SSL) conversation. It depends on how SSL maintains crypto sync at both ends of the conversation. Anyone care to answer that? Does SSL use something like an initialization vector with each new encrypted packet? Or does it rely on perfect synchronization between sender and receiver so that the RC4 PRNG can just keep on generating without being reinit'd between packets?

    7. Re:different encryptions by Zoinks · · Score: 1
      3DES is a total pig as far as computation goes. RSA is a public key scheme and is much better suited for key distribution rather than bulk encryption (it's slower and relatively weaker than good symmetric ciphers).

      802.11, Task Group I is developing a replacement for WEP, based on 802.1X for station authentication, and AES-OCB for data encryption/authentication. I've already posted references about that - search for my username to find the posting.

  185. crypto by twitter · · Score: 0, Offtopic

    Get versed! Spend an hour or two with OpenBSD. They gotta license or two, hee hee. Now go forth and kick some ass, Hailman.

    --

    Friends don't help friends install M$ junk.

  186. Can this be good? by phoenix_orb · · Score: 0, Offtopic

    I think that it can be. With the advent of encryption being broken in a week, maybe the standards groups..(ANSI, IEEE, etc..) can really start advocating a secure environment prior to the acceptance of a standard. Although wireless lan protocols have been compromised, will that stop people from using them? No. That is bad, because we all know MSFT will do nothing to help introduce any type of higher level encryption. I hope that the open source community will have an open source project in the works. I would really enjoy watching that happen. Is bandwidth a concern here, yes. 11mbs will work extremely well for many applications, but I would hate to have a large encryption scheme (working at layer 5 or above...) eating a whole ton of bandwidth and proc cycles.

    --
    Blah Blah Blah.
    1. Re:Can this be good? by Graymalkin · · Score: 1

      Hey you mean with Windows I can't use IPSec or VPN? Fuck man why didn't you tell me earlier! I knew there must be a catch.

      --
      I'm a loner Dottie, a Rebel.
  187. Wireless Deployment by _Sprocket_ · · Score: 2
    Well that's kind of my point, it wasn't so much the technology that was the problem it was the roll-out of the technology that caused the problem.
    Sure. Even the best technology is dangerous (some more than others) if it's not deployed correctly. But wireless brings in a few new variables network managers may not be thinking about, and the glossy pamphlets are certainly not mentioning.

    Corporate security structure tends to have a tough shell, with a nice creamy center. That is - security revolves around firewalls to protect the internal network with very little internal security (the logistics of internal security can be insane). A part of this security posture also relies on controlling physical access.

    Wireless networking creates havoc with this model.

    First, as in my previous example, you have the issue of rogue access points. The equipment tends to come as plug-in-and-go magic boxes. Which provides a functioning access point - but one that has had absolutely no security configuration. Unknowing employees, with the intent to get their laptops running in a conference room or even at the beach down the road (true story), suddenly expand the "internal" network to well beyond what was normally a physical boundary - the building itself.

    This is not a minor issue. Before, rogue (and/or potentially dangerous) network equipment (and services) could be disabled with proper firewall rules. There is no such choke-point with wireless access points (heck - they're easier to set up than a MODEM).

    It becomes a game of whack-a-mole as you try to hunt down and disable rogue access points. One of our guys built a script that did occasional nmap scans, looking for signatures of known wireless access point hardware. It provided a method to find access points and a step towards shutting them down. But it is far from perfect.

    So now this leads to the current news. Network managers who were relying on the strength of WAP will have to reconsider their strategy. Many won't be aware of recent events.

    I suspect a lucky few (who are knowledgable and either don't have to fight, or are successful at the political battle with their corporate user base) will be able to deploy sanctioned access points external to their network (on the "big bad internet" side of the firewall) and rely on some sort of VPN solution for internal access.

    But that doesn't solve the issues of resource abuse or rogue access points.

    Sure. It's all about deployment. But that's still a pretty sizable issue. And it's one a lot of managers will have to tackle. Wireless networking technology IS very cool / empowering / useful.

  188. So when can I.... by swordboy · · Score: 1

    When and where can I buy a wireless card that will do this automatically?

    --

    Life is the leading cause of death in America.
  189. Why isn't crypto module flash upgradable? by Anonymous Coward · · Score: 3, Interesting
    i.e., let the user install his own crypto module if he wishes.

    Any static scheme will be broken eventually.

    1. Re:Why isn't crypto module flash upgradable? by Tackhead · · Score: 1
      > i.e., let the user install his own crypto module if he wishes.

      Flashable crypto modules. On a wireless device. How do you deliver the module without enabling 'sploits like "GET cryptoflash.ida?XXXXXXXXXXXXXXXXrot13.rot13.rot13" ? ;-)

    2. Re:Why isn't crypto module flash upgradable? by armb · · Score: 1

      > Cracking RC4

      It's the particular way RC4 is used in WEP that has been broken. Yes, it depends on weaknesses in RC4, but "cracking RC4" is overstating it - this attack doesn't necessarily mean that SSL sessions using RC4 can be read.

      --
      rant
    3. Re:Why isn't crypto module flash upgradable? by Anonymous Coward · · Score: 0
      i.e., let the user install his own crypto module if he wishes.

      What you're describing is the so-called "crypto with a hole" devices. Such devices are illegal in the US because the FBI/NSA wants to be able to easily listen in on you without asking permissions from anyone.

    4. Re:Why isn't crypto module flash upgradable? by Zoinks · · Score: 1
      You need to have a standard, and you need to have all the card manufacturers supply an upgrade to their firmware - if the crypto isn't in hardware to keep power consumption down.

      But anyway, WEP was broken as designed. There are a dozen ways it sucks. Go to the IEEE 802.11, Task Group I web page (http://grouper.ieee.org/groups/802/11/Reports/tgi_update.htm) and read some of the reports there. Look at "Papers given" under each meeting report.

      Task Group I has been working on a replacement for WEP that's "really secure". It's built around using 802.1X as an authentication and key distribution protocol, and AES-OCB as a data encryption/authentication algorithm. So far as I have read, it looks very good. .1X allows for session keys and key aging. AES-OCB allows for efficient, one-step encryption and authentication (no need to encrypt and then compute a MAC on the result).

      Cracking RC4 should accelerate ratification of this standard, I would think. If you wanted to write a software upgrade, I'd recommend following TGi's progress. And for now don't do anything that requires passwords on your wireless laptop (like log in to a NT domain).

  190. Is it because of weak encryption? by General8 · · Score: 0

    Is it because US demands that weak encryption be used so that they can unencrypt the transmissions? This must be stopped or we're at year 88 again.

  191. A better headline for /. by mrsam · · Score: 1
    Yesterday's News For Nerds, stuff that doesn't matter any more.

    This was reported by Reuters (as seen on CNET) on August 3rd, and pretty much on every news web site I read (except that I'm too lazy to hunt down the links).

    I just thought that folks might want to know that /. is simply republishing week-old Reuters dispatches, and pretending that it's breaking news.

    1. Re:A better headline for /. by mrsam · · Score: 1

      And if you actually bothered to read the Reuters story, you'd find out that it is.

  192. Surprised? by kireK · · Score: 1

    Surprised? No one should be... it's not like most encryption can withstand the test of time. Remember when DES was thought to be impossible to break? What I want to see is a real time SSL and PGP decode hack.

  193. moderation abuse! by twitter · · Score: 1, Offtopic
    the article is about broken crypto.

    HaiLHaiL asked about crypto.

    the OpenBSD crypto page talks about encryption. How is that off topic?

    --

    Friends don't help friends install M$ junk.

  194. jrst by jrst · · Score: 2, Insightful

    As others have noted, end-to-end encryption is the best bet. However...

    If there are control functions used by 802.11 nodes that depend on WEP for their integrity/privacy, the network could still be susceptible (even if your application data is secured end-to-end).

    Would someone familiar with 802.11x internals shed some light on this? Thanks.

  195. This is new?? by Chanc_Gorkon · · Score: 2

    I thought this happened months ago as someone else has already pointed out. Wireless networks always should have been treated like a regular network because that's all it is. While, even at my work I would not be afraid of this (Secure your host systems as well as you can so that you can minimize risk. Use SSH and other similar things for being secure on your regular network and you should be fine.). Home users should not have much to worry about if they are relative newbies, or knowing what they are doing (newbies are too fearful to type in anything such as bank card info and stuff....techies already knew it wasn't secure and will hide the appropriate stuff). All in all, the sky isn't falling. It's just something that you already should have worried about from the start! :)

    --

    Gorkman

  196. encrypted for a reason by ArchieBunker · · Score: 1

    Ummm I think the whole point is that it's encrypted for a reason. You'd be pretty pissed if you found someone tapping your phone line, after all it runs right in front of your house out in the open.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  197. Workaround: Just rekey frequently by swillden · · Score: 4, Interesting

    It seems to me that low volume wireless LANs are pretty safe, and can be completely safe if they rekey on a regular basis.

    The original paper estimates that on average either 1 million or 4 million packets need to be sniffed in order to discover a 40-bit key depending on how the IVs were generated. Adam Stubblefield's paper found that it seemed to require 5 to 6 million packets to discover a 40-bit key. That's actually quite a lot of packets for many LANs, and a huge number for a typical home LAN. Adam had to run a flood ping for several hours to collect enough packets.

    Add to that the fact that the complexity scales linearly with key size. This means that, on average, discovering a 128-bit key will require somewhere between 3 million and 18 million packets.

    I just checked the statistics on my home 802.11b AP and found that I average somewhere around 100,000 packets per day. That means that someone would have to continuously monitor my network for between one and six months in order to gather enough packets to determine my key, assuming I use good keys (I do).

    So, as long as I'm careful to rekey every couple of weeks, I should be safe.

    Obviously, if your wireless LAN pushes a couple million packets per day (20 people streaming 192Kbps MP3s for 12 hours) you'd have to rekey daily, which would be a major pain if it wasn't automated.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  198. MAC Addresses by Anonymous Coward · · Score: 0

    How does this relate to MAC Address security? - If you restrict your WAN to only certain MAC Nos then does that provide a secure solution? It must at least discourage 'floaters'

  199. wooo! go Rice! by Anonymous Coward · · Score: 0

    -Jack Mott proud Rice University Alum

  200. SSL tunneling by smartfart · · Score: 1

    Man pages? Just read the secure-POP howto and that'll get you going. You can forward lots of things, like ftp, vnc (way cool), etc.. You don't have to do the sleep thing, btw.

  201. Re:It would mean free access (literally!!!) by Anonymous Coward · · Score: 0

    If the access point has lousy access controls (or in the case of the Linksys WAP11, _no_ access controls), you can use IPSec and SSH all you want and you've still got a huge problem... For example, once the client determines the WEP key and associates with the WAP, using the SNMP Configuration Utility downloadable freely from the Linksys website will allow the client to configure everything on the WAP. 0wnzed. The additional encryption will prevent people from viewing your stuff, but with a couple of keystrokes it's _you_ without the WEP key!

  202. This is a joke by ioman1 · · Score: 0

    It is people like this person that will ruin technology for everyone. People will get so paranoid that they will not want to buy anything related to technology. Who wants to store personal information on something that can be cracked. Get a life people and stop hacking others. You will ruin the whole industry for everyone.

  203. Will you be posting the warrant for his arrest? by Diesel Dave · · Score: 1

    I ain't smiling when I write this...

  204. Re:Workaround: Just rekey frequently by Zeinfeld · · Score: 4, Informative
    It seems to me that low volume wireless LANs are pretty safe, and can be completely safe if they rekey on a regular basis.

    Read the paper. It does not matter how often you rekey or whether you buy the 40-bit or 128-bit cards. The algorithm used is a stream cipher and will XOR your plaintext with one of 2^24 ciphertext streams that are generated from your key.

    The attacker can cause the gateway to act as an oracle for any given ciphertext stream.

    If you rekeyed every hour you would be safe (ish). However, the WEP protocol does not support rekeying and everyone in the network has to use the same key. So you would have to update all your machines manually constantly.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  205. Wasn't this on Slashdot earlier? by catscan2000 · · Score: 1

    A month or so ago, I saw a story about how WEP is crackable. As a result, I recently picked up a relatively inexpensive D-Link Access Point with 40-bit encryption instead of 128-bit, since I'm not going to use WEP anyway. Instead, I'm going to use IPsec and very restrictive firewall rules to get into my network, though I'm betting that the free IPsec add-on for MacOS will work properly on my partner's G4 laptop ;-).

    I wonder why the wireless manufacturers didn't use IPsec in the first place rather than creating their own WAP that's now worthless?

  206. Re:Workaround: Just rekey frequently by swillden · · Score: 2

    Read the paper. ... The algorithm used is a stream cipher and will XOR your plaintext with one of 2^24 ciphertext streams that are generated from your key.

    Wrong paper. You're talking about the other break, not the new one. I have to admit that I actually haven't read that older paper.

    Ironically, a short IV makes the attack I referred to tougher (but not very tough) but makes the one you mentioned easier (possible).

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  207. Ian Goldberg already did it, no? by alexandre · · Score: 2, Informative

    Ian Goldberg, chief architect of Zero Knowledge, already exposed 802.11 weaknesses a long time ago (or is that something else?)

    His home page is at:
    http://http.cs.berkeley.edu/~iang/

    and his paper on WEP is at:
    http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

  208. Re:Workaround: Just rekey frequently by Zog · · Score: 1, Insightful

    A very plausible solution, but always remember - there's always something that makes the odds hit a lot closer to home. For example, say I buy a single lottery ticket, and 6 million other people do the same. Given a pool of ~6 million choices, the pretty little balls will pop out with one lucky winner - who could be talking to Apu's shrine/whatever-the-proper-word-is at Kwik-E-Mart.

    Most likely, it wouldn't happen for a long, long time (1 to 6 million packets). But every once in a while, it'd work on the first try.

    (and for those of you who didn't like this: I want my two cents back. Really. I'm a poor college student, and if just half of you do just that, it's $125 in my pocket... Actually, forget that... it'd all be under siege by the girls outside the window before I knew it...)

  209. Treat all 802.11 systems as external by sulli · · Score: 2
    Well, duh.

    Seriously, this is smart anyway, and if you use ipsec for remote access, this isn't difficult at all. Just make sure everyone connects via ipsec over 802.11 and signs in with good authentication (e.g. SecurID) and you should be okay.

    Companies who don't use ipsec for remote access should start anyway - it's much nicer over DSL or fast hotel lines than dialup.

    --

    sulli
    RTFJ.
  210. Reinventing the wheel ... ehh? by jstockdale · · Score: 1

    Doing RC4 or AES at 11 Mbps in software is no problem. Neither is doing RC4 or AES or Triple-DES, etc. via hardware on the NIC. Just use a chipset with a decent algorithm.

    --
    **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
    1. Re:Reinventing the wheel ... ehh? by Wesley+Felter · · Score: 2

      Sure, but you lose flexibility. When your hard-wired RC4/WEP chip turns out to have a huge flaw, you can't fix it. I'm not really opposed to putting it in hardware, but I think it would be good if NICs allowed certain hardware features to be turned off and done in software.