New Wireless Security Standard Has Old Problem?

eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."

My Dog Has Fleas?

[Trillan]

My Dog Has Fleas is a positively fantasic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

Or, of course, the infamous "password."

Re:My Dog Has Fleas?

[IM6100]

Something that amused me recently was when I installed IRIX on a cool SGI box I bought at auction.

It refused to let me use a password longer than 8 characters.

I am talking about a release of IRIX that was pressed to CD in the year 2002.

Re:My Dog Has Fleas?

[Trillan]

Similiar problem with a Windows 2000 server using Services for Macintosh. Microsoft uses an old authentication model which doesn't support long passwords... unless you install Microsoft's client-side authentication model, which is too buggy to use (i.e. authentication windows pop up BELOW everything else).

Re:My Dog Has Fleas?

[weileong]

default Solaris8 won't take more than 8, either. neither will the older versions of MacOS X (Puma, Jaguar. Panther has this fixed, though).

WEP newbie question - how bad is it?

[frostman]

I've just bought my first wireless kit (DLink 802.11b wireless router plus card for $60).

I did some reading on WEP and it sounds pretty frightening. Today I'm going over to set up the same kit for a friend who's NOT a slashdot type. I'm pretty-well used to data protection issues, and I take reasonable precautions and would also not freak out if something Bad happened. But I'm wondering what I should tell my non-techie friend.

Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

That's certainly what the manufacturers would have us believe, and the low prices and ubiquitous Starbucks access points seem to be causing a lot of folks to adopt wireless, at least out here in silicon valley.

Having read up on the security problems, I'm now hoping some of you can provide or point to real-world scenarios.

Hope this isn't too off-topic...

Re:Some security is better than no security

[Carnildo]

In general, if someone has the ability to run a dictionary attack on a password, it's as good as giving them access. From personal experience as a sysadmin, 65%-75%(1) of all passwords can be found by a dictionary attack.

(1) From running dictionary attacks against three sets of passwords.
Computer science students: 75%
Public forum #1: 65%
Public forum #2: 75%

My Dog Has Fleas

...my wireless router has a first name
it's l-i-n-k-s-y-s

my router has a SSID
it's l-i-n-k-s-y-s

RE: password security -- what about the old technique of using an acronym for something that wouldn't be hit by a dictionary attack? Um, like:

My Dog Has Fleas And Your Mom Does Too would create a password of "mdhfaymdt" ? Secure enough...and probably not in someone's best interest to share with anyone else.

one for the crypto/math freaks

[nehril]

I think this problem is present in *any* system that relies on user passwords. according to the article, each character in a password is equivalent to about 2.5 "bits" of encryption (since you can't use the entire ascii bitspace and some words/letters are more common, etc). this is a higher number than I saw referenced in one of bruce schneier's books (he said 1.3 bits of entropy per char I think.).

so, if your 128 bit or 256 bit or bit security system is ultimately based from a human-rememberable (and thus probably short) password, is there ANYTHING that can be done short of requiring 30 character passwords?

Re:one for the crypto/math freaks

[PD]

It's actually a stupid idea.

Your chance of winning the lottery is exactly the same if they change the winning numbers, or if they don't change them.

Making users change passwords does the following:

1) Annoys the users.
2) Users are likely to pick easy passwords to remember, rather than memorizing a really good password just once. Or worse, they will write the password down.
3) Does all that for no increase in security. Yay!

Organizations Do This to Themselves

[Valar]

Many institutions unwittingly standardize on weak passwords. For example, a certain EE department at a certain university (that I might attend), has a password convention of six characters, letters and numbers, but no two letters or numbers are allowed next to each other. So all the passwords are number, letter, number, letter, etc or letter, number, letter, number. They don't even require mixed case letters.

Kerberos

[GreenKiwi]

Why don't these companies start implementing Kerberos? Or something similar. My understanding is that no passwords are ever sent out over the network.

http://web.mit.edu/kerberos/www/

Re:At least use WEP!

I liken WEP to the Club. It's a deterrent. Most casual thiefs can defeat the Club. But why should they bother when 95% of cars don't have them? (Unless the car is a Lexus, but that's beside the point.)

Most people who are just out casually wardriving are going to drive right by a locked network and hit one of the other 15 that are open.

And if your firmware allows it...

• Turn of SSID broadcasting (I have read some articles that say not to do this, but I've yet to find a good reason not to. But if shutting off your SSID breaks something, then I guess you'll have to keep it on.)
  
• Lower the radio signal power to a level that isn't broadcasting any farther than is necessary. If you have a good solid signal at half power, it's not going to make your downloads any faster by having the power all the way up. But if you start dropping connection, then you might have to turn the signal up.
  
• Change all the default WAP settings such as the admin password (and name if possible), disable the guest account if one exists or at least change the password.
  
• Don't use meaningful names like "DL614" - in a personal wardriving experiment I was able to look up the default admin name/password/default IP for the router on a WAP because the guy used the manufacturer name and model # as his SSID.
  
• MAC address filtering
  

Go into the firmware and shut off the radio broadcast if you're not going to be using your wireless for some length of time. I wish manufacturers would include a radio shut off scheduler like some do for Internet traffic. So you could have your wireless radio broadcast automatically physically shut off at night and automatically come back on at 8 a.m. And a manual switch on the front of the WAP would be cool too since mine sits on my desk. I'd flip the switch to shut off the radio if I was going to leave for a while.

I'm probably forgetting a few things but those tips should help.

Re:At least use WEP!

[Malor]

I f you have a Linux firewall, just add another network card and move the wireless traffic off onto its own segment. Tunnel the laptop to either the firewall or a desktop machine behind it; one easy way is by running squid on a Linux box, connecting to it with SSH, and routing local port 3128 to remote port 3128. Then configure IE to use 127.0.0.1:3128 as your proxy port. Disallow all traffic except SSH to your LInux server, make sure you run a firewall on your laptop, and disallow wireless administration of the access point. This should give you a fairly secure wireless network.

If you need additional services, you can tunnel those too; ssh can do it for free via Cygwin, but it takes a little time to set up. (each port requires a separate ssh command; you can script them if you always need several). You can also use a payware program like SecureCRT to forward multiple ports with a nice GUI interface.

With this kind of setup, WEP becomes essentially irrelevant. In fact, it may be a detriment, simply because you may get sloppy about not setting up your tunnels if you think maybe you're not being watched.

You can also do IPSEC, which will work with anything and won't require specific tunneled ports, but that's a lot more complex. SSH is simple, fast, easy, and pretty secure.

Re:WPA dictionary attack

[weileong]

One thing I'm curious about, is that nobody seems to be talking about the installed base of WEP-only wifi equipment already out there (which, as is evidenced by all the almost-as-excited-as-during-the-bubble-days VCs, is quite a large one). I've not heard of any plans by anyone to retrofit WPA onto existing WEP-only equipment (about the only one I know of is Apple's recent software update, but that's only for users of a subset of their installed base (those with the original Airport system aren't included), and the further subset of those who've purchased the latest release (10.3; no update for 10.2 has been released and it's unclear at this point if there ever will. Does anyone have any better info?)).

I'm sure the manufacturers would hope that people would just rush out and buy new WPA-capable equipment after junking their old WEP-only ones, but I'm figuring most people would just keep on using it (or is part of the WPA rollout going to involve a massive FUD campaign to instill The Fear Of Airsnort upon the general public?).

In which case, won't Airsnort et al retain "usefulness" well beyond the introduction of WPA and the ostensible "retirement" of WEP... ?

(Of course, none of this would apply to the people using completely unencrypted wifi. which is a yet bigger proportion of the wifi using population...).

Tell me about it. I practically orgasmed...

[Ayanami+Rei]

when I read buried way down in the Solaris 9 12/02 release notes that they'd be FINALLY supporting md5 password crypts.

And in typical Sun style, they created a new plugin architecture to support it. There are all of two useful plugins (the standard crypt is built into libc)... ::eye roll::

Re:At least use WEP!

[j+h+woodyatt]

"At least use WEP?"

That's not really great advice. If you can use WPA w/EAPOL, then use WPA w/EAPOL. If you can't be bothered to run an authorization server (or you don't know what that is), then use WPA w/PSK (pre-shared key).

Robert Moskowitz is telling us that securing a network with a poorly-chosen shared secret is a bad idea, because dictionary attacks are easy to mount. If your WEP key is an ASCII string of characters spelling out the word "PEANUT" then you're just as vulnerable (if not more) than if you had used that secret as your WPA pre-shared key passphrase.

Why? Because, in addition to the well-known weakness of WEP, it's also the case that an offline dictionary attack might succeed sooner. Just snarf a pile of WEP-encrypted frames and mount a dictionary attack on the raw WEP key used to encrypt the IP headers.

And if the access point is an Apple AirPort Base Station, then the WEP key is actually most likely the product of a hash function (one not widely published, but it's no secret). That's only a little speedbump.

The problem has always been there. It isn't getting any worse with WPA pre-shared key. If you can upgrade to WPA, you have no good reason to stick with WEP other than you're lazy. (Don't get me wrong-- lazy can be a perfectly good reason.)

And if you're a network administrator, and you care deeply about wireless security, because-- I don't know-- you're on contract to the U.S. Department of Homeland Paranoia, then install a RADIUS server and run WPA w/EAPOL. And spend the extra $49.95 per station for the hardware upgrade to support AES rather than TKIP. All your deepest fears should be ameliorated by this.

--

Re:open waps...

[stripes]

They can nail you for posession.

Wait a minute. Person A has an open WAP. Person B downloads kiddie porn using person A's WAP. Assuming person A doesn't have a caching web proxy how does person A posess anything that person B downloaded? It isn't on his WAP (granted it was in his WAP's RAM for a few milliseconds), it isn't on his laptops, it isn't on his desktops, it isn't printed out in his house, it isn't hiding in his car.

Wouldn't that be like charging person A for kidnapping if person B drove across his lawn with a trussed up body in their trunk?

It doesn't pass the sniff test.

Now this being "anything to protect the children" America I can see them charging Person A with something else, some sort of aiding charge or something. (actually I guess they could charge you with anything, but getting a judge to not laugh at possesion when nothing is possesed seems like a long shot)

Re:open waps...

[jolyonr]

Yep, you'll be able to quite easily prove that the pr0n was never on your computer - the problem is that you'll have to wait until *after* the authorities have broken down your door at 6am and taken away all your computers for analysis.... And persuading your ISP to let you re-register as a customer once they've cut off your account.

Jolyon