Slashdot Mirror


New Wireless Security Standard Has Old Problem?

eggboard writes "Wireless security expert Robert Moskowitz, who sits on IEEE and IETF committees on that subject, sent me a short paper on a glaring weakness in the Wi-Fi Protected Access (WPA) protocol that's replacing the weak and broken WEP system well discussed here at Slashdot. His paper, which I've posted here, proves definitively that while WPA itself remains robust and secure, the interface for choosing consumer passwords makes it simple to snarf a tiny bit of network traffic and perform an offline dictionary attack. For Slashdot readers, this probably seems trivial, but because Linksys, Apple, and others are letting users enter My Dog Has Fleas as their passphrase, WPA might be less secure for home users than WEP."

64 of 249 comments

  1. Oh, thanks. by Anonymous Coward · · Score: 5, Funny

    Way to tell everybody my password.

    Man, now I have to change it.

    1. Re:Oh, thanks. by interiot · · Score: 2, Funny
      One! (one)
      Two! (two)
      Three! (three)
      Four! (four)

      Five! (five)

      That's the stupidest combination I've ever heard in my life. That's the kinda thing an idiot would have on his luggage.

  2. My Dog Has Fleas? by Trillan · · Score: 4, Interesting

    My Dog Has Fleas is a positively fantastic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

    Or, of course, the infamous "password."

    1. Re:My Dog Has Fleas? by Tumbleweed · · Score: 4, Funny

      Yeah, but what if your dog doesn't HAVE fleas? Or if you don't even have a dog? Then your security is based on nothing but LIES! And how secure can THAT be? Think before you ask these questions, Mitch.

    2. Re:My Dog Has Fleas? by DeltaSigma · · Score: 2, Funny

      What is this infamous "password?"

      Everyone's always talking about it, but no one will ever tell me!

    3. Re:My Dog Has Fleas? by sweetooth · · Score: 2, Funny

      That's because it's a "secret"

    4. Re:My Dog Has Fleas? by IM6100 · · Score: 4, Interesting

      Something that amused me recently was when I installed IRIX on a cool SGI box I bought at auction.

      It refused to let me use a password longer than 8 characters.

      I am talking about a release of IRIX that was pressed to CD in the year 2002.

      --
      A Good Intro to NetBS
    5. Re:My Dog Has Fleas? by stefanlasiewski · · Score: 5, Funny

      My Dog Has Fleas is a positively fantastic password compared to the usual choice of a middle name, spouse's name, child's name or birthdate.

      Well, not really.

      Using your child's name for a password is a million times more secure than posting it on Slashdot :)

      And with the Slashdot crowd, maybe someone really does have a kid named "j3Nn!f3r". What could be more secure than that? It's so secure that those poor kindergarteners can't even pronounce it!!!

      --
      "Can of worms? The can is open... the worms are everywhere."
    6. Re:My Dog Has Fleas? by Trillan · · Score: 2, Interesting

      Similar problem with a Windows 2000 server using Services for Macintosh. Microsoft uses an old authentication model which doesn't support long passwords... unless you install Microsoft's client-side authentication model, which is too buggy to use (i.e. authentication windows pop up BELOW everything else).

    7. Re:My Dog Has Fleas? by jamesh · · Score: 3, Funny

      'My Dog Has Fleas' is indeed fantastic. I'm changing all my passwords to that right now. I encourage you all to do the same.

    8. Re:My Dog Has Fleas? by Chops · · Score: 4, Funny

      Once I noticed that an acquaintance of mine's Win2k machine had no password on the "Administrator" account. I began to lecture him on the dangers of SMB, C$, and such, and the fact that his machine was basically freely usable by anyone who had (a) the internet and (b) some semblance of clue and maliciousness.

      He laughed and said, "Yeah, but who would think that the administrator account wouldn't have a password?"

      I gave up and said no more.

    9. Re:My Dog Has Fleas? by weileong · · Score: 2, Interesting

      default Solaris8 won't take more than 8, either. neither will the older versions of MacOS X (Puma, Jaguar. Panther has this fixed, though).

  3. Some security is better than no security by Dancin_Santa · · Score: 5, Insightful

    If all it took were a dictionary attack to sniff a password, at least it took that much.

    This isn't some simple passthrough that can be gotten through by knowing a couple backdoor passwords, it's a real live algorithm.

    But in the end, it's up to the user to enter a password and as long as humans remain humans easy to remember passwords will always be chosen over #HrS2sWmNw/()LggDwMn.

    1. Re:Some security is better than no security by Carnildo · · Score: 2, Interesting

      In general, if someone has the ability to run a dictionary attack on a password, it's as good as giving them access. From personal experience as a sysadmin, 65%-75%(1) of all passwords can be found by a dictionary attack.

      (1) From running dictionary attacks against three sets of passwords.
      Computer science students: 75%
      Public forum #1: 65%
      Public forum #2: 75%

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Some security is better than no security by Minna+Kirai · · Score: 2, Insightful

      But that's no security violation. If someone wants to run the equivalent of an anonymous FTP server, let him. (I assume these are on separate disks than the main OS install, right?)

      Occasionally in the loose college environment like that, you find students leaving text files on other people's hard drives, things like "Hey I like your MP3s, where do you live? I'm in Kenmore 402!", because they find shares but have no knowledge of the owner.

      PS. What I don't believe is the number of administrators at your school collecting $1,800,000 severance after zero days of work!

  4. At least use WEP! by jolyonr · · Score: 5, Insightful

    It doesn't matter how easy to break a new system is, it's better than having no security.

    I recently took my laptop on a trip across Toronto and in a couple of hours spotted around 60 wireless networks. Around 80% had NO encryption enabled at all. And yes, the most common SSIDs are 'default' and 'linksys'.

    So make a system more complex and people won't use it - which defeats the whole object of it.

    Jolyon

    --


    Please read my Canon EOS tech blog at http://www.everyothershot.com
    1. Re:At least use WEP! by Xerithane · · Score: 2, Insightful

      I recently took my laptop on a trip across Toronto and in a couple of hours spotted around 60 wireless networks. Around 80% had NO encryption enabled at all. And yes, the most common SSIDs are 'default' and 'linksys'.


      How many of those were open intentionally? Probably quite a few. I don't leave the default SSID on, just so they can get an idea where they are connecting to, but I leave my access point open. It's on a different network segment, and I figure if someone has an 802.11 card I'll help out with their bandwidth. If it ever becomes a problem on my bandwidth, I'll just regulate that segment.

      Don't assume that because they are open without encryption it is due to naivety.

      --
      Dacels Jewelers can't be trusted.
    2. Re:At least use WEP! by WuphonsReach · · Score: 5, Informative

      We don't use WEP on our wireless net at the office. Too often, the interaction between the card and the access-point doesn't work well if WEP is enabled (different vendors for the two products).

      Instead, we've segregated all of the WAPs onto a dead-end network where the users have to VPN into our LAN through a border server. (Basically treating them as if they were outside the office and coming in from an external ISP.)

      Works pretty well, other than having to remember to VPN into the network. The traffic ends up encrypted (inside of the VPN tunnel), so it's not possible to sniff passwords.

      --
      Wolde you bothe eate your cake, and have your cake?
    3. Re:At least use WEP! by Rascasse · · Score: 2, Insightful

      Here in the cafes in Toronto where I use my iBook, WEP isn't enabled on the pay-as-you-go wireless Internet services. But that doesn't mean I'm vulnerable. I set up my Linux box at home to act as a VPN gateway and the first thing I do after connecting to the hotspot is connect to my VPN and do my Internet surfing indirectly from home.

    4. Re:At least use WEP! by mcrbids · · Score: 2, Insightful

      I leave my access point open. It's on a different network segment, and I figure if someone has an 802.11 card I'll help out with their bandwidth. If it ever becomes a problem on my bandwidth, I'll just regulate that segment.

      A classic case of altruism meets real-world. Contributing your bandwidth is all fine and dandy until some jerk uses it to send bomb threats to the president. Or send all kinds of incriminating pseudo-spam that makes you look very bad.

      Perhaps a picture of some guy's backside with the wording "A little love from us at nerd farm!" in big, yellow letters.

      And, looking at the email headers shows that it did, in fact, come from YOUR network segment...

      I'd suggest a bit of security-consciousness goes a *long* way...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:At least use WEP! by Xerithane · · Score: 2, Insightful

      And, looking at the email headers shows that it did, in fact, come from YOUR network segment...

      First, it's not anything related to nerdfarm. Second, what makes you think I don't have any security in place on top of that? Such as filtering port 25, and only allowing ssh and http, https?

      It's not altruism, it's just not being a dick.

      --
      Dacels Jewelers can't be trusted.
    6. Re:At least use WEP! by Anonymous Coward · · Score: 2, Interesting
      I liken WEP to the Club. It's a deterrent. Most casual thieves can defeat the Club. But why should they bother when 95% of cars don't have them? (Unless the car is a Lexus, but that's beside the point.)

      Most people who are just out casually wardriving are going to drive right by a locked network and hit one of the other 15 that are open.

      And if your firmware allows it...
      • Turn off SSID broadcasting (I have read some articles that say not to do this, but I've yet to find a good reason not to. But if shutting off your SSID breaks something, then I guess you'll have to keep it on.)
      • Lower the radio signal power to a level that isn't broadcasting any farther than is necessary. If you have a good solid signal at half power, it's not going to make your downloads any faster by having the power all the way up. But if you start dropping connection, then you might have to turn the signal up.
      • Change all the default WAP settings such as the admin password (and name if possible), disable the guest account if one exists or at least change the password.
      • Don't use meaningful names like "DL614" - in a personal wardriving experiment I was able to look up the default admin name/password/default IP for the router on a WAP because the guy used the manufacturer name and model # as his SSID.
      • MAC address filtering


      Go into the firmware and shut off the radio broadcast if you're not going to be using your wireless for some length of time. I wish manufacturers would include a radio shut off scheduler like some do for Internet traffic. So you could have your wireless radio broadcast automatically physically shut off at night and automatically come back on at 8 a.m. And a manual switch on the front of the WAP would be cool too since mine sits on my desk. I'd flip the switch to shut off the radio if I was going to leave for a while.

      I'm probably forgetting a few things but those tips should help.
    7. Re:At least use WEP! by Malor · · Score: 3, Interesting

      If you have a Linux firewall, just add another network card and move the wireless traffic off onto its own segment. Tunnel the laptop to either the firewall or a desktop machine behind it; one easy way is by running squid on a Linux box, connecting to it with SSH, and routing local port 3128 to remote port 3128. Then configure IE to use 127.0.0.1:3128 as your proxy port. Disallow all traffic except SSH to your Linux server, make sure you run a firewall on your laptop, and disallow wireless administration of the access point. This should give you a fairly secure wireless network.

      If you need additional services, you can tunnel those too; ssh can do it for free via Cygwin, but it takes a little time to set up. (each port requires a separate ssh command; you can script them if you always need several). You can also use a payware program like SecureCRT to forward multiple ports with a nice GUI interface.

      With this kind of setup, WEP becomes essentially irrelevant. In fact, it may be a detriment, simply because you may get sloppy about not setting up your tunnels if you think maybe you're not being watched.

      You can also do IPSEC, which will work with anything and won't require specific tunneled ports, but that's a lot more complex. SSH is simple, fast, easy, and pretty secure.

    8. Re:At least use WEP! by j+h+woodyatt · · Score: 2, Interesting

      "At least use WEP?"

      That's not really great advice. If you can use WPA w/EAPOL, then use WPA w/EAPOL. If you can't be bothered to run an authorization server (or you don't know what that is), then use WPA w/PSK (pre-shared key).

      Robert Moskowitz is telling us that securing a network with a poorly-chosen shared secret is a bad idea, because dictionary attacks are easy to mount. If your WEP key is an ASCII string of characters spelling out the word "PEANUT" then you're just as vulnerable (if not more) than if you had used that secret as your WPA pre-shared key passphrase.

      Why? Because, in addition to the well-known weakness of WEP, it's also the case that an offline dictionary attack might succeed sooner. Just snarf a pile of WEP-encrypted frames and mount a dictionary attack on the raw WEP key used to encrypt the IP headers.

      And if the access point is an Apple AirPort Base Station, then the WEP key is actually most likely the product of a hash function (one not widely published, but it's no secret). That's only a little speedbump.

      The problem has always been there. It isn't getting any worse with WPA pre-shared key. If you can upgrade to WPA, you have no good reason to stick with WEP other than you're lazy. (Don't get me wrong-- lazy can be a perfectly good reason.)

      And if you're a network administrator, and you care deeply about wireless security, because-- I don't know-- you're on contract to the U.S. Department of Homeland Paranoia, then install a RADIUS server and run WPA w/EAPOL. And spend the extra $49.95 per station for the hardware upgrade to support AES rather than TKIP. All your deepest fears should be ameliorated by this.

      --
      jhw
  5. There will always be stupid users... by mackman · · Score: 3, Insightful

    The important thing here is that this allows for actual security for users smart enough to use good passwords. Even in hex users can enter dumb passwords ("AA AA AA AA AA...").

  6. Big deal by WolfWithoutAClause · · Score: 4, Informative
    Just about any protocol allows dictionary attacks. Whilst some techniques, like salt, help, ultimately they make the problem for the bad guys only slightly harder.

    Only long passwords and encouraging the users to use good quality passwords/phrases really helps.

    Ultimately though, these passphrases are flawed anyway- they are a form of shared password. History has shown this to be a thoroughly bad idea, one passphrase per user/machine is a far better idea; and even the user shouldn't know what it is (that way it can't get beaten out of them- black cosh cryptography works pretty darn well.) These standards organisations aren't even trying.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
    1. Re:Big deal by timeOday · · Score: 2, Insightful
      Ultimately though, these passphrases are flawed anyway- they are a form of shared password. History has shown this to be a thoroughly bad idea, one passphrase per user/machine is a far better idea... These standards organisations aren't even trying.
      Well, the second sentence in the article does say that the standard provides for each MAC address to be given a different key. In fact it's called a "Pairwise Master Key."
  7. Improvement over WEP?! by hobbesmaster · · Score: 3, Insightful

    Hold it, someone correct me if I'm wrong, but doesn't this mean that instead of collecting thousands of weak packets in RFMon you just need to collect one packet from each network and brute force it?

    Which method is harder to crack? I'd take WEP. Simply because it takes longer to collect the necessary packets; especially on a smaller network. On a larger network it may work out to be better from a security standpoint for the cracker to start a brute force attack on the packet on a spare computer and let it sit for a few days instead of having him hide a pocket PC with a wifi card in range of the AP for a few days.

  8. WEP newbie question - how bad is it? by frostman · · Score: 2, Interesting

    I've just bought my first wireless kit (DLink 802.11b wireless router plus card for $60).

    I did some reading on WEP and it sounds pretty frightening. Today I'm going over to set up the same kit for a friend who's NOT a slashdot type. I'm pretty-well used to data protection issues, and I take reasonable precautions and would also not freak out if something Bad happened. But I'm wondering what I should tell my non-techie friend.

    Practically speaking, just how vulnerable is WEP? If my friend has a good non-dictionary password and uses "256 bit" encryption, is he reasonably safe from casual hijacking?

    That's certainly what the manufacturers would have us believe, and the low prices and ubiquitous Starbucks access points seem to be causing a lot of folks to adopt wireless, at least out here in silicon valley.

    Having read up on the security problems, I'm now hoping some of you can provide or point to real-world scenarios.

    Hope this isn't too off-topic...

    --

    This Like That - fun with words!

    1. Re:WEP newbie question - how bad is it? by hobbesmaster · · Score: 3, Informative

      It takes far longer than that. Getting thousands of interesting packets takes weeks for a 256bit WEP network being used by only one person.

      And yes, this is from experience. I will neither confirm nor deny that I was given permission to try this...

    2. Re:WEP newbie question - how bad is it? by Dusty · · Score: 4, Informative

      Ars Technica has a good summary of what you can do with SSID's and WEP to improve your wireless network's security:-

      Security Practicum: Essential Home Wireless Security Practices
    3. Re:WEP newbie question - how bad is it? by timeOday · · Score: 3, Informative
      The threat is way overblown. I'm willing to bet that fewer than 1% of WEP-protected access points fall to cryptographic weakness (but my guesstimate will yield immediately to anybody with ACTUAL DATA that agrees or disagrees). Any sensitive data you send, you should be (and probably are) sending over ssl (when the little lock appears in your browser window), using ssh instead of telnet, etc. As for Starbucks access points, they're not protected by WEP anyways.

      Just enable the WEP, use secure applications for sensitive data, and quit worrying about it.

    4. Re:WEP newbie question - how bad is it? by ch-chuck · · Score: 3, Informative

      Don't worry, set him up, turn on wep, make some keys, and also use MAC filtering so only known stations can get in. To get around both those someone has to be fairly determined, just like someone determined to get in your house can probably do so, no matter what locks and alarms you install. That'll keep out the accidental neighbors and casual drive by scanners. Anything important like credit card numbers should be encrypted from browser to server with SSL anyway.

      Now, if a bank or hospital was going to install a wireless wep on a campus with account passwords etc in the air in the parking lot, then you'd have good reason to worry.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    5. Re:WEP newbie question - how bad is it? by LearnToSpell · · Score: 2, Insightful

      It doesn't _hurt_ to enable the MAC address protection though.

      It's next to useless. It doesn't hurt, but it doesn't help. If somebody's cracking your WEP key, MAC addressing isn't even going to slow them down.

      And if they are stupid enough to hijack your MAC while you are using it (and to figure out the MAC they'd first have to break the WEP),

      Not true. You can get the client MACs within seconds, without cracking anything.

      you'd know pretty quickly that something was going on.

      How?

    6. Re:WEP newbie question - how bad is it? by Brad+Mace · · Score: 2, Informative

      I think 1-2 days is more likely, especially with only one person using it. The important thing is that it's no longer about casually driving by and noticing it's open. Someone would have to invest a lot of time to get past it. It's doubtful anyone is going to bother. Even more so when they could just drive down the block and find an open node. using MAC filtering also makes more work for intruders, though they can sniff those from your traffic and spoof them.

  9. My Dog Has Fleas by Anonymous Coward · · Score: 2, Interesting

    ...my wireless router has a first name
    it's l-i-n-k-s-y-s

    my router has a SSID
    it's l-i-n-k-s-y-s

    RE: password security -- what about the old technique of using an acronym for something that wouldn't be hit by a dictionary attack? Um, like:

    My Dog Has Fleas And Your Mom Does Too would create a password of "mdhfaymdt" ? Secure enough...and probably not in someone's best interest to share with anyone else.

    1. Re:My Dog Has Fleas by shird · · Score: 4, Informative

      Actually, a dictionary attack is unlikely to break 'My Dog has Fleas' because it is composed of multiple words, is fairly long, and has mixed case. Dictionary attacks typically involve just one or possibly two words strung together. Any more and it becomes pretty impractical.

      The only practical way to find that password is through brute force. In this scenario, the longer the password and more possible different characters (ie lowercase and uppercase, and spaces) makes it more difficult. Thus, 'My Dog has Fleas' would be more secure than 'mdhfaymdt' against a brute force attack. The latter could be broken in a matter of hours through brute force.

      --
      I.O.U One Sig.
  10. This is *Supposed* to be hard by TechyImmigrant · · Score: 5, Informative

    The idea here (I know, I was there when we voted it into the standard) is that the PBKDF2 is computationally significant.

    Thus when you perform your offline dictionary attack, for each lookup in the dictionary, you must perform 4096 HMAC_SHA1s and this might take some time if you are looking up a large number of dictionary entries.

    The basic conflict is the wide disparity between the power of processors in low end 802.11 transceivers and high end computers. The time to compute the 4096 HMAC-SHA1s is significant on say a slow ARM7TDMI and the 4096 value is a compromise to limit the delay in computing this. This delay affects the time from pressing return on the keyboard, to the time the PTK can be known and communications can begin.

    However the attacker can apply his cluster of 3GHz PCs, or his FPGA HMAC_SHA1 parallel processor, or his supercomputer array, and make the speed of dictionary lookups relatively insignificant compared against the strength of the passwords being used.

    The wise people asked for a much higher number than 4096. Some implementation types beat it down to 4096, and here we are..

    --
    Evil people are out to get you.
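
The per-guess cost described in the comment above, as an added example (not part of the original thread or of any vendor's code): WPA-PSK derives its 256-bit key with PBKDF2 over HMAC-SHA1, using the SSID as salt and 4096 iterations, and this sketch counts the HMAC calls, measures the local guess rate and converts a passphrase-entropy estimate into search time. The function names, the sample SSID and the 2.5 bits-per-character default (the figure another comment in this thread quotes from the paper) are assumptions.

```python
import hashlib
import hmac
import math
import struct
import time

ITERATIONS = 4096   # iteration count fixed for WPA-PSK
PMK_BYTES = 32      # the derived key is 256 bits
SHA1_BYTES = 20     # PBKDF2 emits one HMAC-SHA1-sized block at a time


def _encode(passphrase, ssid):
    """Apply the WPA-PSK input limits and return (password, salt) as bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return passphrase.encode("ascii"), salt


def wpa_psk(passphrase, ssid):
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)."""
    pw, salt = _encode(passphrase, ssid)
    return hashlib.pbkdf2_hmac("sha1", pw, salt, ITERATIONS, PMK_BYTES)


def wpa_psk_counted(passphrase, ssid):
    """Same derivation written out by hand; returns (key, hmac_calls).

    256 bits of output need two 160-bit PBKDF2 blocks, so the iteration
    count is paid once per block.
    """
    pw, salt = _encode(passphrase, ssid)
    calls, out, block = 0, b"", 1
    while len(out) < PMK_BYTES:
        u = hmac.new(pw, salt + struct.pack(">I", block), hashlib.sha1).digest()
        calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(ITERATIONS - 1):
            u = hmac.new(pw, u, hashlib.sha1).digest()
            calls += 1
            t ^= int.from_bytes(u, "big")   # T = U1 xor U2 xor ... xor U4096
        out += t.to_bytes(SHA1_BYTES, "big")
        block += 1
    return out[:PMK_BYTES], calls


def guesses_per_second(samples=5):
    """Measure how many derivations this machine completes per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk("constructed-guess-%d" % i, "ExampleSSID")  # constructed inputs
    return samples / (time.perf_counter() - start)


def expected_years(entropy_bits, rate):
    """Average time to cover half of a 2**entropy_bits space at rate guesses/s."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return 2 ** (entropy_bits - 1) / rate / (365.25 * 24 * 3600)


def chars_needed(target_bits, bits_per_char=2.5):
    """Passphrase length needed to reach target_bits at the assumed entropy rate."""
    return math.ceil(target_bits / bits_per_char)


if __name__ == "__main__":
    key, calls = wpa_psk_counted("My Dog Has Fleas", "ExampleSSID")
    print("PSK:", key.hex())
    print("HMAC-SHA1 calls per guess:", calls)
    rate = guesses_per_second()
    print("this machine: %.0f guesses/s" % rate)
    for chars in (8, 16, 20, 32):
        bits = chars * 2.5
        print("%2d chars ~ %5.1f bits: %.3g years at local rate, %.3g at 1e6/s"
              % (chars, bits, expected_years(bits, rate), expected_years(bits, 1e6)))
    print("characters for 128 bits:", chars_needed(128))
```
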
  11. one for the crypto/math freaks by nehril · · Score: 2, Interesting

    I think this problem is present in *any* system that relies on user passwords. according to the article, each character in a password is equivalent to about 2.5 "bits" of encryption (since you can't use the entire ascii bitspace and some words/letters are more common, etc). this is a higher number than I saw referenced in one of bruce schneier's books (he said 1.3 bits of entropy per char I think.).

    so, if your 128 bit or 256 bit or bit security system is ultimately based from a human-rememberable (and thus probably short) password, is there ANYTHING that can be done short of requiring 30 character passwords?

    1. Re:one for the crypto/math freaks by nehril · · Score: 2, Informative

      a good point, but that doesn't help against the offline dictionary attack listed in this paper: sniff some data, crack the password offline, THEN connect/spoof/raise hell. it will appear to succeed on the first *visible to you* attempt.

    2. Re:one for the crypto/math freaks by shokk · · Score: 2, Insightful

      This is where frequent password rotation comes into play. Security is more than that single great password. You need to have a continually changing flow of great passwords to keep one step ahead of hackers. What's in your password wallet?

      We do that in corporations where we are forced to change the password every 3-6 months, but we gripe about it and avoid doing it elsewhere. How many of us really take that extra measure of security? Remember, security is a process, not a destination.

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    3. Re:one for the crypto/math freaks by cookd · · Score: 2, Informative

      Kudos to a sibling post who brought up the fact that the only way to prevent this kind of attack is to limit the number of attempts possible in a span of time. The article/post failed to emphasize this enough.

      When possible, it is nice to find an algorithm or a protocol that allows two parties to authenticate without actually revealing enough information to identify the key.

      The lowest level of security would be where everything is out in the open for any observer -- they still have to observe, but one observation is all that is needed. For example, if you hand somebody your credit card, they have all of the information necessary to use it to steal from you -- it is all there on the card, perfectly legible. As another example, if you walk up to a terminal and type your password, anybody with camera pointed at the keyboard or some kind of electronic keylogger will be able to record your name and password on the wire, and then they know everything they need to know to take over your account.

      Things are slightly more secure when some additional work is required after getting the information. The old-school UNIX passwd file with encrypted passwords out in the open was like this -- anybody could copy the passwd file, but they would then have to run a cracker on it for a few weeks or months before anything useful showed up. Now that computers are faster and security is more of an issue, the passwd file is shadowed so that the passwd file doesn't actually have the encrypted passwords, which is a good thing because the original crypt algorithm can now be cracked pretty easily. This exploit is similar -- you can watch a session initiation, and with only that info, you can crack the password.

      --
      Time flies like an arrow. Fruit flies like a banana.
    4. Re:one for the crypto/math freaks by PD · · Score: 4, Interesting

      It's actually a stupid idea.

      Your chance of winning the lottery is exactly the same if they change the winning numbers, or if they don't change them.

      Making users change passwords does the following:

      1) Annoys the users.
      2) Users are likely to pick easy passwords to remember, rather than memorizing a really good password just once. Or worse, they will write the password down.
      3) Does all that for no increase in security. Yay!

    5. Re:one for the crypto/math freaks by cookd · · Score: 2, Informative

      I fell asleep before I could finish my post last night, and I hit "submit" as I was drifting away. So continuing where I left off...

      There is a third category of transaction security, where even after observing the entire transaction, an eavesdropper doesn't have enough information to impersonate you. Generally, this takes the form of challenge-response. The server asks "42365?" and you answer "92581!" which is the correct answer. But an observer still doesn't know how to impersonate you, because next time, the server will ask "98765?" and the observer doesn't know that the answer is "45678!". Smart cards are like this, which is why they are more secure than credit cards or passwords.

      Each of these three categories still have varying degrees of security.

      In the first case, it is easy to use the information from a stolen credit card, but it would be pretty hard to make use of the information from a retinal scan. In both cases, you have all the information, but it's quite a pain to get your eyes replaced (if you get hungry, there's a sandwich and some milk in the fridge...).

      In the second case, while reversing a crypt password isn't too tough anymore, it still takes a bit of work to reverse engineer a 1024-bit RSA key. In both cases, the information is out in the clear, but factoring a 1024-bit number is a lot more work than running the crypt algorithm a few billion times.

      In the third case, "Mary had a what?" --> "Little lamb!" is easier than a smart card transaction.

      While we would love to have a cryptographically strong variation on the third case for every possible authentication/encryption transaction, it just isn't practical. In the case of WEP/WAP/Whatever, there are a lot of limitations to work around. It has to work on cheap hardware, it has to be fast enough to handle the traffic, it has to work in the face of many dropped packets, it can't inconvenience the user too much, etc.

      While I can think of a few things that I might have done differently, it seems like the new protocol is decent, given the limitations they were facing. While I wouldn't want to trust top-secret information to it, it seems that it is good enough for the average Joe.

      --
      Time flies like an arrow. Fruit flies like a banana.
  12. Shorter Version of the Article by f1f2f3 · · Score: 3, Insightful

    "Poorly chosen passwords lead to insecurity."

    Well, duh. I didn't need three pages of dense, TLA-obscured claptrap to tell me that.

  13. What's that? by dswensen · · Score: 5, Funny

    perform an offline dictionary attack

    What, you sneak up behind the sysadmin and brain him with a copy of Webster's?

    1. Re:What's that? by Anonymous Coward · · Score: 2, Funny

      perform an offline dictionary attack

      What, you sneak up behind the sysadmin and brain him with a copy of Webster's?

      Better that than using the Oxford English Dictionary. Talk about your weapons of mass instruction.

  14. Re:passphrases kick password ass by Muerte23 · · Score: 2, Insightful

    actually, your passphrase has much lower entropy than your random password. assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits. now consider the deterministic ordering of words in an english sentence, and you knock off a few more bits.

    but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per character. now 72^20 is a lot. that's about 26 bits.

    so it may be easier to remember, but it's not more secure.

  15. WPA dictionary attack by uucpbrain · · Score: 5, Insightful

    Speaking as a cryptographer and longtime security geek, this weakness is about as damning as... using a 128 bit cipher that only gives 120 bits of protection. Look at the big picture. Most people don't even use WEP, let alone limit access by MAC address. The average user is SO oblivious to security, sharing passwords, opening .EXE attachments... I'd hate to recall how many times I found things like .rhosts files with '++' in them among career Unix programmers who must have known better. WEP was a semi-broken protocol, TACACS+ was a totally broken protocol, there was no way one could use them without compromising security. Just as nobody can use a number of commercial software products without compromising security.

    WPA, on the other hand, is a very well-designed protocol. It is only as weak as its users are careless. And one need not choose "h^Ne#b8SV@,4g%yP" as a password to avoid this attack, any semi-uncommon phrase of 4 or 5 words will do.

    I will deal with this problem by threatening users with a nasty note in their personnel file if they choose a sh*t passphrase -- and terminate their wireless access. And yes, I will try cracking the passwords myself, just as I have done with operating system passwords for several years.

    I sure wish all my security problems were so simple! At least WPA *can* be secure, unlike the steaming heap of offal that most folks call a desktop operating system.

    1. Re:WPA dictionary attack by weileong · · Score: 2, Interesting

      One thing I'm curious about, is that nobody seems to be talking about the installed base of WEP-only wifi equipment already out there (which, as is evidenced by all the almost-as-excited-as-during-the-bubble-days VCs, is quite a large one). I've not heard of any plans by anyone to retrofit WPA onto existing WEP-only equipment (about the only one I know of is Apple's recent software update, but that's only for users of a subset of their installed base (those with the original Airport system aren't included), and the further subset of those who've purchased the latest release (10.3; no update for 10.2 has been released and it's unclear at this point if there ever will. Does anyone have any better info?)).

      I'm sure the manufacturers would hope that people would just rush out and buy new WPA-capable equipment after junking their old WEP-only ones, but I'm figuring most people would just keep on using it (or is part of the WPA rollout going to involve a massive FUD campaign to instill The Fear Of Airsnort upon the general public?).

      In which case, won't Airsnort et al retain "usefulness" well beyond the introduction of WPA and the ostensible "retirement" of WEP... ?

      (Of course, none of this would apply to the people using completely unencrypted wifi, which is a yet bigger proportion of the wifi using population...).

  16. WPA itself remains robust and secure by frovingslosh · · Score: 2, Insightful
    WPA itself remains robust and secure

    Boy, some people just want to find things to complain about. I just read another "you have to protect us from ourselves" article today, perhaps this should have been included in their list. Personally, I think if people want to hurt themselves this way they should be allowed to do so. If they do it as part of their job then better qualified technical people should take their place.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  17. Cryptography is not for the math-impaired by Anonymous Coward · · Score: 2, Informative

    Where are you getting this stuff?!?

    assuming there are about 10K words in common vocabulary, and you use 10 words, that's about 10,000^10. pretty large, but only about 23 bits.

    10,000^10 ~ (2^13.3)^10 = 2^133 = 133 bits of encryption.

    but your 20 character password has a huge entropy. you have 26 lowercase letters, 26 uppercase letters, 10 numbers and about 10 punctuation marks. that's 66 possibilities per character. now 72^20 is a lot. that's about 26 bits.

    66 possibilities * 20 chars ~ (2^6)^20 = 2^120 = 120 bits of encryption.

    1. Re:Cryptography is not for the math-impaired by adrianbaugh · · Score: 3, Informative

      A program implementing a true brute force attack would be really stupid, though, at least for [J. Random Muppet]'s account; lots of time would be wasted trying aaaa, aaab, aaac etc., when the password is far more likely to be "password" or "150367". Once you force people to use passcodes of a length sufficient that even dumb people are likely to enter more than one word, or a word with at least one number, you enforce a level of security unbreakable by most entities over the average duration of a user's session. OK, that isn't anywhere near perfect but it's a lot better than allowing "password", "banana" or "slashdot"....

      --
      "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
      - JRR Tolkien.
  18. Organizations Do This to Themselves by Valar · · Score: 2, Interesting

    Many institutions unwittingly standardize on weak passwords. For example, a certain EE department at a certain university (that I might attend) has a password convention of six characters, letters and numbers, but no two letters or numbers are allowed next to each other. So all the passwords are number, letter, number, letter, etc or letter, number, letter, number. They don't even require mixed case letters.

  19. Kerberos by GreenKiwi · · Score: 2, Interesting

    Why don't these companies start implementing Kerberos? Or something similar. My understanding is that no passwords are ever sent out over the network.

    http://web.mit.edu/kerberos/www/

    1. Re:Kerberos by Bored+Huge+Krill · · Score: 2, Informative
      the problem isn't that passwords are sent over the network in the clear. They aren't. The problem is that any security system* that relies upon passwords as the basic secret is vulnerable to an offline dictionary attack; collect a sample of an exchange where the password was used somehow to encrypt a nonce also sent over the network, and try all the words in the dictionary that might be used as a password in an attempt to replicate the same exchange. When you get a match, bingo - you have the password.

      * there are some known systems that use passwords but which are not susceptible to this attack, involving a carefully bound combination of passwords and a Diffie-Hellman exchange. I don't have a reference to hand, but such a system exists. Kerberos isn't it, though.

      Krill

  20. how about my password? by SHEENmaster · · Score: 2, Funny

    6cea e4ca 6713 721c 4cbf 71a4 e1aa 8972 0a03 f9d0 47a9 8f3c 9ead 8fb4 35d9 38c0 0406 1f02 0c46 878f 42f8 5ec1 77c5 1a99 f64b 5ad3 bb82 2c93 7870 a725 ba29 dd2b c470 0e70 3bf4 9c50 01a3 31cd c717 0b68 afe0 d479 62b2 46c0 a0c6 af61 c8e0 1915 01f4 8df8 be64 7401 4ed7 1459 766c d888 e772 f41b b310 e958 ebf6 87a1 c0e7 7a60 99d1 38ff d009 4c65 7a5f dbb0 f347 7a65 1f34 254c 8167 d103 4e34 9fc7 c97b 9ac0 0575 12a5 4f0d 9c87 5015 a647 ab9d 0ff6 f940 c1e7 1699 bfef 9827 b19f 9bc9 8391 3985 ed5e 275d f2c0 d3cd d489 13d3 6d0c 9aba 85e2 221d 1990 2fc8 1584 f2cf f7a1 98de 819d 6d2f 954e 83f0 d4a6 b854 940b 6cec a490 f7ce f556 fff2 fc53 daee 7af2

    By coincidence, I do plan to name my kids in hex. Leet-speak would make them look like wimps, while 6cea would certainly make my kid the coolest throughout school.

    --
    You can't judge a book by the way it wears its hair.
  21. Re:News flash! Easily cracked passwords easy to cr by eggboard · · Score: 2, Insightful

    You're missing the point here: you're sophisticated and understand that poor password choice produces high risk.

    Since WPA is susceptible to dictionary attacks, wouldn't you build an interface that would reject poor passwords? Or would you advertise WPA as a way to enter simple passwords? You're smart: you'd build an interface that had crack behind it and a good dictionary, or at least required 20 digits and some punctuation.

    Since the marketing folks and interface designers are encouraging the use of simple passwords, this dramatically increases the risk to consumers that their networks aren't truly secure.

    --
    Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
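The kind of setup-screen check the comment above asks for, which also works through the entropy estimates argued over in comments 14 and 17, as an added Python example (not code from the thread, the paper, or any vendor). The word list is a constructed sample, and `MIN_BITS` and `MIN_DISTINCT` are assumed policy values; only the 8 to 63 printable-ASCII limit comes from WPA itself.

```python
import math
import string

# Constructed sample list; a real check would load a large cracking dictionary.
COMMON_WORDS = {"my", "dog", "has", "fleas", "password", "banana", "slashdot",
                "mary", "had", "a", "little", "lamb"}
VOCABULARY = 10_000     # vocabulary size assumed in the thread's estimate
MIN_BITS = 64           # assumed policy threshold, not part of WPA
MIN_DISTINCT = 6        # assumed floor that catches "AAAAA..." style input


def charset_size(passphrase):
    """Alphabet size implied by the character classes actually used."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in passphrase))


def estimate_bits(passphrase):
    """Upper bound on guessing work, taking the cheaper model for an attacker."""
    char_bits = len(passphrase) * math.log2(charset_size(passphrase))
    words = [w.strip(string.punctuation).lower() for w in passphrase.split()]
    if words and all(w in COMMON_WORDS for w in words):
        # Every token is a dictionary word: the search space is words, not characters.
        return min(char_bits, len(words) * math.log2(VOCABULARY))
    return char_bits


def check_passphrase(passphrase):
    """Return (accepted, estimated_bits, reason) for a proposed WPA passphrase."""
    if not 8 <= len(passphrase) <= 63:
        return False, 0.0, "WPA passphrases are 8 to 63 characters"
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return False, 0.0, "only printable ASCII is allowed"
    if len(set(passphrase)) < MIN_DISTINCT:
        return False, 0.0, "too few distinct characters"
    bits = estimate_bits(passphrase)
    if bits < MIN_BITS:
        return False, bits, "estimated guessing work below threshold"
    return True, bits, "ok"


if __name__ == "__main__":
    for candidate in ["My Dog Has Fleas", "password", "A" * 20, "h^Ne#b8SV@,4g%yP"]:
        print(repr(candidate), check_passphrase(candidate))
```

The estimate is only as good as the dictionary behind it: a phrase made of words missing from the list falls back to the per-character figure, which overstates its strength.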
  22. How is this worse? by Halo- · · Score: 3, Insightful

    Okay, so users might pick a password which is less than 20 characters and is dictionary based. Guess what? They always will... Security is a balancing act. If you make security too cumbersome, then users will find a shortcut and abuse it, making it worse than no security. If the spec enforced something like: "passphrases must be at least 128 hex characters" you'd end up with a bunch of passwords which were all "AAAAA..." (or something similar)

    The simple truth is people are lazy. How many passwords do you have? And how many password guarded accounts? I bet even the most diligent of us out there only have a small number of "good" passwords which we use for damn near everything and never rotate.

    The problem with WEP was flawed crypto. No matter how good my password was, someone could crack it with unacceptable ease. At least with this new scheme those of us with "good" passwords have a chance.

  23. Tell me about it. I practically orgasmed... by Ayanami+Rei · · Score: 2, Interesting

    when I read buried way down in the Solaris 9 12/02 release notes that they'd be FINALLY supporting md5 password crypts.

    And in typical Sun style, they created a new plugin architecture to support it. There are all of two useful plugins (the standard crypt is built into libc)... ::eye roll::

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  24. WEP isn't that bad to begin with by Brad+Mace · · Score: 4, Informative
    If you're smart when you set up your access point, and turn on WEP, 99.9% of people that might hack your network are going to go find an easier target. The typical figure I've heard is 24 hours or more to get enough traffic to break the encryption. Unless someone knows you have something they want, they're not going to bother.

    Home users are going to generate less traffic than businesses, and so it will take even longer to get enough traffic. Unless you happen to notice a van parked outside your house for a couple days, or find yourself staring down the barrel of a pringles can, you can relax.

    1. Turn off SSID broadcasting
    2. use a unique SSID
    3. For God's sake, change the admin password
    4. Turn on WEP
    5. Use MAC address filtering
    Congratulations, you're now more trouble than you're worth.
  25. Not a big deal by mcrbids · · Score: 2, Insightful

    Guys, wifi is limited in scope to that which is not more than a few hundred yards from the access point. The password doesn't have to stop everybody, just everybody not too far away.

    That limits the damage scope of a malicious party to that within a half a mile of their present location.

    The *same* limitations of passwords on the public Internet, however, are much more likely to be damaging. Let me give an example...

    How many people use email with pop3 over the Internet? Not only are these accounts typically set up with crummy passwords (like "Robert" - their middle name, or "120871" - their b/day) but then the passwords are sent, several times/day in plaintext!

    And yet, with all of these big, huge, security no-nos, pop3 reigns supreme as the standard for email receipt on the 'net, and seldom is there actually a problem.

    So, to wit, we have an issue like "A credit card can be used to bypass the locks on many doorknobs" and it makes front page at /.?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  26. Re:open waps... by stripes · · Score: 2, Interesting
    They can nail you for possession.

    Wait a minute. Person A has an open WAP. Person B downloads kiddie porn using person A's WAP. Assuming person A doesn't have a caching web proxy how does person A possess anything that person B downloaded? It isn't on his WAP (granted it was in his WAP's RAM for a few milliseconds), it isn't on his laptops, it isn't on his desktops, it isn't printed out in his house, it isn't hiding in his car.

    Wouldn't that be like charging person A for kidnapping if person B drove across his lawn with a trussed up body in their trunk?

    It doesn't pass the sniff test.

    Now this being "anything to protect the children" America I can see them charging Person A with something else, some sort of aiding charge or something. (actually I guess they could charge you with anything, but getting a judge to not laugh at possession when nothing is possessed seems like a long shot)

  27. Re:open waps... by jolyonr · · Score: 2, Interesting

    Yep, you'll be able to quite easily prove that the pr0n was never on your computer - the problem is that you'll have to wait until *after* the authorities have broken down your door at 6am and taken away all your computers for analysis.... And persuading your ISP to let you re-register as a customer once they've cut off your account.

    Jolyon

    --


    Please read my Canon EOS tech blog at http://www.everyothershot.com