Security evaluation of 802.11i
Uberhacker.Com writes "Server Pipeline features an interesting report on the security viability of 802.11i. As most observers of the WLAN industry are aware, the security features found in the original standard were woefully inadequate. To a certain degree, these deficiencies reflected the perception that security services are normally implemented at layer 3 and above. 802.11i's privacy services are built on top of AES, a strong encryption standard that passes muster with even the most paranoid security administrators."
AES!=SECURE! It's how you implement it and use it that makes you secure!
AES is the buzzword of the moment. The real question: is 802.11i implemented in such a way that it is secure from the get-go (even at the expense of usability), and implemented in such a way that it can be upgraded quickly and easily should exploits be found.
Well?? I don't give a damn what algorithm it uses, I just want it to use the algorithm CORRECTLY.
You can't throw pretty sounding state of the art encryption schemes at something and call it secure. WEP's failing was not a bad algorithm. RC4 isn't new by any means, but it's nothing to turn your nose up at. When used properly, it can do the job. But WEP used predictable session IDs, a tiny key space, and a whole host of recommended but "optional" WEP concepts that the manufacturers ignored because they were all harder to implement.
WEP was designed with the model:
1. pretty acronyms.
2. mumble mumble mumble
3. SECURITY!!!
You could use AES in WEP and it would still be breakable; the key exchange was piss poor, making the entire system piss poor.
I didn't read the article, this was just me bitching at the slashdot post, and people who believe fancy new encryption = security automagically.
--Nuintari
slashdot : where an opinion can be wrong.
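The point made in the comment above, that a sound cipher fails when its keys are managed badly, shown as an added example (not part of the original post): WEP forms each RC4 packet key from a 24-bit cleartext IV plus the shared key, so a repeated IV repeats the keystream. The key, IV and plaintexts are constructed, and the CRC-32 integrity value is left out.

```python
import math

IV_BITS = 24  # WEP's per-packet IV is 24 bits and travels in the clear


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the RC4 key is IV || shared key (ICV omitted)."""
    return xor(plaintext, rc4(iv + shared_key, len(plaintext)))


def frames_for_collision(probability: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Birthday bound: frames with random IVs until a repeat is this likely."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - probability))))


def demo():
    shared_key = bytes.fromhex("0102030405")  # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")              # constructed IV, used twice
    p1 = b"GET /index.html HTTP/1.0"          # constructed plaintexts
    p2 = b"user=alice&balance=1000;"
    c1 = wep_style_encrypt(iv, shared_key, p1)
    c2 = wep_style_encrypt(iv, shared_key, p2)
    # Same IV and key give the same keystream, so it cancels out of c1 XOR c2.
    leaked = xor(c1, c2)
    # Knowing one plaintext then yields the other without ever touching the key.
    return leaked == xor(p1, p2), xor(leaked, p1)
```

Swapping RC4 for a block cipher in a stream mode would not change the outcome of `demo()`; the repeat comes from the 24-bit IV space, which `frames_for_collision()` puts at roughly 4,800 frames for even odds.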
Here is the problem: Most people *still* aren't going to turn on encryption, and 802.11i doesn't address one of the biggest reasons people don't turn on encryption:
Encryption makes configuring your wireless network 10x harder for the average person.
As the article recognizes, "the lack of a single, universally accepted standard will inevitably lead to implementation and interoperability challenges."
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
So what is the average user supposed to do? Just keep waiting, I guess...
You don't have to be totally hack-proof, just more so than any other potential target. :)
-ninjaneer
Encrypted wlan communication needs to be so straightforward that end users can connect to *any* access point and be assured of privacy without any additional configuration.
No.
Because then you don't necessarily know if you're connecting to an attacker's access point or not. This is mostly why security doesn't belong at L2 -- you don't care or trust the next hop, you trust the endpoint (or at least some faraway gateway that gets you into the endpoint).
--Dan
It's not really security through obscurity. The encryption stops attackers from joining a wifi network, besides protecting all data passing through it. That's a big deal, because passive sniffing is one thing; active attacking is another. Once they can inject packets onto your network, depending on design, they have breached a layer of security (then there are those that treat their wifi like the internet and trust none of it).
Yup, your L2 is secured and your L4 is as well; when we get IPsec in place your L3 will also be secured.
It's all breakable; it's just a question of time vs. computing power. There is only one known unbreakable encryption method, the one-time pad (quantum encryption is really just pad generation and distribution with the added benefit of being tamper evident).
AES secures Layer 2; the physical layer might be secured via Faraday cages, directional antennas, guys with guns, etc. But only the really paranoid worry about that too much.
Overall it's a good idea to secure each and every layer, as it just adds to the amount of computation required to decrypt what you want.
No sir, I don't like it.
Some pretty substantial information can be gleaned from headers. You may not care that people know you're sending data to your credit card company. But some people do care. Any theoretical thief now knows what bank you use, for one thing. Someone with some amount of authority or social-engineering skills could go to the bank directly and correlate their logs with your traffic and find out exactly who you are. A physical thief could notice that you're visiting porn sites and decide that since you're probably not paying much attention to outside, now would be a good time to steal your car. These are contrived examples I admit, but given time, privacy is eroded greatly by such small loopholes.
To compare it to its non-internet equivalent, it is the difference between allowing everyone to see your phone records (anyone can look at where your packets are headed), and requiring a subpoena to disclose them to a court of law (subpoena the ISP or destination sites' logs). In neither case can they see or hear exactly what you said to the other end, but obviously the latter is much preferable for anyone interested in privacy.
Random and weird software I've written.
Security through obscurity isn't intrinsically bad. That's essentially how I keep people both out of my car and my home. How many tumbler combinations are there for the typical doorknob anyway?
Never confuse volume with power.