Slashdot Mirror
Stronger Encryption for Wi-Fi
sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."
Please don't tell my neighbors about this technology. Thanks. :)
The World Wide Web is dying. Soon, we shall have only the Internet.
Be sure to use AES-256.
The real question is will the manufacturers come out with new drivers/firmware to take advantage of this new technology?
I hear that the various encryption protocols are easy to hack. But what about MAC filters? They have the advantage of putting all the security work on the server side. And though MAC addresses are easy enough to spoof, you have to know which MAC address to spoof, and there is quite a large address space.
So, are MAC filters any less/more secure than WEP?
I feel I speak for wireless users everywhere when I say "Good". What more is there to say?
All these new ways of encrypting data over wireless is great. Security of data is a good service. But how much will it cost, do you need more expensive hardware to create such encryption, will there be a loss of performance and other related factors. These are important and must be tested before we start saying that wap2 is the world's greatest thing for wireless encryption.
Depends on how motivated people are.
"I use a Mac because I'm just better than you are."
Correct me if I'm wrong, but isn't WPA2 just the WiFi Alliance being stuborn about what to call 802.11i? I mean, WPA was just supposed to be 802.11i minus everything that required hardware upgrades. WPA2 is just 802.11i, only not a real standard, ooh boy!
It is not as easy as everyone says. Try it with some brand-new, high quality equipment and you may be surprised at the result.
Oh well mine is enabled
----
Free IPods
So now instead of just a few hours with a current computer, it will take a bit longer, maybe a week or something. Then someone will figure out that the key string is MAC dependent based on time signitures, or something, and there we go, no more security.
I have no illusions about the "security" of WiFi, no matter how encrypted it may be. The signal is traveling through open space for anyone to look at, and if you look at enough of the signal, you can find the pattern. This just increases the processing power needed by the AP and Card, further pushing the development of more advanced, procs. (Don't get me wrong, I'm all for this)
I understand that corperations are interested in this for security, but for an average joe like me, I keep my access point wide open for anyone to use. If you want to look at my GF's reciepe's or our photos, go right ahead.
Security is only as important as you make it to be.
--sig fault--
Is this a software protection? A firmware protection? Will older devices be able to connect to WPA2 networks? That article is a bit... scarce on the details.
Using 128 bit encription on most residental points will take several weeks of listening to break (correct me if I am wrong here) Shouldn't we concentrate on convinceing users on just doing something.
If there's one place closed source is on the level with open source, its when the entire package has been validated by the folks at NIST under the FIPS 140 program.
p hi c
http://csrc.nist.gov/focus_areas.html#cryptogra
One of WEP's biggest design flaws has been that all data is encrypted with the same key. Sure, there needs to be some shared secret for authentication, but the actual data transfer should use a negotiated key known only to the user and the AP. WEP is all right for authentication, but when it comes to security it's useless against other authenticated users.
It wouldn't be a bad idea to use something like this for non-broadcase Ethernet either, now that I think of it.
Karma: Segmentation fault (tried to dereference a null post)
Our network uses a 802.1x system with dynamic WEP keys.. the system requires you to re-authenticate (handled automatically by 802.1x client software) with a randomly generated key every 15 minutes.
What is the real advantage to WPA here?
Or do we have to buy new products ?
I'm finding those wireless encryption thing to be a load of bullshit.
It seems like everytime they finally seem to get the crypto part down (WPA), we get something new (WPA2). I think I'll wait for WPA12938491849034 before upgrading any of my hardware.
Thankfully we have IPsec. (if only the OS-X version didn't suck so much)
Sunny Dubey
That's obviously BS - just look at who wrote it.
Lyons doesn't exactly have a reputation for writing accurate, nonbiased, intelligent pieces.
WPA-2 with AES 256bit encryption and Protected Extensible authentication protocol (PEAP).
Deal.
I still prefer a wired connection.
As long as these acess points are shipped with encryption turned *OFF* by default this is like pissing in the wind. It could be 1 billion bit one time pads and woulnd't make any difference. In my neighboorhood there are 10 unencrypted networks....all on the default channels. Out of the box straight onto the network is how they are set up. Joe Sixpack doesn't have time to deal with encryption.
*don't worry much residential war drivers..there will still be free lunch for a long time to come...
Which part is BS? The one where he directly quotes the people who chose Windows over Linux because it is cheaper?
As slashdot is becoming more "mainstream" you can expect more fluff and less punch. Hell, half the "science" articles are just ads now.
I believe the AES implementation they are using actually does encrypt the ethernet (MAC) address, unlike WEP. (See Tying It All Together in this article for corroboration of that.)
WPA2 with AES is the real deal.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Cause Slashdot doesn't exactly have a reputation for posting accurate, nonbiased, intelligent pieces.
HAHAHAHA!
The number of bits used by the key is not enough to judge the security of the system. You could have a crap cryptographic algorithm or, more likely, a crap protocol.
People talk about WPA security and how it's important, but the fact is most home users don't even change the default password for their wireless routers.
Bored? Visit my exciting counter page!
So this means to take advantage of the latest security, I would again have to upgrade all my AP's and Clients... $ $ $ When will this whole industry be commoditized enough that we have 'soft' radios for wireless (Like AC97 Audio) that allow us more flexibility in upgrading older hardware to newer standards? Heck, with a true soft-wireless chipset we could use one RF device for WiFi and Bluetooth and whatever they dream up next...
Sufficient for what?
Keeping a serious attacker away from your data, if it's specifically you he's after? Possibly not.
Keeping a casual war(mode-of-transport)'er out of your WLAN to stop him leeching your bandwidth? Probably.
or against it?
Karma? Karma? I don't need no stinkin' karma.
Seriously. You don't know what the purpose of encryption is.
The purpose of encryption is to make it so that information cannot be decoded by third parties who may intercept your information. There are years of mathematical proof and basis to prove that properly done encryption to be not capable of being cracked but simply so exceedingly difficult and time consuming that it is considered to be tantamount to being secure.
Link level security is fairly useless. It's fine for the average user, but the average user doesn't know how to turn it on. It would be great if there was some kind of auto-negotiated application layer security. Like IPSeC that has the user transport a USB dongle with the keys or something. This is just frivilous.
There are still so many devices that don't support WPA one.. Tivo, I'm looking at you. All this nonsense about a supplicant this and that. When is Tivo going to get on the WPA 1 train?
To me the chief advantage of WPA is a human readable password.
I just setup a wireless access point in the conference room at my company's headquarters. Not my idea but when the CEO wants to use his centrino notebooks wireless its move or be moved. Anyway, they wanted to leave it open and just turn it on when needed but I talked them out of that. Instead I set it up with 64bit WEP. The AP supports 128 bit but getting them to all key in a huge hex pass isnt going to fly. Havent figured out how to get the passphrase to parse on XP SP1. SP2 looks nicer. Anyway all the wifi equipment is new, within the last year or two, and as netstumbler has shown me we're not the only kids on the block to have wifi with WEP in the building. I've read conflicting reports about how easy it is to crack WEP with tools as simple as those included with knoppix std, so I think what I'm asking is, is 64bit enough, and should I be more paranoid, setting up VPNs and the like?
Were talking about light traffic (email, little browsing) from 5 or 6 users about 8 hours a day.
Im dreaming ofa big bndwdth, That can resist the
cracked yet!!! Estimated time to flaw; 30 days!
you guys can piss and moan all you want but AES is rock solid. This is a great solution for those who don't have time resources or knowledge to use 802.11x with RADIUS. Finanaly a secure encruption scheme for home users who know absolutely nothing about encryption and how it works. I give it 2 thumbs up :)
presmike
How many bits is the Law Enforcement Access component of the key?
AES if implemented correctly is 10 time better then having an open ethernet port outside your house. For the love of God people, please understand cryptography before making un-informed comments about how weak this will be.
h tm
http://home.ecn.ab.ca/~jsavard/crypto/co040801.
"As of 2004, no successful attacks against AES have been recognised" http://en.wikipedia.org/wiki/AES
presmike
I remember hearing that the NSA restricts the export of high level encryption protocols. Is this still in effect and does this new Wi-Fi encryption push the limits of this restriction?
Pod Six was jerks- Capt. Murphy
didn't you just basically describe PGP? wouldn't that do? in fact why wasn't that the first place they looked? RSA too resource demanding?
Your CPU is not doing anything else, at least do something.
WEP is a LOT more secure than people imagine these days. Most AP's and clients refuse to use weak IV's making the statistical attack used by Airsnort and other apps effectively useless.
Theres a very small minority of people still using weak 64-bit ASCII key generator algorithms that were found to be only 21-bits of effective keyspace. These can be cracked offline in about 15 seconds with a single encrypted frame but other than that, offline cracking of WEP is still a hard thing to do (from a practical point of view).
Yesss.. that sounds like a great idea.
However, if you don't mind, I think I'll skip all the "take a look at my recipies" formalities and go straight to
- sniffing your email passwords,
- reading your email,
- sending email under your account from your IP,
- using your wireless access point to spam,
- surf some underage porn using your IP,
- seed my "next big worm" from your connection,
- browse/sample your internal network from the IP your WAP so conveniently gave me,
- and finish up by making various explicit threats against the president on the newsgroups while simultaneously using your cable connection to make VoIP calls to the NSA and reading them some of your previously mentioned fine recipes.
I almost forgot to say thank you for the free access point. Where are my manners...
I was told that I could listen to the radio at a reasonable volume from nine to eleven...
I just got a WRT54g router, and I'm using WPA-PSK / AES. ;-)
Of course, one week later, they release WPA2
What is the diference between WPA and WPA2 ?
Most people would agree that AES is much stronger than RC4. Of course proper use of RC4 would be good enough to keep away the wardrivers, but not a determined PhD with too much time on his hands.
I just got the new encryption set up on my local network at home, and I'm finally back on slashdo23h[oifa fejw093 fawejio;32feaw [NO CARRIER]
allows for a variety of client systems to connect.
I'm thinking of setting up a small WLAN using old equipment that i can get almost for free.
I would just plug another NIC in my OpenBSD firewall and keep nothing but the necessary ports for the VPN open.
There's a broad range of encryption and authentication methods available, and if the one I use
would be too weak, I could just change to another one instead of having
to buy new hardware such as PCMCIA cards, APs etc.
Are Broadcast packets allowed with WPA2?
If so, are they just the same packets sent multiple times with different encription to each receiving end-point, or is there a wiser kind of transmission?
I had a buddy that ran his own WISP and he said most all did not use any encryption because of the CPU overhead and the loss of bandwidth. In Corporate America I cannot believe they approve of standard MAC filtering, WEP and SSID broadcast turned off. WEP is so bad I cannot recommend it to anyone for anything.
WPA and a long password are the way to go. 16 characters of mixed case with one number and one special character should be 99.9999 percent effective.
Your Average Joe
I don't want my neighbours to find out about this. I have my access point wide open so I can watch all the exceedingly weird things they browse. And I am biding my time for enough users so that I can inject a bit of goatse.cx in there. ARRRRRRGGGHHHHH MY EYES!!!!!!!!!!!!!!!
If you use WEP at the moment, some operating systems will prompt you to enter the key. Not the passphrase, but the digested key. So even though I know the passphrase, I must type 26 characters of hexidecimal into my iPaq with a stylus. Linux is no better for wireless and the last time I looked required hex too. Linux is particularly lousy if you use more than one WLAN since all the dists I've tried only store the details for one of them.
It is absolutely ludicrous. XP doesn't do that and I doubt (though I haven't tried) that OS X would either.
Given that, it would not surprise me that of those who even know to enable crypto if half don't just give up or use MAC filters or no security at all.
My preference would be whatever standard they choose be mandated to use crypto by default - and by virtue of the even longer key length it will force software makers to improve their support for it.
Cracking WPA2 is really all dependent upon three things: How much time you have, and how much CPU you can throw at the problem, and how sophisticated is your statistical analysis?
The goal of any security is to secure something long enough that by the time it is cracked/stolen, it is no longer of any value.
For data, his time can be reduced by half by doubling the CPU horsepower applied to the problem.
The simple statistical analyses available in airsnort or other COTW (common, off the web) softs are probably a bit lightweight for this, but a full blown data mining database (e.g. Oracle 10g) running on a cluster can handle this. It's what they do: statistical analyses on huge datasets of seemingly unrelated data.
FWIW - One of Oracle Corporation's largest customers is the NSA.
Correctly implemented AES is not what he's got in a stock 64-bit-WEP access point (where "he" is the person whose comment I was replying to - that comment is now at -1 Troll for some unknown reason).
We already know that old-style standard WEP can be defeated. Grandparent wasn't discussing this new arrangement in his post - hence, neither was I.
Obviously you don't know what YOU are talking about. Just because you have a buunch of scripts that is capable of cracking WEP does not mean you have a knowledge of why WEP is vunerable. WEP cannot be made totally secure (the claim was not made by me or the grandparent), however, many vendors have highly reduced the vulnerability of WEP
You are incorrect. One hole has been plugged; others appeared, some are still theoretical, and not all are widespread.
If you care, run a VPN and then it doesn't matter.
..don't panic