Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stronger Encryption for Wi-Fi

Posted by michael on from the huff-and-puff-and-blow-the-house-down dept.

sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."

22 of 175 comments (clear)

  1. upgrades to old equipment by the_denman · · Score: 4, Insightful

    The real question is will the manufacturers come out with new drivers/firmware to take advantage of this new technology?

    1. Re:upgrades to old equipment by aredubya74 · · Score: 4, Insightful

      Nope. They'll come out with new equipment, which we will buy. Sigh.

      --

      RW

    2. Re:upgrades to old equipment by sadler121 · · Score: 2, Insightful

      Unless you have a Linksys WRT54G router, where there are already open source firmware projects. Once the standerd is settle on, (which sounds like it is pretty much settled on now, from RTFA), I would expect these various projects to upgrade to WPA2.

      Linksys may not like this, and may attempt to sue these projects into oblivian, (using our "friend" the DMCA). But it shouldn't be to hard to implimate.

    3. Re:upgrades to old equipment by afidel · · Score: 2, Insightful

      uh, is the hardware capable of doing multiple AES-128 conversations in real time with changing keys all without an ASIC? I doubt it. So new hardware will almost assuradly be needed.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  2. Why not get users to use what they have by the_denman · · Score: 3, Insightful

    Using 128 bit encription on most residental points will take several weeks of listening to break (correct me if I am wrong here) Shouldn't we concentrate on convinceing users on just doing something.

    1. Re:Why not get users to use what they have by gad_zuki! · · Score: 4, Insightful

      > on most residental points will take several weeks

      Try months (and thats on old equipment with no firmware upgrade to filter out weak frames). Try not getting spotted sitting there with your laptop and running airsnort all day.

      Do these WEP fatalists also refuse to lock their cars/house doors because anyone with some skill and one easily gotten tool can open their doors? Do these people also make their own padlocks in their basement because every manufacturer has a master key? Do these people also use blank passwords because cracking NTLM or most passwd files is very doable, etc.

  3. Pointless.. by mcknation · · Score: 5, Insightful


    As long as these acess points are shipped with encryption turned *OFF* by default this is like pissing in the wind. It could be 1 billion bit one time pads and woulnd't make any difference. In my neighboorhood there are 10 unencrypted networks....all on the default channels. Out of the box straight onto the network is how they are set up. Joe Sixpack doesn't have time to deal with encryption.

    *don't worry much residential war drivers..there will still be free lunch for a long time to come... /-McK

    1. Re:Pointless.. by subreality · · Score: 3, Insightful

      Not pointless.

      Even if it's turned off by default, the ability to turn on good crypto is perfectly useful.

  4. Re:Hmm by gad_zuki! · · Score: 4, Insightful

    >Unless companys start requiring it

    That's a bit out there. Do you really want the ISP doing what they think is best for you (or them)? "Oh, so you're running a webserver." Block port 80. "Oh, so you aren't using Microsoft's Firewall?" It gets installed by a tech and they charge you 50 bucks for the trouble, even though you have a hardware firewall, etc. Trust me, you don't want to be punished by rules set for the lowest common denominator.

    The problem here is the problem we see everywhere when it comes to computers: usability. WEP is counter-intuitive to implement. WPA is a step in the right direction with a single password (as people understand the concept of passwords). The new MS wireless manager in SP2 goes a lot way to simplifying wifi also.

    Make no mistake about it, there are lot of people who tried to get WEP to work only to have it fail. I know I've had bizarre issues with WEP that could only be fixed with a hard reset on the device and falling back to default settings, a firmware downgrade, upgrading firmware on the card, generating new keys every so often because the thing just didn't like the old ones, playing around with advanced wireless settings, etc. I don't think that level of troubleshooting should be expected from a typical end user.

  5. Re:Does this means... by bloo9298 · · Score: 2, Insightful

    The number of bits used by the key is not enough to judge the security of the system. You could have a crap cryptographic algorithm or, more likely, a crap protocol.

  6. Missing a point here... by z3021017 · · Score: 3, Insightful

    People talk about WPA security and how it's important, but the fact is most home users don't even change the default password for their wireless routers.

    --
    Bored? Visit my exciting counter page!
  7. Re:Good by SoSueMe · · Score: 3, Insightful

    I feel I speak for wireless users everywhere when I say "Wha?"

    Sadly, this is more prevalent than we like to think.

  8. Re:So... by Vellmont · · Score: 2, Insightful

    Wow. You certainly have put the security researchers in their place with that "or something". The truth is that if implemented properly you can have highly secure communications while anyone can monitor those signals.

    It remains to be seen if this is the case, but if you really want security use proven technology like SSH or a well implemented VPN.

    --
    AccountKiller
  9. Re:"Easy to circumvent"? by Anonymous Coward · · Score: 1, Insightful

    Obviously you don't know what YOU are talking about. Just because you have a buunch of scripts that is capable of cracking WEP does not mean you have a knowledge of why WEP is vunerable. WEP cannot be made totally secure (the claim was not made by me or the grandparent), however, many vendors have highly reduced the vulnerability of WEP.

    Please come back with an argument once you become a little more knowledgeable in this area. A**hole script kiddies need not apply.

  10. Link level security is fairly useless. by pingus · · Score: 2, Insightful

    Link level security is fairly useless. It's fine for the average user, but the average user doesn't know how to turn it on. It would be great if there was some kind of auto-negotiated application layer security. Like IPSeC that has the user transport a USB dongle with the keys or something. This is just frivilous.

  11. its about time by presmike · · Score: 3, Insightful

    you guys can piss and moan all you want but AES is rock solid. This is a great solution for those who don't have time resources or knowledge to use 802.11x with RADIUS. Finanaly a secure encruption scheme for home users who know absolutely nothing about encryption and how it works. I give it 2 thumbs up :)

    --
    presmike
    1. Re:its about time by Gollum · · Score: 2, Insightful

      Don't assume that because they are buzzword compliant (AES 256-bit encryption!!!) that they have implemented it correctly.

      That was the first mistake which led to all the war-driving originally - early WEP implementations used good algorithms, but chose a weak Initialisation Vector, which made it easier to decrypt the traffic.

      Let's hope that they've learned their lesson this time, and aren't just trying to get people on the upgrade cycle again - WEP -> WPA -> WPA2 -> when will it stop?!

  12. WEP security by rips123 · · Score: 2, Insightful

    WEP is a LOT more secure than people imagine these days. Most AP's and clients refuse to use weak IV's making the statistical attack used by Airsnort and other apps effectively useless.

    Theres a very small minority of people still using weak 64-bit ASCII key generator algorithms that were found to be only 21-bits of effective keyspace. These can be cracked offline in about 15 seconds with a single encrypted frame but other than that, offline cracking of WEP is still a hard thing to do (from a practical point of view).

  13. Actually... by TPS+Report · · Score: 5, Insightful
    ...keep my access point wide open for anyone to use. If you want to look at my GF's reciepe's or our photos, go right ahead.


    Yesss.. that sounds like a great idea.

    However, if you don't mind, I think I'll skip all the "take a look at my recipies" formalities and go straight to

    - sniffing your email passwords,
    - reading your email,
    - sending email under your account from your IP,
    - using your wireless access point to spam,
    - surf some underage porn using your IP,
    - seed my "next big worm" from your connection,
    - browse/sample your internal network from the IP your WAP so conveniently gave me,
    - and finish up by making various explicit threats against the president on the newsgroups while simultaneously using your cable connection to make VoIP calls to the NSA and reading them some of your previously mentioned fine recipes.

    I almost forgot to say thank you for the free access point. Where are my manners...
    ;)
    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  14. Re:Serious answer form geeks in the know...? by Anonymous Coward · · Score: 1, Insightful

    Unless you like being the scapegoat when someone breaks into your boss's notebook, you should strive for real security. With WPA it is possible to implement reasonable security about as easily as it is to screw up with WEP.

    Here is a good article detailing various attacks against WEP. Choice quote: Tim Newsham discovered that there are a number of problems with the key generators for several vendors. [...] This reduced the actual entropy of the PRNG seed to 21 bits. Using a PIII/500 MHz laptop performing 60,000 guesses per second, Newsham was able to crack a 40-bit WEP key from a key generator in 35 seconds.

  15. VPN by mrph · · Score: 3, Insightful
    Why not just set up a VPN? For example, OpenVPN is quite easy to configure and maintain, and also
    allows for a variety of client systems to connect.

    I'm thinking of setting up a small WLAN using old equipment that i can get almost for free.
    I would just plug another NIC in my OpenBSD firewall and keep nothing but the necessary ports for the VPN open.
    There's a broad range of encryption and authentication methods available, and if the one I use
    would be too weak, I could just change to another one instead of having
    to buy new hardware such as PCMCIA cards, APs etc.

  16. Re:"Easy to circumvent"? by virtual_mps · · Score: 2, Insightful
    All of the known WEP attacks are based on receiving weak IV frames (usually after sifting through gigabytes of data). Modern WiFi chipsets (i.e., those made within the last 2 years or so) do not send weak IV frames all that often, if at all.

    That's actually not true. There were certain attacks that relied on weak IV's. So manufacturers stopped sending out the weak IV's--which means the keyspace is reduced and now other attacks are more feasible. I don't know of a script kiddie tool to do this, but there have been papers published.