Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stronger Encryption for Wi-Fi

Posted by michael on from the huff-and-puff-and-blow-the-house-down dept.

sp00 writes "The first products certified to support Wi-Fi Protected Access 2, the latest wireless security technology, were announced by the Wi-Fi Alliance on Wednesday. The Wi-Fi Alliance says WPA2 is a big improvement on earlier wireless security standards, such as Wired Equivalent Privacy (WEP), which hackers have found easy to circumvent. It includes Advanced Encryption Standard, which supports 128-bit, 192-bit and 256-bit keys."

14 of 175 comments (clear)

  1. Sssssh! by FooAtWFU · · Score: 4, Funny

    Please don't tell my neighbors about this technology. Thanks. :)

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  2. upgrades to old equipment by the_denman · · Score: 4, Insightful

    The real question is will the manufacturers come out with new drivers/firmware to take advantage of this new technology?

    1. Re:upgrades to old equipment by aredubya74 · · Score: 4, Insightful

      Nope. They'll come out with new equipment, which we will buy. Sigh.

      --

      RW

  3. overhead by a3217055 · · Score: 4, Interesting

    All these new ways of encrypting data over wireless is great. Security of data is a good service. But how much will it cost, do you need more expensive hardware to create such encryption, will there be a loss of performance and other related factors. These are important and must be tested before we start saying that wap2 is the world's greatest thing for wireless encryption.

  4. "Easy to circumvent"? by Anonymous Coward · · Score: 5, Informative
    All of the known WEP attacks are based on receiving weak IV frames (usually after sifting through gigabytes of data). Modern WiFi chipsets (i.e., those made within the last 2 years or so) do not send weak IV frames all that often, if at all.

    It is not as easy as everyone says. Try it with some brand-new, high quality equipment and you may be surprised at the result.

  5. Re:Question by ericpi · · Score: 4, Informative

    At first, you don't trasmit anything. (Since, as you point out, the whitelist would prevent the access point from responding to you, anyway.) However, you just listen to the existing legitimate traffic. Then clone your device with the same MAC as one of these legitimate (and already on the whitelist) devices.

  6. Pointless.. by mcknation · · Score: 5, Insightful


    As long as these acess points are shipped with encryption turned *OFF* by default this is like pissing in the wind. It could be 1 billion bit one time pads and woulnd't make any difference. In my neighboorhood there are 10 unencrypted networks....all on the default channels. Out of the box straight onto the network is how they are set up. Joe Sixpack doesn't have time to deal with encryption.

    *don't worry much residential war drivers..there will still be free lunch for a long time to come... /-McK

  7. Re:Hmm by gad_zuki! · · Score: 4, Insightful

    >Unless companys start requiring it

    That's a bit out there. Do you really want the ISP doing what they think is best for you (or them)? "Oh, so you're running a webserver." Block port 80. "Oh, so you aren't using Microsoft's Firewall?" It gets installed by a tech and they charge you 50 bucks for the trouble, even though you have a hardware firewall, etc. Trust me, you don't want to be punished by rules set for the lowest common denominator.

    The problem here is the problem we see everywhere when it comes to computers: usability. WEP is counter-intuitive to implement. WPA is a step in the right direction with a single password (as people understand the concept of passwords). The new MS wireless manager in SP2 goes a lot way to simplifying wifi also.

    Make no mistake about it, there are lot of people who tried to get WEP to work only to have it fail. I know I've had bizarre issues with WEP that could only be fixed with a hard reset on the device and falling back to default settings, a firmware downgrade, upgrading firmware on the card, generating new keys every so often because the thing just didn't like the old ones, playing around with advanced wireless settings, etc. I don't think that level of troubleshooting should be expected from a typical end user.

  8. Re:Why not get users to use what they have by gad_zuki! · · Score: 4, Insightful

    > on most residental points will take several weeks

    Try months (and thats on old equipment with no firmware upgrade to filter out weak frames). Try not getting spotted sitting there with your laptop and running airsnort all day.

    Do these WEP fatalists also refuse to lock their cars/house doors because anyone with some skill and one easily gotten tool can open their doors? Do these people also make their own padlocks in their basement because every manufacturer has a master key? Do these people also use blank passwords because cracking NTLM or most passwd files is very doable, etc.

  9. AES protects entire frame by jonabbey · · Score: 4, Interesting

    I believe the AES implementation they are using actually does encrypt the ethernet (MAC) address, unlike WEP. (See Tying It All Together in this article for corroboration of that.)

    WPA2 with AES is the real deal.

    --
    - jon

    Ganymede, a GPL'ed metadirectory for UNIX
  10. Re:WPA2? by lizrd · · Score: 5, Informative
    Not exactly. Wi-Fi/WPA/WPA-2 are all industry standards based on the various 802.11? IEEE standards. The difference is that WECA (Wireless Ethernet Compatability Alliance) actually does testing rather than just publishing standards like IEEE does. In order to get the fancy sticker on the package you need to pay a couple of grand and get your product tested to the standards. The benefit of certification is that you have some idea that the product was actaully implemented to the standard correctly.

    That said, WPA-2 provides basically zero benefit over WPA. WPA relies on the same RC-4 algorithm as WEP, but has a few patches put in place to resolve the problems it had. The most important one is using a new key for each frame. Given a choice between an algorithm that can be broken given 11MB of data and one that has no known attacks, do you think that it matters which you use to encrypt 1500 bytes? Not really.

    The good news about WPA-2/802.11i (same thing, just certified and a less scary name for the PHBs) is that it breaks hardware compatibility, and that means there's a chance that things have been done right this time.

    --
    I don't want free as in beer. I just want free beer.
  11. So I have to upgrade...again? by Powertrip · · Score: 4, Interesting

    So this means to take advantage of the latest security, I would again have to upgrade all my AP's and Clients... $ $ $ When will this whole industry be commoditized enough that we have 'soft' radios for wireless (Like AC97 Audio) that allow us more flexibility in upgrading older hardware to newer standards? Heck, with a true soft-wireless chipset we could use one RF device for WiFi and Bluetooth and whatever they dream up next...

  12. Actually... by TPS+Report · · Score: 5, Insightful
    ...keep my access point wide open for anyone to use. If you want to look at my GF's reciepe's or our photos, go right ahead.


    Yesss.. that sounds like a great idea.

    However, if you don't mind, I think I'll skip all the "take a look at my recipies" formalities and go straight to

    - sniffing your email passwords,
    - reading your email,
    - sending email under your account from your IP,
    - using your wireless access point to spam,
    - surf some underage porn using your IP,
    - seed my "next big worm" from your connection,
    - browse/sample your internal network from the IP your WAP so conveniently gave me,
    - and finish up by making various explicit threats against the president on the newsgroups while simultaneously using your cable connection to make VoIP calls to the NSA and reading them some of your previously mentioned fine recipes.

    I almost forgot to say thank you for the free access point. Where are my manners...
    ;)
    --
    I was told that I could listen to the radio at a reasonable volume from nine to eleven...
  13. Re:802.1x by ImaLamer · · Score: 4, Interesting
    Why not solve the problem by putting another line of authentication in place?

    My school *shudder* has access points in many of the labs but after a student said he was going to "hack" into it there was a simple warning:

    1. We know the MAC address to every computer in the building...
    2. We keep logs of MAC addresses that don't match our set (apparently he went around reprogramming the MAC addresses to a now defunkt card maker's line for easy log watching, except for one lab which was un-re-programmable)
    3. Breaking the WEP key is a crime, during the investigation we will try to track your MAC to you (hope you didn't pay with a credit card - your breaking into "protected" systems, in fact a federal crime)
    4. You can't get anywhere, you must authenticate through the NT (blah) server for network access
    5. It's pointless


    Really, it made sense. He simply stated that there was no point in getting a signal without access rights. The man's first job was to secure the wired network. Once the AP's were put in, it wasn't a problem.

    Could you run wild on your companies network by just plugging into the next available switch?

    If so, fix that problem first.

    --
    Get your Unix fortune now!