WEP Broken Even Worse
collin.m writes in with news of results out of Darmstadt. Erik Tews and others there have demonstrated how to recover a 104-bit WEP key in under a minute, requiring the capture of fewer than 10% of the number of packets the previous best method called for. The paper is here (PDF). Quoting: "We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets... for 85,000 data packets [the success probability is] about 95%... 40,000 packets can be captured in less than one minute under good condition. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz..."
2 words: Legacy Hardware
I have 2 computers in my house with cards that don't support WPA. If I were to set my router to run with WPA, then my sister would not be able to connect to the network. If I told her the security implications, she wouldn't understand nor care. Upgrading the network would mean me footing the bill for new wireless cards unless I can convince my dad that there is a real reason to upgrade to better security. However, this is unlikely.
I agree with you. That is why it really annoys me that in this day and age, builders are still not putting conduit in walls during construction. I understand a 20 year old house not having conduit in the walls. I can even understand a 10 year old house not having conduit, but any house built in the last 5 years should have conduit to every room. We already know that whatever is in the walls today will be inadequate in another 10 years.
Uhmm, methinks you have not actually done this much... Or at least not in many houses.
Things like lath&plaster, plumbing, strange placement of studs, lack of crawlspaces, windows, carpet, laminates, tile, doors, fireplaces, and foundations - all sorts of stuff really makes it not, well, trivial.
Get a clue. The weakness in WEP has everything to do with a vulnerability in RC4 (specifically this one). The vulnerability is due to the fact that there is a weakness in RC4's key scheduling algorithm that allows an attacker to obtain the whole key from only a very few bits that just happen to be in the first 24 bits of the key. Since the IV does repeat, it is easy to obtain packets with the weak key bits. However, if WEP did not use RC4, that vulnerability wouldn't be there and you couldn't break WEP using that attack.
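An added illustration, not part of the thread or of the Darmstadt paper: the Python sketch below shows WEP's per-packet RC4 keying (the cleartext 24-bit IV prepended to the root key) and audits a constructed capture for repeated IVs and for IVs in the (A+3, 255, X) class from the Fluhrer, Mantin and Shamir analysis of RC4 key scheduling. The frame layout is simplified, and the key, IVs, payloads and function names are assumptions made for the example.

```python
# Added illustration; keys, IVs and payloads below are constructed sample values.
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by n bytes of output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, root_key: bytes, payload: bytes) -> bytes:
    """Simplified WEP framing: cleartext 3-byte IV, then payload XOR RC4(IV || root key).
    The key-ID byte and CRC-32 ICV of real frames are omitted (assumption)."""
    ks = rc4_keystream(iv + root_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))

def is_fms_weak_iv(iv: bytes, root_key_len: int = 13) -> bool:
    """True for IVs of the form (A+3, 255, X), A indexing a root-key byte."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + root_key_len

def audit_ivs(frames):
    """Return (IVs seen more than once, weak-class IVs) for a list of frames."""
    counts = Counter(f[:3] for f in frames)
    reused = sorted(iv for iv, c in counts.items() if c > 1)
    weak = sorted(iv for iv in counts if is_fms_weak_iv(iv))
    return reused, weak

ROOT_KEY = bytes(range(1, 14))           # constructed 104-bit root key
SAMPLE_FRAMES = [                        # constructed capture
    wep_encrypt(bytes([0x10, 0x20, 0x30]), ROOT_KEY, b"first payload"),
    wep_encrypt(bytes([0x10, 0x20, 0x30]), ROOT_KEY, b"other payload"),
    wep_encrypt(bytes([0x03, 0xFF, 0x07]), ROOT_KEY, b"third payload"),
]

if __name__ == "__main__":
    reused, weak = audit_ivs(SAMPLE_FRAMES)
    print("reused IVs:", [iv.hex() for iv in reused])
    print("weak-class IVs:", [iv.hex() for iv in weak])
```

Because the IV travels in the clear and is the only part of the RC4 key that changes, two frames with the same IV are encrypted under an identical keystream.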
You've obviously never been married.
-- Will program for bandwidth
Common Slashdot Format(TM)
1. Story posted about $SECURITY_PROTOCOL being broken on $BROKEN_DATE at $SEVERITY
2. Comments ensue recommending ridiculously complex/impractical solutions (in typical Slashdot lore) getting modded up
3. Comments ensue about how ridiculous and complex those impractical solutions are, getting modded down/up on a 50/50 basis
4. Actual common-to-do, easy to implement solutions, like the WPA2 in Linksys routers, are not discussed or modded
5. Extreme architecture biases/overall naivete about NO security implementation being completely secure is prevalent in a lot of comments
6. Sometimes, people come in to right these fallacies in the free market way, by posting.
Put short, wires are not a solution, no encryption protocol is flawless, the risks/rewards of wireless should be known and the technology should be used accordingly. But improvements in protocol and advancements in technology, especially relatively easy to implement ones, should be emphasized.
Do not downmod posts "overrated" simply because you disagree with them.