Elcomsoft Claims WPA/WPA2 Cracking Breakthrough

secmartin writes "Russian security firm Elcomsoft has released software that uses Nvidia GPUs to speed up the cracking of WPA and WPA2 keys by a factor of 100. Since the software allows them to network thousands of PCs, this anouncement effectively signals the death of wireless networking in business networks; any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether."

Looks Like I'm Safe

[linuxmeepster]

"Brute Force Attack will take up to 128299838271 years" at 500,000 passwords a second. ElcomSoft is claiming a 20x improvement in speed, but that won't make a dent into an exponential-sized problem. See http://lastbit.com/pswcalc.asp for calculation.

Re:Looks Like I'm Safe

[Daimanta]

True, buy most people will use a alphanum pass with 10 characters or less.

(26*2+1)^10 = 839299365868340224

Which is a lot more crackable.

Re:Looks Like I'm Safe

Uh, where are you getting that number? (26*2+1)^10 works out to 1.7488747 * 10^17. Wouldn't it be more like ((26*2)+10)^10, assuming no spaces?

Re:Looks Like I'm Safe

[risinganger]

true but that's a weakness in people - not the protocol. I was a little worried until I also read it was nothing more than a brute force attack using a faster processing unit.

WEP is broken. It's broken because with a little time I can crack it on my G4 iMac. WPA isn't.

Re:Looks Like I'm Safe

[Sasayaki]

"Brute Force Attack will take up to 128299838271 years"

Look, I understand that's enough security for your mortals, but I plan to live forever. I don't want someone getting my data just after my 128,299,838,295th birthday!

Re:Looks Like I'm Safe

Look, I understand that's enough security for your mortals, but I plan to live forever. I don't want someone getting my data just after my 128,299,838,295th birthday!

Ray Kurzweil, how ya doin'?

Re:Looks Like I'm Safe

[Daimanta]

Yeah, it's a typo. 26*2 for the letters including caps and 10 for the numbers.

Re:Looks Like I'm Safe

[Ironsides]

That sounds like a reason to go out and get your own router that supports full WPA2 encryption. If nothing else, flash it with DD-WRT and you get that.

Re:Looks Like I'm Safe

[ksd1337]

I don't want someone getting my data just after my 128,299,838,295th birthday!

Tell us if they release Duke Nukem Forever by your 128 billionth birthday.

Re:Looks Like I'm Safe

[Pentium100]

Or maybe he does not want his now-current data to fall into wrong hands after 128 gigayears?

Re:Looks Like I'm Safe

[Tubal-Cain]

Heh, my old password would have taken 1,559,007,293,804,841,500,000,000 years (20 chars, uppercase/lowercase/digits/common punctuation) to crack at 500,000 combinations/second. I recently moved up 23 chars, but it won't calculate that for me.

Although while 500,000 combinations/second may sound impressive, it is a useless metric without comparing it to how many combos/second a normal machine can pump out.

Re:Looks Like I'm Safe

[Tubal-Cain]

Agreed. My brother's password gets a measly 4 years.

Re:Looks Like I'm Safe

[Korin43]

Look, I understand that it's inconvenient to change your passwords ever 128 Billion years, but that's the sort of inconvenience you'll have to live with if you want security..

Re:Looks Like I'm Safe

[Threni]

That's (one reason) why you change passwords.

Re:Looks Like I'm Safe

[Anonymous+Brave+Guy]

<sigh> 128,299,838kyears ought to be enough for anyone!

Re:Looks Like I'm Safe

[houstonbofh]

"Brute Force Attack will take up to 128299838271 years" at 500,000 passwords a second. ElcomSoft is claiming a 20x improvement in speed, but that won't make a dent into an exponential-sized problem. See http://lastbit.com/pswcalc.asp for calculation.

Yep. And computers won't get any faster in the next 128 billion years...

Re:Looks Like I'm Safe

[pdbaby]

If you were around to be told wouldn't you have the same chance of knowing about its release? I know I'm overanalysing the joke and breaking it but... :-P

Re:Looks Like I'm Safe

[Annymouse+Cowherd]

No one would waste that much time attempting to crack your password unless you are a large corporation or you are very, very rich.

Re:Looks Like I'm Safe

[kabocox]

Look, I understand that's enough security for your mortals, but I plan to live forever. I don't want someone getting my data just after my 128,299,838,295th birthday!

Um, I plan to live forever too. I'm to the point that I don't care if anyone gets any of my data as I'd be so senile as not to remember any passwords so its some what safer to have all that porn unencrypted.

That's the real problem of living forever is forgetting all that somewhat important crap. Of course what ever you do, don't go for the super perfect memory as that's even worse since you'll never forget some horrible things/websites no matter how much you long to do.

Re:Looks Like I'm Safe

[tftp]

I recently moved up 23 chars, but it won't calculate that for me.

Do not worry, the keylogger inside of your keyboard has plenty of memory.

Re:Looks Like I'm Safe

[hvm2hvm]

It won't be released. That is proven by the fact that no future people came back in time to tell us it's actually released. Maybe in a Universe or two later it will be here.

Re:Looks Like I'm Safe

[TheRaven64]

So, computing speed doubles roughly every 18 months. At this rate, it will be down to one year in 55 years (assuming computers keep getting faster at the same rate - 55 years is about as long as we've had commercial computers).

Of course, if you add another alphanumeric to the password, you multiply the complexity by 56, which adds another 10 years to the time before computers will be fast enough to crack it in a year. Another alphanumeric takes it up to 73 years, another up to 81, and so on.

There are some physical limits to the maximum speed of computation. All of the ones we've come close to so far have been practical engineering problems, rather than theoretical ones. 21 more doublings in transistor density and IC features are smaller than the nucleus of an atom (9 more and they're smaller than a helium atom including its electron cloud) - only possible if you're building your CPU out of neutronium, so it seems unlikely that we'll get to 54 without some brand new physics. Increasing transistor density isn't the only way of increasing computational power, but so far it's been the easiest (although each doubling does require an R&D budget measured in billions of dollars).

Re:Looks Like I'm Safe

[Lennie]

maybe by that time they will have invented time-machines and he could send back a message telling you about the release, then again, if they did, he could have done it 'now'...?

Re:Looks Like I'm Safe

[JohnstonDJ]

The calculator wont let me work out how long it would take to crack. When you don't type your password all your time, why would you only use a password up to 20 characters. Seeing as my password uses the full 63 characters, and has all the tick boxes ticked I'm not worried quite yet.

Re:Looks Like I'm Safe

[geoffaus]

Have you taken Moore's Law into account when working out how long it will take to crack?

Re:Looks Like I'm Safe

[beav007]

AHA! Now we know what happened!

DNF Took so long to develop that the studio actually managed to create time travel first. Then they went 128,299,838,271 years into the future, and picked up a copy as it was released. Then they sent it back to 2002. Now they are just waiting for hardware that can run it...

Re:Looks Like I'm Safe

[Myraq]

Maybe he is some sort of a religious leader... he wouldn't want people to find out he was browsing for porn.

Re:Looks Like I'm Safe

[hellop2]

"if you add another alphanumeric to the password, you multiply the complexity by 56, which adds another 10 years to the time before computers will be fast enough to crack it" Wouldn't it add another order of magnitude? Not just 10 years?

Re:Looks Like I'm Safe

[Eskarel]

Well ya see, the complexity increases exponentially, but the speed also increases exponentially, and they sort of cancel each other out.

Of course all of this is really rather immaterial as you're talking about breaking todays encryption with computers from 50 years hence, which isn't going to happen, as none of the devices using todays encryption will still boot in 50 years, let alone actually support whatever protocols we're using by then.

Re:Looks Like I'm Safe

[QuestionsNotAnswers]

Your "neutronium" example presumes we are not allowed to play with any other dimensions.

a) Going 3d with the same transistor size gives an easy 32768 increase = 2^15 increase (1 billion transistors is approx 32768 by 32768 transistors)
b) Increasing the size from 1 cubic centimetre to 1 cubic meter gives a 100x100x100 increase = 1000x1000 approx = 2^10 * 2^10 = 2^20
c) You want 2^54, so we are still short a hefty 2^19. To increase density by 2^20 needs 100x100x100 cells per existing cell, so a 45nm process goes to a 0.45nm process.

Meanwhile, if we presume we don't reduce heat output our new processor will output 2^54 more heat than our current processors. We can use the waste heat to run our cars for free :)

Re:Looks Like I'm Safe

[serge587]

Well, the expectation is that they'd find the password in 1/2 of that time.

Re:Looks Like I'm Safe

[kickdown]

> True, buy most people will use a alphanum pass with 10 characters or less.

Most halfways sane enterprise deployment will not use passwords at all, but WPA2-*Enterprise* with 128-Bit random seeds per user session.

Re:Looks Like I'm Safe

[PhilJC]

DNF Took so long to develop that the studio actually managed to create time travel first.

Don't know about anyone else but when I read DNF I automatically translated it into racing terminology - "Did Not Finish". How apt!

Re:Looks Like I'm Safe

[GameboyRMH]

I was a little worried until I also read it was nothing more than a brute force attack using a faster processing unit.

My thoughts exactly. This is like fitting two bigass turbochargers and jumbo cams to a big 'ol American V8 and calling it a breakthrough in engine design. The headline should be "Elcomsoft turns WPA/WPA2 brute force attack speed up to 11"

Re:Looks Like I'm Safe

[MrAngryForNoReason]

When you don't type your password all your time, why would you only use a password up to 20 characters.

I would have agreed with this but with wi-fi now in use on so many devices it is a real ball-ache to punch in 63 characters including punctuation and upper/lower case on a mobile phone. Or having to plug in a keyboard every time I move the Wii or 360 to a different network.

Does this surprise anyone?

[Mad+Merlin]

This doesn't surprise me. Anyone who wasn't already assuming that anything you sent via wireless was already in the hands of your enemies (unencrypted) is a bit naive.

Re:Does this surprise anyone?

I don't care how you're accessing the net, if it's important encrypt it.

Re:Does this surprise anyone?

[Paracelcus]

How about pushing out new keys every XX hours to all wireless devices? I do this manually on my little network.

Re:Does this surprise anyone?

[Ironsides]

So, all I need to do is record the data, crack the first set of keys and then I can decrypt all subsequently sent packets as you have convieniently provided the new keys in the (now decrypted) data stream.

Re:Does this surprise anyone?

[nullchar]

That only works if you can crack the current key (whichever it may be) in the required XX hours.

Re:Does this surprise anyone?

[Krabbs]

Are you seriously claiming that secure wireless communication is impossible?

Re:Does this surprise anyone?

[Ironsides]

He's pushing out the new key over the network using the existing key. I record all data over the network starting with key XX1. Say he gets to key XX3 when I finally crack key XX1. I use key XX1 to decrypt all the data I have recorded from the wireless, I get key XX2 by decrypting it and then I also get key XX3.

Re:Does this surprise anyone?

[h4rm0ny]

Not if they're recording all the data. They have as long as they like - once they've cracked the first one, they'll catch up rapidly. Yes - it's an additional constraint, though.

Re:Does this surprise anyone?

[SanityInAnarchy]

Nope. It only requires that someone is recording that data, just as GP said.

So, suppose you're pushing a new key every hour. It takes me 12 hours to crack your key.

If you're not thinking too clearly, it looks like you're safe.

But with modern wireless technologies, how much data can you really push in 12 hours? Let's say you're on a -g network -- 54 mbits -- you'll probably send at most 5 megabytes per second. Suppose you're saturating that constantly -- that means roughly 18 gigs an hour.

So, it takes me 12 hours to crack that -- which means I have to record at most 216 gigs worth of (encrypted) data.

At the end of 12 hours, I've cracked the key from hour 1. I can then go back and decrypt all traffic you sent during that time, including the key you set for hour 2. Then I can decrypt all the data from hour 2, and so on. This will probably take less than an hour.

At that point, I'm caught up, and you're kindly pushing updated keys to me.

So, in other words, your rotating key scheme only works against people who either aren't recording your data, or aren't interested in cracking it at all (for instance, it'd be great if you give a houseguest access for an hour, then the next hour, the key changes from under them)...

Re:Does this surprise anyone?

[hedwards]

That was my reaction, the standard advice going back a long ways was use WEP, but for the love of god also use VPN between the devices. I can't imagine why WPA or WPA2 would make people think that you should be ditching the VPN.

Admittedly I've been guilty of not doing it, but it was more a matter of inferior Windows facilities than anything else.

Re:Does this surprise anyone?

[robosmurf]

You don't even need to record the data.

Cracking keys isn't a fixed time, it's just a probability.

The attacker just needs to try cracking the current key. If they haven't succeeded in the hour, then they just move on to the next key.

Re:Does this surprise anyone?

[collinstocks]

I think that the way I would do it would be as follows:

Have a secret key SECRET. SECRET is never directly used.

When you first initiate the connection, you ask the wireless network for the current salt, SALT in plaintext.

You then use a very secure hash (I think that the one that I wrote a while ago is probably secure enough, though this is an unwarranted assumption, as I haven't shown it to any security experts) and take the hash of SECRET salted with SALT. You use the hash value as the key.

Every XX minutes, SALT changes. Therefore the key changes. However, someone cannot get the new key even if they have broken the old key because they need the SECRET as well as the current salt.

The way to break this would be to break the hash, but with a sufficiently strong hash, that should be difficult to do in a reasonable amount of time, especially if SECRET and SALT are very long.

Re:Does this surprise anyone?

[virtual_mps]

That was my reaction, the standard advice going back a long ways was use WEP, but for the love of god also use VPN between the devices. I can't imagine why WPA or WPA2 would make people think that you should be ditching the VPN.

Since WPA2 uses the same encryption that you'd find in a VPN, I wonder why you think it would be less secure?

Re:Does this surprise anyone?

[Hucko]

I'm not real good at maths, how long would a case-sensitive, alphanumeric, randomly inserted, symbol, punctuated, 56 character pass-phrase take?

Re:Does this surprise anyone?

[FLEB]

IIRC, though, you lower your security by repeatedly encrypting the same password with known salts. It's kind of a "narrowing down" effect-- you allow quicker finding and verification of a sure answer by giving more clues.

A simplification would be: "I'm thinking of a number. The number mod 4 is 1. The number mod 5 is 4. The number mod 6 is 3." With the first answer, the secret number could be any of a wide selection, but after every subsequent equation with different input data, the secret number can be narrowed down.

[This is where someone else who knows something about crypto chimes in... I just know this because I'd seen someone else getting called out on this misconception.]

Re:Does this surprise anyone?

[FLEB]

It's not that difficult. You just need a secure wireless network tunnel-- get a grounded conducting metal tube-- something like a flexible aluminum dryer vent pipe with a ground strap might work-- and run it in a straight line from the access point to the client machine.

Re:Does this surprise anyone?

[collinstocks]

[This is where someone else who knows something about crypto chimes in... I just know this because I'd seen someone else getting called out on this misconception.]

W007! I actually do know something about crypto (as well as number theory, which is useful and fun).

You are right about the fact that, if SALT were transmitted through plaintext every time, it would only be a matter of time before SECRET would be able to be deduced (assuming that the method of breaking the overall WPA encryption allows you to figure out the encryption key being used [I don't know too much about WPA in particular, so I'm not sure if it is public key or not]).

I should have been clearer. Every XX minutes, a different SALT is transmitted via ciphertext.

This increases the complexity of the problem significantly:

You must break the first encryption key and gain the full key. The key looks something like:
a8fbcd1db5a6bf013763fd45a32f2b319bfba413

You must break the second encryption key. Again, the key looks something like:
216cd69e6e4112b6adffec1853ae415b0fa45fcf

[Wash, rinse, repeat]

You eventually have enough keys lined up to figure out that they use the sha1sum and all start with "this is insanity ", therefore SECRET="this is insanity ".

The problem is that you have to break the encryption scheme enough times to gain enough keys to establish what SECRET is. Then you have to break the hash. If it is a particularly good hash (i.e. NOT MD5 OR SHA1!) and the key that you are hashing has sufficient entropy (i.e. consists of random data) then you shouldn't be able to break the hash using a rainbow table, and brute force might be necessary.

Now, you can always try to mathematically find a flaw in the hash or encryption scheme, but that is a different problem. Personally, I wouldn't trust an encryption scheme designed by someone else unless I had the mathematical background to prove it, which, in the case of RSA, I do. Therefore, I would use RSA with as large a key and block size as is feasible. I'd probably also write my own implementation.

(I must confess, though, that the implementation I wrote to which I have linked is not by any means secure as it stands. It is also probably buggy, as I spent maybe half an hour on it at most. Someone commented on another recipe that writing RSA should be simple, and so I took the opportunity to write it.)

Re:Does this surprise anyone?

[ozphx]

Hey I've heard of those "cable" things before!

Re:Does this surprise anyone?

[SanityInAnarchy]

This essentially requires that both SECRET and SALT be sufficiently large as to be secure.

The attack from TFA can be defeated by using a WPA key which is sufficiently large as to be secure.

It's a cool-sounding method, but completely unnecessary, in this case.

Re:Does this surprise anyone?

[Krabbs]

Security by assuming nobody can tap into your communication channel is terrible security practice. If wireless is not secure, neither is cable.

Re:Does this surprise anyone?

[ciderVisor]

If you use upper- and lower-case letters, the numbers 0-9 and the easily-accessible symbols on your keyboard, you have roughly 80 characters available to you. If you create a random password using 56 of these characters, you end up with 80^56 possible combinations. This is a seriously HUGE number. The password would be cracked on average by only half that seriously HUGE number.

One of the strengths of a strong encryption algorithm like Blowfish is that it takes a long time to set up the encryption machine relative to the time it actually takes to encode the plaintext stream. This means that testing each password involves a lengthy process which multiplies the checking process by a factor of thousands. You're talking roughly 3 * 10^106 / 2 * 1000, which is greater than 1 * 10^109.

Even implementing a counter in hardware which ran through all the binary combinations of the password requires an INSANELY HUGE amount of time and energy:

http://en.wikipedia.org/wiki/Brute_force_attack#Theoretical_limits

Re:Does this surprise anyone?

[marcosdumay]

Ok for you, but I'd use SSL.

Re:Does this surprise anyone?

[Narnie]

Would there be any wisdom in using the previous example but not only salting SECRET with SALT but also salting the SALT with the current timestamp?

Re:Does this surprise anyone?

[collinstocks]

In short, the answer to your question is that, no, there is no wisdom in salting SALT with the current timestamp.

I originally thought of doing this as the primary method of salting SECRET, but then I thought that transmitting SALT would be a much better idea.

Here's why:
Think about it. Where does the timestamp come from? A time server, most likely. Or, more directly, from the network to which you are connected.

Using the timestamp requires that the clocks of the router and your wireless card be synchronized, thus meaning that you must get the timestamp from the network to which you are connected.

So, why should you let the attacker be able to predict what SALT is going to be (assuming that SALT=timestamp)? In either case, SALT originally comes from the router. It is just a matter of the predictability of the value of SALT.

Also, another argument against the use of timestamps in general for salting passwords:
It requires that the times be absolutely synchronized. They cannot even be off slightly, especially if you need to have five nines of uptime when connected to the network. The reason for this is that, even if you only use the hours to salt and the clocks are only off by a second, you lose that second because during that time, the encryption keys are different.

Assuming that the difference is one second per hour, you now only have about four nines of uptime assuming that you never have any other problems (probably an unlikely scenario).

Re:Does this surprise anyone?

[collinstocks]

Unfortunately, that is vulnerable to man-in-the-middle attacks.

A tries to connect to B.
C is a router in between.
C pretends to be B when talking to A and pretends to be A when talking to B.

The result:
A has connected securely to C and C has connected securely to B. A and B, however, think that they are securely connected to each other, while C secretly collects as much information as it wants.

Attempted solutions to this include using signatures, since those cannot (feasibly) be forged. However, if the man-in-the-middle attack is elaborate enough, C can also pretend to be the signature registrar. In this scenario, C simply signs with its own signature, and then when A queries it for the information it needs to check the signature, C gives A its own information, so the signatures match.

There is no way around this without using some alternative and fully trusted method of getting the key from B to A. With man-in-the-middle and public-key cryptography, A receives a public key, but it might not actually be B's public key. The whole idea with WPA and WEP is that you have to physically enter the key at both ends. Since you have physically seen and changed both ends, you know that the communication is actually between these two devices.

Another method of secure key sharing is quantum cryptography, because an eavesdropper has cannot listen without destroying data. Even in that case, both ends have physically been set up to communicate with each other, so there is no doubt as to whether there is a man-in-the-middle. On the web, there most certainly is a man-in-the-middle. In fact, there are many. Every router between A and B is a potential eavesdropper.

</paranoia>

Re:Does this surprise anyone?

[marcosdumay]

That is why SSL includes a key sharing algorithm, that uses a certificate to be sure that nobody in the middle can read or change the key. Of course, you'll have to exchange public keys somehow, that is usualy done manualy, by copying a file (or by validating with a trusted entity whose key you know). On an aftertought, I wouldn't really use SSL, I'd tunel everything trough SSH, like I already do since I have a firewall between my LAN and WLAN at home.

Also, quantum key exchange doesn't really protect against man-in-the-middle attacks. It promisses to do that, but doesn't deliver.

Re:Does this surprise anyone?

[collinstocks]

Also, quantum key exchange doesn't really protect against man-in-the-middle attacks. It promisses to do that, but doesn't deliver.

This is true. I remember reading an article about that a while back which said something to the effect that making an imperfect copy of the message allows a man-in-the-middle attack. I don't remember the details, though.

Re:Does this surprise anyone?

[virtual_mps]

Because they all technically had the same class of encryption you'd find in a VPN

Not true. WEP had a lousy encryption scheme designed by electrical engineers rather than cryptographers. WPA was built on the same foundation, to try to buy more life for obsolete hardware. IEEE 802.11i (rebranded "WPA2" to be less scary for consumers and make "WPA" sound like an ancestor rather than a bastard stepchild) was designed by cryptographers, and is built on much more robust standards and is no more or less vulnerable to crypto attacks than a well-implemented VPN (assuming that you're not trying to use PSK, which the standard says not to use).

Re:Does this surprise anyone?

[Paracelcus]

"That only works if you can crack the current key (whichever it may be) in the required XX hours."

My point exactly!

How many supercomputers do need to decrypt 50 gigs of strong encryption in less than 24 hours?

Rotate your keys

[Legion_SB]

With good keys, even a 100x increase in cracking speed is still not fast

Don't use a little 8-character passphrase. Use long keys, and don't just leave them in place forever. Change them periodically.

Re:Rotate your keys

[JackassJedi]

Better even, change them randomly.

Re:Rotate your keys

[Kjella]

Rotating keys is not a smart way to try to extend the keyspace, if he can brute force one password he can quite probably do it again. Rotating passwords is a good idea if unwanted people may have had access to the password or a device it was on like say in a corporate network, guest network or whatever. For the traditional home network where the overwhelmingly likely scenario is that he's got no inside knowledge, just set one password at maximum length with some special characters so you're using the full keyspace. He'll have a much harder time breaking one 128 bit key than ten 80 bit keys.

Re:Rotate your keys

[Legion_SB]

He'll have a much harder time breaking one 128 bit key than ten 80 bit keys.

Which is a meaningless statement, because it's not a choice between one strong key versus ten lesser keys.

There's nothing stopping anyone from using ten strong keys.

if he can brute force one password he can quite probably do it again.

That's true, but misses the point. The POINT is that if it takes a loooong time to break a key (as it does with strong WPA/WPA2 keys), changing the key closes the window on successful cracks. By the time he cracked the old key, you've moved on to a new one. Keep using fresh keys, and you significantly reduce the window of opportunity for a brute force attack on any given key.

Re:Rotate your keys

[Tatsh]

How many people at home really care? I have WPA (cannot enable WPA2 because one laptop does not support it for now) and a decently long password with capitals and numbers in not-so-predictable places. I still see a TON of open or WEP-encrypted neighbourhood wi-fis just driving around, especially when I was a 'on-site tech'. For the people I worked with I tried to explain the importance and used the extreme example of someone coming in, downloading child pornography, and then leaving. I certainly would never want that to happen to me. How do you claim non-fault when it is YOUR network?

Overall, consumers do not realise why it is important to enable AT LEAST WEP. It just makes it so the 'wardriver' has to do at least a little work. Besides, I have seen so many non-encrypted networks where even the administration for the router settings were not even touched. I could log in with the default user name and password and potentially change things and even disable Internet. The owner would probably not know what to do, and they think they are safe simply because of the neighbourhood they are in. I am not sure how people treat their wireless in a place like NYC (I imagine there are many more informed people on security than in the 'sticks' neighbourhoods like mine). WPA is not uncrackable, it is just harder to do so. Dictionary attack is pretty much guaranteed not to work if the consumer is smart enough to not make a word password.

Unfortunately for DS owners, Nintendo is in backwards world and still will not add WPA to their device (but that is another story).

Re:Rotate your keys

[robosmurf]

Rotating the keys doesn't help that much to close the window for attacks.

Cracking a key is a matter of chance. At a certain rate of checking trial keys, you'll have a certain chance in an hour of cracking it (except that admittedly the chance does go up with time with a fixed key as you exhaust possibilities).

As long as the attacker is constantly attacking the currently active key, then it's not much harder to break a changing key than a fixed one. Though with a fixed one, there is an upper bound (once the entire keyspace has been checked) on how long it can take.

It is helpful though for is shutting out an attacker once they have got in. But that assumes that you are not pushing out new keys over the network.

Re:Rotate your keys

[John+Hasler]

> Overall, consumers do not realise why it is important to enable AT LEAST WEP.

They don't know. They went to Best Buy, they bought the box, they took it home, they plugged it in, and it worked. It hasn't occurred to them that there any more to do.

The manufacturers are partly at fault. They could at least make the serial number the default password and enable WEP, but they're terrified of the sales they'll lose when the consumer plugs the box in, finds that it "doesn't work", and returns it to WalMart.

> I am not sure how people treat their wireless in a place like NYC (I imagine there are
> many more informed people on security than in the 'sticks' neighbourhoods like mine).

I hope you are not implying that you think a larger fraction understand security in NYC.

Re:Rotate your keys

[Kjella]

Which is a meaningless statement, because it's not a choice between one strong key versus ten lesser keys.

There's nothing stopping anyone from using ten strong keys.

In theory that's true, in practise try keeping a family network with say 3-4 laptops going with rotating keys like "aDgWTgGS&)=DG&%T4/3fDH5d532NF3" and see how long it lasts before you're cursed at and asked to turn that damn thing OFF! Because you are talking about typing in that manually each time it changes, not broadcasting a new key on the wireless which the WPA standard already does, right?

Re:Rotate your keys

[RiotingPacifist]

Actually changing keys weakens your security.
Assuming your not using one of the 1000 most popular wifi names, an attacker will first have to generate possible keys for your system (slow as hell) then he will have to compare them to the captured packets (really quick)
If an attacker can tell youve changed your password (or if he gets lucky and thinks you have) then he has a better chance of guessing your one of your keys.

chance of correct guess = (number of keys)/96^(length of key)

I mean the important factor is still the key length (96 times more important to be exact) but bad advice is still bad advice

with 1 key i the attacker checks 1/2 the key space he has 50% chance off success
with 2 keys he has a 75% chance of success
with 4 keys he has a 93% chance of success

Re:Rotate your keys

[brusk]

I hope you are not implying that you think a larger fraction understand security in NYC.

Probably not the case, but in densely populated areas there is more likelihood that an open router will be heavily used, to the point of affecting the uninformed user's bandwidth, so that the user looks at the router manual to figure out how to stop it. In a less densely populated area, that's less likely to happen, so for a given level of initial user ignorance you'll end up with a higher rate of encryption (and, in the process, people will learn about security).

Re:Rotate your keys

[Eskarel]

I don't think you understand how crypto, or for that matter computers, work.

Generating the key space is not hard, it's time consuming because there's a whole lot of entries. Testing that key space involves going through each and every entry and testing that entry. The test is actually computationally more intensive than generating the next key, so trying to "generate the key space" and then "testing against what you generated" would be just about the most mentally defective way to do this as you'd spend more time pulling the next bit of data from disk than you would generating it from scratch.

The key space is not hard to work out. For WPA it's the full set of characters that can be entered using a keyboard(unicode supports 95,156 plus control codes which probably don't work)to the power of the number of characters you've entred.

Realistically you're going to be looking at far less than that because people are unlikely to use anything that's not directly on their keyboard, but the point is the same.

Re:Rotate your keys

[Walles]

Change [your keys] periodically.

That could be dangerous advise. What kind of attack scenario are you protecting yourself against by changing keys periodically?

Re:Rotate your keys

[RiotingPacifist]

I dont think you understand how WPA cracking works. Perhaps i used the wrong word when i said keyspace, im no cryptography expert. What i meant was computing the hash into a form where you can compare it with the captured packets takes a long time, but comparing it doesn't

a quick read of church of wifi tells us that a computer with 15 GPUs could manage ~9000 hashs per second, even with a 20fold speed increase ~180,000 hashes per second, a p3/700 could check 18,000 of these hashes a second, so a dual core 2.5ghz machine can probably compare 180,000 hashes per second ( i couldnt find any benchmarks or comparison to p3/p4 flops to verify the speed increase ). So while the 1st run of an attack requires substantial power to generate the hashes (unique for your SSID) a 2nd attack will be 1500 times faster (or 75 if the checking speed isnt affected by the "breakthrough")

Realistically if you know the victim changes the passkey you only need to generate the hashes for a smaller subset of the all the possible passphrases to get the same chance of success, thus reducing the attack time and security of the system

t = G/n + nC
where
( t is the time taken for an attack , G is time taken to generate hashes , C is time taken to check the keys, n is the number of key)

Assuming G = 75C [ its probably still 1500 ] for the same chance of success
1 key takes 76 time units (75 to generate 1 to compare) [1501]
2 keys take 39.5 time units [752]
9 keys take 17 time units [196.5]
above 9 keys the attacker can just take a sample of 9 keys to work on

Changing keys does mean that if your key is broken youll loose less data however it does weaken your security and the time to get all your keys is still 75+n unless you change your SSID with your key changes

Newsflash: Most "Business Networks" Aren't Secure

[Llywelyn]

Most businesses I've seen have had easily guessable passwords, used open relays, or WEP encryption. Many don't change their keys even after firing someone. Saying that this is a "death knell" is serious hyperbole since, for many companies, convenience trumps hardened security.

That said, the biggest risk is still always going to be insiders and former insiders who won't need to crack into the wireless network: they will already know how to get access.

Thats not really news...

[imsabbel]

There is no special flaw or exploit in use. They just throw more transitors at a special problem.

Everybody who really want to crack into some network (think NSA or industrial espionage) could have used FPGAs for even bigger gains.

And for joe sixpack, weeks on a small cluster is still not a viable way for free internet...

Re:Thats not really news...

[stinerman]

Exactly.

Apparently you can brute-force easily guessable passwords. Film at 11.

Re:Thats not really news...

[Pentium100]

While I am not your average user, if there were no internet connection where I lived (but I could "see" a wireless network) or the only available was quite bad, I would get that which was available and then wait years until the wireless network was cracked.

Thankfully, I have a quite good internet connection 2x (4096kbps down 768kbps up)(two connections - one ADSL and the other free wireless from the same provider), and also see a lot of OPEN networks, one has a very good signal strength and it is my "unofficial" backup connection. If that also fails, there are about 20 more available once I connect a 7db antenna to my laptop or access point.

Re:Thats not really news...

[ksd1337]

And for joe sixpack

Palin? Is that you?

Re:Thats not really news...

[the_B0fh]

No, she's off making backups of her yahoo email account per court orders

Re:Thats not really news...

[dbIII]

The problem is now a botnet IS a cluster, and not a small one at that. While still unlikey I suppose it makes short passwords vunerable. Wireless security people were already suggesting that your wireless connection should be just as untrusted as your net connection anyway.

Why does wireless security suck so bad?

[mcrbids]

Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks. I'm not saying that WPA is as bad as WEP, but how come they can't copy/paste something as good as good old-fashioned SSL?

SSL has withstood the tests of time, over, and over, and over, and over again. SSL is the gold standard for encryption. It's used on every HTTPS website, it's used for SSH, it's used as part of kerberos, IMAPS, POPS, TLS, and just about every other good-quality security tool.

So why are wireless chipset manufacturers trying to re-invent the wheel, when it's widely known that these kinds of wheels are FRIGGEN HARD to re-invent well?

Start with normal, unencrypted wireless. Getting that to work was solved long ago. Embed an SSL engine into your wireless device, with a randomly generated private key. Provide a means to access the public key, and copy/paste that key into your high security wireless driver. If you want to be paranoid, your local driver generates a private/public key pair as well, and that can be copy/pasted to your wireless device.

Done! Now you *KNOW* that if you are accessing the Internet through the driver, you are doing so through the correct wireless hotspot. Who cares about wireless MITM attacks at that point? The SSL protocol *ASSUMES* that there are MITM attempts, and foils them quite effectively, over the equally open and unsecured Internet.

Seriously, folks. This is a problem that was solved over a decade ago. Why are we doing this again?

Re:Why does wireless security suck so bad?

[swillden]

Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks.

"Seem" is the key word in this paragraph.

The claimed attack is nothing more than a brute force search on WPA/WPA2 pre-shared keys, a search that will fail if the keys are well-chosen. It has no effect whatsoever on WPA or WPA2 when used with any of the EAP authentication modes. But PSK requires the network admin to choose a key, and the key is typically chosen by typing in a passphrase. If that passphrase is weak, then given enough computation power an attacker can guess it. Big surprise.

WPA and WPA2 ARE just as solid as SSL. The only difference is that everyone knows that if you're doing SSL you should use a good random number generator to help generate your key pair and to generate the session keys.

Re:Why does wireless security suck so bad?

[Shados]

So what you're saying is, since I'm using the longest freagin key that my router allows, and I used a cryptosecure generator to create it (its totally random), I'm more or less safe?

Re:Why does wireless security suck so bad?

[Dahan]

40-bit SSL was broken over a decade ago. "But everyone uses 128-bit keys! It's not SSL's fault if someone chooses to use such a short key!," I hear you exclaim. Well the same thing applies to WPA. Choose a strong key and you'll make brute force attacks impractical. And as for MITM attacks, do you really want to pay some CA a yearly fee so you can use your wireless network? I guess if you know what you're doing, you can set up a self-signed certificate and tell your access point to only trust that cert, but that's beyond the ability of the average user who just wants to watch Youtube on their laptop. And if you do know what you're doing, a pre-shared passphrase isn't the only way to authenticate--you can use certificates if you're willing and able to set up the infrastructure for it. In fact, EAP-TLS is basically the same protocol as SSL.

Re:Why does wireless security suck so bad?

[GrenDel+Fuego]

What you're describing is EAP-TLS, and its definitely the way to go if you're running wireless for a larger business.

Re:Why does wireless security suck so bad?

[Simon+(S2)]

Yes.

Re:Why does wireless security suck so bad?

[databeast]

Better yet, use 802.1x (WPA + RADIUS) which completely avoids all the key-exchange weaknesses of WEP and WPA.

Re:Why does wireless security suck so bad?

[buchner.johannes]

If you are wise, you will use encryption on higher OSI layers for your important services anyway. Also, a WPA/WPA2-password doesn't protect you from other legimate users in the network sniffing on you ...

Re:Why does wireless security suck so bad?

[donkeyoverlord]

How secure is data when using EAP-TLS? I understand that the device is authenticated by a certificate and the users credentials are also validated. But what protects the data? WEP? WPA2? TLS?

Re:Why does wireless security suck so bad?

[Pentium100]

I used this. Not so for the security (I think a 63 character really random password would be enough), but for convenience - it was easier to copy two files (user certificate and CA certificate) to my cell phone than type ten 63 char password (which for some reason was reset after each phone reboot)...

Now I do not use wifi for my local network. For some reason the AP usually failed to authenticate users, so I scrapped the idea and now use the same AP as a client to my ISPs wifi network. It works now...

Re:Why does wireless security suck so bad?

[dpilot]

So this means that though I'm using the longest key my router allows, because I only used a decent pseudorandom generator instead of a true random generator, I'm toast. Oh, Noooooooooo!

Incidentally, I've usually powered my wireless router off when I'm not going to be using it. But then at some point I realized that cracking requires snooping on a successful connection. If there's no successful connection, about all they can get is my SSID.

Re:Why does wireless security suck so bad?

[eric2hill]

Almost, but your key may not be as truly random as you might think. Post your key here so we can verify it's really secure.

Re:Why does wireless security suck so bad?

[GrenDel+Fuego]

EAP-TLS is used for the key exchange process. The encryption used for the connection can either be TKIP, which uses rotating RC4 keys or CCMP which uses more secure AES encryption keys.

CCMP is the more secure choice, but is incompatible with older wireless cards. If you care about the security of your network, you are better off choosing hardware that supports CCMP.

Re:Why does wireless security suck so bad?

[jd]

Well, SSL is one option, sure. Sun's SK/IP system would be another, since it was designed with unreliable connections in mind. Requiring client-side certs and using any of the public-key systems (ECC, for example) would be vastly superior to a shared key system. If privacy is not as big of a concern as just authenticating who sent the packets, 802.1x offers some interesting possibilities. Of these, how many are implemented in low-cost COTS wireless devices? 802.1x appears in a few, but not many. The others - well, "none at all" might be an overestimate. Sure, you can roll your own image for some wireless routers, so you can install something like ENSKIP (the Linux version of Sun SK/IP), but that ceases to be a true COTS solution, and businesses are fanatical about COTS-only as it means they can blame someone else when things screw up.

(The ability to blame someone else is vitally important in any country where lawsuits are commonplace but accountability is optional. Why do you think the British government outsources security? They don't trust GCHQ's experts? Or because it becomes Somebody Else's Problem - SEP fields are wonderful things - and they get to fingerpoint?)

Re:Why does wireless security suck so bad?

[Tuoqui]

Problems...

1) SSL as it stands for HTTPS and what not typically uses key lengths anywhere from 128-bit all the way up to 4096-bit.
2) WEP/WPA requires the router to decrypt all packets over the wireless network so it can route them.
3) Longer keys = More Processing power required.
4) Encrypting and Decrypting everything may involve a performance hit without more processing power.

End Result: You want it more secure, the router is gonna need more RAM and CPU power to pull it off which means instead of picking up a wireless router for $40-60 for consumer grade stuff it'll probably end up more like $80-120.

Re:Why does wireless security suck so bad?

[dgatwood]

Okay. My key is 1...

2...

3...

4...

...

...

5.

Re:Why does wireless security suck so bad?

[SCPRedMage]

It's rather trivial for an attacker to de-authenticate your systems and force a reconnect...

Re:Why does wireless security suck so bad?

[Anonymous+Brave+Guy]

Must...

not...

Uuuuuuungh...

<slashbot>That's amazing! I've got the same combination on my luggage!</slashbot>

Grrrraaaaaaaaaaaaaaaaaargh! Damn you, dgatwood, and your Spaceballs meme!

Re:Why does wireless security suck so bad?

[ProzacPatient]

I was thinking something along the lines of that. Basically if worse came to worse you could tunnel pre-encrypted data over the air so if your WPA fails then the hacker mob has a whole different beast to deal with.

Re:Why does wireless security suck so bad?

[WK2]

Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks. I'm not saying that WPA is as bad as WEP, but how come they can't copy/paste something as good as good old-fashioned SSL?

Wow.

1) WPA is good. It has never been broken. 2) SSL has never been broken, but there have been implementation problems in the past, as with WPA 3) SSL (asymmetric encryption) is inappropriate for this type of communication, because: a) asymmetric encryption is not as secure as same keysize symmetric encryption b) asymmetric encryption requires a lot more processing power

WPA uses AES, which is a good choice. The sun will burn out before a random WPA key is cracked (at modern computer speeds). In contrast, industry standard 128-bit or 256-bit SSL takes hours or days to crack on a single modern computer, and 1024-bit SSL would take years for a supercomputer.

SSL is designed for another purpose entirely, and is inappropriate for low level wireless security.

I am sure that you felt that your suggestions were good when you made them, but it is important to understand that you don't understand encryption well enough to make good suggestions. Your suggestion of using standard, well-proven communication methods, however, are good. And that is why we will be continuing to use WPA.

Re:Why does wireless security suck so bad?

[TheRaven64]

Meh. I just have a one-time pad sent back in time containing the key for decrypting all of the data I will want to download from background cosmic radiation. Radio is so passe.

Re:Why does wireless security suck so bad?

[swillden]

But if WPA/WPA2 can be made weaker as a protocol by the user's choice of a weak password, then it's a flawed protocol. If the protocol is created correctly, the most a user's choice of a weak password should compromise is to make it easier for an unauthorized user to gain access to the wireless access point. It should not allow the attacker to monitor traffic between the access point and other connected clients.

That is the case with WPA and any of the enterprise authentication modes. The reason WPA-PSK isn't better is becuase using DH key agreement or anything similar would require some additional infrastructure in place to prevent MITM attacks.

Re:Why does wireless security suck so bad?

[omuls+are+tasty]

I am sure that you felt that your suggestions were good when you made them, but it is important to understand that you don't understand encryption well enough to make good suggestions.

Encrypting everything with asymmetric encryption would be idiotic. SSL/TLS designers are not idiots. SSL only uses asymmetric encryption for the key exchange, though other methods can be used as well. After that, it switches to one of the symmetric algos.

Re:Why does wireless security suck so bad?

[RiotingPacifist]

if 40bit was broken a decade ago, wouldn't 256bit be broken now?
120/18 ~= 64 times the computational power

Re:Why does wireless security suck so bad?

[dpilot]

My point was that right now, nobody is authenticated to my wireless at all. Where there is no connect there can be no reconnect. My wireless router is simply sitting there broadcasting its SSID, and there are no conversations to sniff or de-authenticate. It's about as safe as unplugged.

To be honest, I forgot which wall-wart the wireless is on, and which wall-wart powers my main switch. I suppose I could trace the wires or trial-and-error, but so far I've been lazy, and it's been nice having a few extra ports.

Re:Why does wireless security suck so bad?

[zippthorne]

You want it more secure, the router is gonna need more RAM and CPU power to pull it off which means instead of picking up a wireless router for $40-60 for consumer grade stuff it'll probably end up more like $80-120.

The only problem with this is that $40 routers have been a reality for much longer than 18 months. Therefore, there is now more than enough RAM and CPU available for that price to do it in consumer gear.

On the off chance that you mean that today it'd end up costing that much, I would point out that that range is well within the pricing of the top-priced consumer gear on the market.

Re:Why does wireless security suck so bad?

[WK2]

Thank you for your insight on the details of how SSL works, oh wise and powerful omuls. However, it has got nothing to do with the topic at hand, unless you are suggesting that SSL is indeed just as fast and secure as symmetric encryption, just because it uses symmetric encryption at a lower level. Of course, that would be idiotic, because the key-exchange part of SSL is still slow, still the weakest point against cracking, and useless in the case where symmetric encryption can and should be used from the start.

Thinking back, I never even mentioned MITM attacks, which an SSL-based router would be vulnerable to.

Re:Why does wireless security suck so bad?

[Nursie]

SSL is the gold standard for encryption.

It's good, but I wouldn't go that far. Also, all the cool kids are calling it TLS these days.

It's used on every HTTPS website,

That's what https:/// means

it's used for SSH,

No it isn't, that's a different protocol. It's also good, but it's not the same thing.

Re:Why does wireless security suck so bad?

[B+Nesson]

Maybe you can take a look at mine. It's '4444444444444444444444444444444444444444444444444444444444444444'.

I know, I know, it doesn't look very random. But you can never really be sure with random numbers, you know?

Re:Why does wireless security suck so bad?

[dieman]

I agree with this -- I don't think that WPA/WPA2 enterprise can be any worse than the security of SSL.

Re:Why does wireless security suck so bad?

[omuls+are+tasty]

It's really preposterous that you're prompt to make condescending remarks such as the one I quoted in the first paragraph of my post, yet obviously have never heard of TLS-PSK

.

F@H

[Kooty-Sentinel]

I wonder how long it would take for the entire Folding@Home grid would take to crack a single WAP/WAP2 key. Can anyone do the math?

Re:F@H

[93+Escort+Wagon]

I wonder how long it would take for the entire Folding@Home grid would take to crack a single WAP/WAP2 key. Can anyone do the math?

So that would be Cracking@home?

Re:F@H

For a ballpark:

total time / number of active cpu's

From another comment:

Brute Force Attack will take up to 128299838271 years at 500,000 passwords a second.

And F@H has well over a million users (but less than 2, and many inactive), so I'll highball guesstimate at 2million.

The result: 64,150 years, optimistically.

Re:F@H

[Krabbs]

Even combining all the computing power in the world the sun will have become a red giant and burned all life from this planet before you have broken a 256 bit AES key by brute force.

Re:F@H

[plasmacutter]

I hope you applied a logarithmic curve to that to account for moore's law.

Re:F@H

[zippthorne]

Yeah, but there's a 3000th % chance that they'd guess it a mere 10 weeks.

Re:F@H

[Sam00]

F@H has around 300,000 active CPUs right now. If a cpu is a machine then, a 8-digit pass takes 22 minutes, a 9-digit takes 22 hours, a 10-digit takes 57 weeks, and a 11-digit takes 10 years. (lower/upper/digits) Impressive that even with 300,000+ machines it takes quite some time.

Re:Newsflash: Most "Business Networks" Aren't Secu

In terms of quantity of seperate attacks, partner networks and outsiders are the biggest risk. In terms of records stolen per breach (still arguably not the biggest risk, since Verizon didn't report cost/record) insiders were top.

http://www.verizonbusiness.com/resources/security/databreachreport.pdf [pdf]

Wires.

Proof that the best solution, by far, is to use wires. Wireless is fine when you don't care what's being sent over them (browsing, etc), but for any serious business or otherwise sensitive information, I want to be plugged into an actual, physical network. Not that it's 100% secure, of course, but at least your information isn't flying around in the air waiting for someone to decrypt it, and given time, *anything* can be decrypted.

I will never own a wireless router in my home for that reason.

Re:Wires.

[jjohnson]

What are you doing in your home that shouldn't be seen by anyone else? How's that basement fusion reactor going?

Re:Wires.

[Ash-Fox]

What are you doing in your home that shouldn't be seen by anyone else?

Using credit cards, online banking, personal e-mail, personal instant messages, personal voice calls...

Re:Wires.

[aaron.axvig]

Yet you probably give your credit card to a waitress at several restaurants per month, who walks off with it to who knows where.

Re:Wires.

[rtfa-troll]

• Being there or not being there. When you leave your wife/girlfriend/etc. alone at home for a long time should be nobody's business but your own.
• Sex.
• Bathing children. Note; your own opinion of this is irrelevant. The question is, for example, whether photos could be illegal and used against you.
• Not wanting to be interrupted whilst dying of a "prolonged illness".
• memorising my new PIN number
• Nobody's business but my own.

Privacy is a security issue.

Re:Wires.

[Free+the+Cowards]

What makes you think that your traffic isn't being snooped and recorded just because it's running over wires?

Re:Wires.

[Creepy+Crawler]

Ok. Try this:

Take your receipt and your credit card. Now put the receipt OVER the raised numbers and your name. Now holding the paper steady, rub and imprint the paper with the raised letters and numbers.

Now, flip over to the security number. remember the 3/4 digit number on the back.

You just duplicated that card and nobody will ever know.

RFIDs are even easier. Scan and save. meh.

Re:Wires.

[jonaskoelker]

given time, *anything* can be decrypted.

Do you really care what happens after the heat death of the universe? Or when your great-great-grandchildren have all died. Or just whet you are dead?

For really massive RSA keys, we may be talking about these time scales.

Also, if you can decrypt the one-time pad, please show me your algorithm. If you don't know it, here's the brief version: I think of a number, either 0 or 1. Then I flip a coin, with heads=1. You get to look at the coin, and have to tell me which number I'm thinking of.

Your statement is true, but in its current form is not really relevant to your point. You may want to be more specific.

Re:Wires.

[eniacfoa]

UK gov is launching a program to spy on the entire populations email and phone calls. Its already received 1 billion pounds in funding. Once its in operation, I can't see it not being the envy of all western governments and they will scramble to build their own database's...

Re:Wires.

[Ash-Fox]

Take your receipt and your credit card. Now put the receipt OVER the raised numbers and your name. Now holding the paper steady, rub and imprint the paper with the raised letters and numbers.

Now, flip over to the security number. remember the 3/4 digit number on the back.

Generally, you're supposed to be the only one who touches the card and receipt. But, I will just take the assumption that someone somehow got my card details.

You just duplicated that card and nobody will ever know.

If anyone uses my card, I get a SMS instantly about each transaction - I can block the card immediately (though a automated telephone system) and get the charges reversed if something happens.

Re:Wires.

[Ash-Fox]

How is this flamebait? They really do bring the card reader to the table.

Worst case scenario, I walk up to the till and use the card reader there.

Oh, pull the other leg...

[subreality]

This is seriously overhyped. #1:

This anouncement effectively signals the death of wireless networking in business networks;

Bullshit. The underlying encryption is based on AES*. AES is not a toy algorithm, and is designed to defend against specialized cracking hardware, and all other known attacks. It is *plenty* strong enough to hold up to a 100X increase in cracking speed, as long as you use good keys, which hopefully you are in a business environment.

I'm willing to believe that a key handling vulnerability might exist in WPA, or a flaw in AES, but the notion that brute force has brought about the death of WPA in business networks is just absurd. At best, this is a reminder to use good keys.

any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether.

Do you think your VPN software has a better underlying algorithm than AES?

* Unless you're using TKIP, which is a toy algorithm, which exists for backwards hardware compatibility, and in my experience isn't used by anyone who cares about security... But even there, the potential attack vectors are through algorithm weaknesses, not brute forcing the keys.

Re:Oh, pull the other leg...

[secmartin]

When used with any authentication scheme that is *not* PSK-based, WPA is still pretty secure. VPN connections are perfectly fine as well, as long as you don't choose a simple guessable pre-shared key...

Re:Oh, pull the other leg...

[Kizeh]

Also, any real business (even my university) is using WPA2-Enterprise, which is AES / 802.1X based. There are not pre-shared passwords that suffer from possibly being too short, and each client negotiates the actual encryption per connection, and there's re-keying so even if you could crack the encryption for one client at one time, you still would have to repeat the task for every other client and other sessions.

Re:Oh, pull the other leg...

[swillden]

I'm willing to believe that a key handling vulnerability might exist in WPA, or a flaw in AES

WPA does not use AES. WPA2 does.

Unless you're using TKIP, which is a toy algorithm, which exists for backwards hardware compatibility, and in my experience isn't used by anyone who cares about security

Umm, WPA is the Wi-Fi Alliance's name for WEP+TKIP. It's no toy.

Re:Oh, pull the other leg...

[virtual_mps]

Umm, WPA is the Wi-Fi Alliance's name for WEP+TKIP. It's no toy.

No, the GP was right--WPA is a joke in terms of security, and any serious installation should be using WPA2. (Which is really IEEE 802.11i, a reasonably good international standard for wireless security. WPA is a stripped-down subset of 802.11i for manufacturers too cheap to implement the full standard [which requires them to implement a strong encryption algorithm].)

Re:Oh, pull the other leg...

[spinkham]

WPA-TKIP was built as a "transitional" standard. It is good enough for today, but we expect that to not last for very long.

WEP=breakable by your grandma.
WPA-TKIP = very little security margin, was designed for a 5 year "transitional" period to move to AES. Not recommended for long term or high security use.
WPA2-AES = strong.

Re:Oh, pull the other leg...

[swillden]

No, the GP was right--WPA is a joke in terms of security, and any serious installation should be using WPA2.

Care to support this with ANY evidence that it has been broken or rationale as to why it could be broken? It's a bit ugly, but the logic behind it is solid. Barring new weaknesses discovered in RC4, WPA is and will be quite secure.

Re:Oh, pull the other leg...

[swillden]

WPA-TKIP = very little security margin, was designed for a 5 year "transitional" period to move to AES. Not recommended for long term or high security use.

Care to support this, or explain why WPA has "very little security margin"?

AFAIK, there is no research that indicates that WPA will ever be broken, barring discovery of new weaknesses in RC4.

Re:Oh, pull the other leg...

[spinkham]

Sure. Briefly, Micheal sucks.
The Michael MIC sucks so badly in ways we know about that the spec says you need to drop the connection for 1 minute if you detect any possible tampering. It was chosen in order to be able to be implemented on the hardware of the day without much performance loss, not for security.
WPA with TKIP is still considered strong, though theoretically attackable for today, but I will be greatly surprised (as would the designer of the MIC) if it lasts much longer.
Once the MIC falls, the scheme becomes open to similar attacks that killed WEP.

The plan espoused by most wlan security people is get the heck off WEP 5 years ago towards something stronger, and be planning all your new equipment purchases in order to get off of WPA-TKIP to WPA2-AES soon.

Here's a supporting blurb from the 802.11i standard that defines the basis for WPA and WPA2:

The TKIP MIC trades off security in favor of implementability on pre-RSNA devices. Michael provides only weak protection against active attacks. A failure of the MIC in a received MSDU indicates a probable active attack. A successful attack against the MIC would mean an attacker could inject forged data frames and perform further effective attacks against the encryption key itself. If TKIP implementation detects a
probable active attack, TKIP shall take countermeasures as specified in this subclause. These countermeasures accomplish the following goals:

MIC failure events should be logged as a security-relevant matter. A MIC failure is an almost certain indication of an active attack and warrants a follow-up by the system administrator.

The rate of MIC failures must be kept below two per minute. This implies that STAs and APs detecting two MIC failure events within 60 s must disable all receptions using TKIP for a period of 60 s. The slowdown makes it difficult for an attacker to make a large number of forgery attempts in a short time.

As an additional security feature, the PTK and, in the case of the Authenticator, the GTK should be changed.

From http://standards.ieee.org/getieee802/download/802.11i-2004.pdf section 8.3.2.4
Also:

The confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP. TKIP is designed to operate within the hardware limitations of a broad class of pre-RSNA devices. TKIP is suitable for firmware-only, hardware-compatible upgrade of fielded equipment. RSNA devices should only use TKIP when communicating with devices that are unable or not configured to communicate using CCMP.

Section 8.3.1 of 802.11i-2004, emphasis mine

Also see Security Analysis of Michael: the IEEE 802.11i Message Integrity Code

Re:Oh, pull the other leg...

[swillden]

I'm aware of the Michael weaknesses, and they do provide an avenue for either DoS or perhaps even data corruption attacks, but what people are typically worried about with wireless security is the integrity of the encryption, and MIC weaknesses don't affect that at all.

Re:Oh, pull the other leg...

[virtual_mps]

You mentioned yourself that the encryption is based on RC4 (and then talked about "potential new weaknesses", which is weird, because RC4 has already been attacked quite a bit and is deprecated for any new application). More importantly, the TKIP algorithm depends on an integrity check routine based on a home grown hash called Michael which is cool from a "wow, they managed to shove a lot into obsolete hardware" standpoint, but is a material weakness compared to the CCMP implemented in 802.11i. Look at it this way: for most intruders, WEP (hell, even ROT-13) would be sufficient to protect your network. If you think that your level of risk necessitates encryption, why would you be using a solution which has known weaknesses compared to another solution which uses the best available cryptography? (It's also worth pointing out that this isn't a unique opinion--the reason 802.11i looks like WPA2 instead of WPA is that, based off discussions I had with people involved in the process at least as far back as '02, there was no chance that it would be approved by IEEE without standardizing on strong cryptography.) WPAs stated goals (look it up, the docs are there although increasingly hard to find since WPA2 was announced) were to paper over the worst problems with WEP, to give a little more life to hardware which couldn't handle stronger algorithms, and to provide a bridge to full 802.11i by allowing people to start implementing 802.1x EAPs. Note that none of those goals are anything like "implement the strongest available cryptography" or "deploy long-term wireless security". At this point everything you can buy implements WPA2, so why would you even consider using WPA?

Re:Oh, pull the other leg...

[swillden]

You mentioned yourself that the encryption is based on RC4 (and then talked about "potential new weaknesses", which is weird, because RC4 has already been attacked quite a bit and is deprecated for any new application).

RC4 has issues if you use the first few bytes of the keystream (a fact that was well-known long before WEP was created), but in 20+ years of cryptanalytic attacks that is the only weakness that has been found, and given that it's THE most widely-used stream cipher, that's a pretty strong indication that, barring new cryptanalytic techniques, RC4 is not likely to be broken soon.

More importantly, the TKIP algorithm depends on an integrity check routine based on a home grown hash called Michael which is cool from a "wow, they managed to shove a lot into obsolete hardware" standpoint, but is a material weakness compared to the CCMP implemented in 802.11i.

A weakness how? Michael's deficiencies might enable DoS attacks, or perhaps even random packet corruption, but it doesn't have any effect on the security of the encryption.

At this point everything you can buy implements WPA2, so why would you even consider using WPA?

You wouldn't, obviously. Given a choice, there's no reason not to choose WPA2. That's completely different from your claim that the security of WPA is "a joke", however. If you're running an old access point that doesn't support WPA2, there's no reason to run out and replace it. WPA security has not been broken and is not likely to be broken any time soon.

Re:Oh, pull the other leg...

[virtual_mps]

RC4 has issues if you use the first few bytes of the keystream (a fact that was well-known long before WEP was created), but in 20+ years of cryptanalytic attacks that is the only weakness that has been found, and given that it's THE most widely-used stream cipher, that's a pretty strong indication that, barring new cryptanalytic techniques, RC4 is not likely to be broken soon.

For example, see http://en.wikipedia.org/wiki/Rc4#Security
which lists far more than the first few weak bits issue. After a point, enough "theoretical weaknesses" add up to a crypto system which is past the expiration date.

A weakness how? Michael's deficiencies might enable DoS attacks, or perhaps even random packet corruption, but it doesn't have any effect on the security of the encryption.

Because Michael is part of the TKIP strategy to prevent replay attacks. The mitigation for the weaknesses in Michael is to drop the session if there are more than two errors (which then leads to the DoS possibility, but note that the DoS was added to mitigate--not solve--problems with Michael).

So I guess the evaluation depends on your definitions. If you want to say that WPA is fine until someone invents a GUI for reading anything on the network, I guess it's fine. (Of course, so is WEP for many use cases in the real world.) I personally define "joke" security to be based on things that are known to be weak in the hope that nobody has put all the known weaknesses together into a simple exploit (as opposed to basing the security on the best available techniques). If you've got a risk assessment that says people are actively trying to break your security, WPA is not for you. If you've got regulatory requirements to use strong crypto, WPA is not for you. If you don't think crypto attacks are a risk and you have no requirements, why even have the conversation? Use WEP or plaintext and be happy. I think it's dangerous to imply that WPA is just as good as WPA2, and there's no need to change, because you're setting people up for a really bad day when WPA is finally broken and they have to scramble to deploy something they should have already deployed.

Re:Oh, pull the other leg...

[swillden]

For example, see http://en.wikipedia.org/wiki/Rc4#Security which lists far more than the first few weak bits issue.

Umm, you need to go re-read that page. All of the described weaknesses are bias in the first few bytes, with the exception of the combinatorial problem, which doesn't really belong in the "weaknesses" section.

If you want to say that WPA is fine until someone invents a GUI for reading anything on the network, I guess it's fine.

Bah. The present state isn't just a lack of script kiddie tools. The present state is that no one knows ANY way to defeat WPA's encryption.

I personally define "joke" security to be based on things that are known to be weak in the hope that nobody has put all the known weaknesses together into a simple exploit (as opposed to basing the security on the best available techniques).

So by your own definition, WPA's security is not a joke.

I think it's dangerous to imply that WPA is just as good as WPA2

Who said that WPA was just as good as WPA2? Not me. All I said is that it's perfectly adequate at present, and for the foreseeable future barring some new cryptanalytic results.

It's highly likely that WPA2 is stronger than WPA (barring cryptanalytic results against AES which, it should be pointed out, is much younger than RSA and which many cryptographers think may have insufficient rounds -- 7-round AES has been broken, and the cipher only uses 10 rounds. Also, several implementations of AES have been shown to be vulnerable to timing attacks, against which RC4 is inherently resistant. Does all of this make AES a "joke"?).

You're setting people up for a really bad day when WPA is finally broken and they have to scramble to deploy something they should have already deployed.

I see no evidence that this is at all likely.

Re:Oh, pull the other leg...

[virtual_mps]

Umm, you need to go re-read that page. All of the described weaknesses are bias in the first few bytes, with the exception of the combinatorial problem, which doesn't really belong in the "weaknesses" section.

Ditto. The first weakness was in the first 2 output bytes. Then there was a weakness in the first 512 output bytes. Current thinking is to discard the first 3k or so. There's a trend there, which intersects at "discard all output bytes". I think it's disingenuous to paint a rosy picture of an encryption algorithm that's had practical attacks described on its output as long as you just dump that part of the output (because, presumably, the rest of the stream is fine?)

3DES

[Detritus]

The article says that 3DES has been broken. I think they are mistaken. DES was cracked by a brute force attack but 3DES is still considered secure.

How is their distributed processor system going to crack a 128-bit key that has 128 bits of entropy? Maybe the solution is to update the wi-fi software to make it easier to generate, transport, and install, truly random keys.

Re:3DES

[secmartin]

Mea culpa, I just updated the article. I meant DES of course, 3DES is about 2^52 times more secure.

Re:3DES

[this+great+guy]

The more common variation of 3DES uses 3 keys and provides effectively 112 bits of security. This is 2^56 more secure than DES, not 2^52.

Security vs Usability

[xswl0931]

The reality is that most businesses and home users don't want to deploy a Certificate Authority to make use of SSL. WEP, WPA, and WPA2 are "cheap" encryption solutions. If you are really worried about it, there are existing cert based solutions available that are independent of the wifi router/access point.

Re:Security vs Usability

[mcrbids]

You don't need a certificate authority to use SSL. SSH works fine without a Certificate Authority. The only value that a Certificate Authority provides is in positively identifying/validating a participant that you didn't previously validate.

The protocol I mentioned requires no certificate, since the public key is being copy/pasted with a mechanism that is otherwise trusted.

Re:Security vs Usability

[Rekolitus]

The TLS standard (effectively SSL 4) mandates that the server present a certificate for perusal by the client. Sure, you can use a self-signed certificate, but then you're not using TLS in a secure fashion.

SSH and Kerberos are not based on SSL/TLS. SSH probably uses similar techniques to SSL, but Kerberos is out there doing it's own wacky thing. See here for an explanation of Kerberos's operation.

Re:Security vs Usability

[mcrbids]

I was talking about setting up a wifi hot spot. SSH is definitely dependent on SSL/TLS, but doesn't use certificates. Look for "For many of its cryptography features, OpenSSH relies on the non-GPL'd OpenSSL library...."

Kerberos uses a dual-key system similar to SSL, but replaces the Certificate Authority in realtime.

Re:Security vs Usability

[Rekolitus]

The OpenSSL library provides a varied array of cryptographic services, not just an SSL implementation. Just because something uses OpenSSL doesn't mean it's SSL-based. I suggest you grep the SSH RFCs for 'SSL' and 'TLS'; you won't find anything of note.

You can get hard passwords

Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm

These are especially good for wireless routers since you normally don't need to type them yourself and they don't get changed that often. (Of course, you should still change them once in a while.)

Re:You can get hard passwords

[mlts]

I personally recommend KeePass for password generation. It can generate 63 char passwords for WPA/WPA2 keys with cryptographically random unpredictability as it uses keyboard/mouse movements as part of seeding. Because its done on the local machine, there is no chance of the password being leaked as compared over the web. With a 63 character password, that is far more entropy than the 128 or 256 bits keys used for AES, so for someone to guess a password of that length, they either have to be able to brute force AES at full strength, or find a weakness in the algorithm's implementation.

I generate a KeePass password, save it to a USB flash drive, then paste it into my router's config. I then take the USB flash drive to the physical machines and do a copy and paste of the 63 char key into their network preferences. This is a lot easier than typing it. Should I lose the key... not hard to fix -- generate another one and rekey the 3-4 machines on my network. Because the WPA/WPA2 key is easily resettable with physical access to the machines, there is no reason to go less than the maximum character length, and it doesn't matter if the password gets forgotten, as long as you remember your router and machine's access passwords. (This for a home network. Businesses should use a RADIUS server where all the machines are not reliant on a single shared encryption key.)

If you have to use fewer characters, I'd say never use fewer than 20 characters, but even that is cutting it thin, factoring in Moor's law, botnets, and usage of GPUs for additional number crunching.

Re:You can get hard passwords

[Deekin_Scalesinger]

I'll second KeePass and its UNIXy-OSXy variant KeepassX (the DB file that it stores passwords in can be read on all three platforms). In addition to its password generating abilities, it makes a handy home for my network/web logins. Sourceforge has both programs in all their gleaming, open source goodness.

Re:You can get hard passwords

[Bert64]

What's amusing, is that devices like mobile phones encourage people to use weaker passwords, as typing a long complicated password into a cellphone is quite a hassle.

Re:You can get hard passwords

[pipatron]

If you run a debian-ish system: aptitude install pwgen

Re:You can get hard passwords

[darkonc]

Yeah, that's great.... But it doesn't work too well for the "I'll set up our 200 unit network for wireless in 2 hours" crowd. Those are the ones who are likely using WPA with PSK and easy-to-type-in passwords.

Re:You can get hard passwords

[thePowerOfGrayskull]

I'm not sure I understand the need. Here, watch: cc09-x5k}d4asedf*&@!liusdf98054fhpw2lxgb94j2-fh0z345j@#[[]{9dx^aDDsic[of9yeSZDt4$566@@DfdsclocvobS(I9x7@(#&$ Seems redundant to use software to do the same thing? I understand the 'extra' security by using keyboard/mouse movement so that the generated password is not predictable. On the other hand, the one I just created is equally unpredictable; I certainly could not generate it again myself. That password is not going to get cracked if I use it, and all the other steps you described could be followed just the same.

Re:You can get hard passwords

[rtfa-troll]

You would trust some random other person's web site to generate a critical password? I admit it's probably better than what many people do, but it's almost certainly not acceptable in a commercial situation.

Other's have already provided some downloadable solutions, but here's a solution which should be available on most modern operating systems. Just get to a command line and type the following.

dd if=/dev/urandom bs=200 count=1 | tr -cd 'A-Za-z0-9!@$#%_'; echo

Use /dev/random if you want even better quality randomness (probably not really needed). Note that you can control the the character set to match the place you are using by editing the tr command and the length by either taking a section of the password or by doing it multiple times and sticking them together. This is nicer than systems which feed through uuencode or base64 in that it should provide an even distribution between different characters in your character set.

On the other hand; should you be trusting a random slashdot poster :-)

Re:You can get hard passwords

[Hork_Monkey]

If you're setting up a 200 device wireless network with WPA PSK, you're doing it wrong.

Re:You can get hard passwords

..no way... that is MY excact password to my wireless router.... how did you guess?!?!?

Re:You can get hard passwords

[tftp]

Your example password is not random. Look at the letters of it, one by one, and you will notice that each next letter is either in direct physical proximity (QWERTY-wise) to its predecessor, or in a similar proximity for the other hand. This is a serious weakness because password crackers will exploit it in an instant.

Re:You can get hard passwords

[Mozk]

There are quite a few q's, c's, and 7's in there. Smashing keys like that isn't quite as random as (pseudo-)random characters considering that most people's fingers lay in a certain area of the keyboard and certain keys are more likely to be pressed.

Re:You can get hard passwords

[xSauronx]

i tried typing my random 63 character password for my wpa-aes network into a ninteno wii with the wiimote...

that mother fucker doesnt have internet connectivity. after *twice* getting the key in perfectly, i dont even care anymore what the problem is.

Re:You can get hard passwords

[BillyBlaze]

Randomly banging on the keyboard clearly produces less than ideal entropy. Case in point, your password contains "asedf", which I'm willing to bet was the result of you drumming the fingers of your left hand. Now, whether it matters for such a long password is another matter, but if you're paranoid enough to use a password like that, you may as well go the extra mile.

Re:You can get hard passwords

[Winckle]

The wii supports USB keyboards, you should give it a try.

Re:You can get hard passwords

[darkpixel2k]

I don't see why I would need software generating a random password for me if I can do it as well just by smashing keys.

In fact, I can see several reasons to not use software to generate random passwords for you.

Some software lacks randomness.
Some software is not open and you don't know what's happening with your secret key.
That's a good reason to not use a web page to generate a secret key.

Re:You can get hard passwords

[brusk]

That's a good reason not to used closed source software or a web page. It's not a good reason not to use Keepass, the program suggested above, which is open source, offline, and has high-entropy random number generation. Saying some software is bad so I won't use any is like saying some clothes are bad so I won't wear any.

Re:You can get hard passwords

[zippthorne]

Why use some shady passgen software when

dd if=/dev/random ibs=1 count=48 | base64 -w 63

will do the job more than well enough?

Re:You can get hard passwords

[Animaether]

yes, but cell phones typically operate on a 3-strikes-you're-out principle. Sure, you *could* hit the right pass in those three tries, or even on the first try, but it is statistically unlikely.
And once you -are- out, you'll need the PUC or PUK ( http://en.wikipedia.org/wiki/Personal_Unblocking_Code ) to get back in - which is not likely something you have memorized at all.. it'll be on some piece of paper that hopefully you saved and stored away securely. If you don't have that code, then the only way back in (in theory, I should say), is to wipe the device clean; at which point the perp can use your phone, but none of your data is going to be on it anymore.

wireless access points really should act the same way... get the password wrong more than 3 times, and lock the MAC address out. Enable MAC filtering so only known devices can get on in the first place - if the MAC is spoofed.. sure, you can't get on anymore either, but you'll know quite clearly that somebody is spoofing you in your vicinity -and- they were trying to hack your access point.
( this does open up mischief, I suppose - so something a bit more elaborate - while still transparent to the user - might be more appropriate )

Re:You can get hard passwords

[InfiniteLoopCounter]

i tried typing my random 63 character password for my wpa-aes network into a ninteno wii with the wiimote...

that mother fucker doesnt have internet connectivity. after *twice* getting the key in perfectly, i dont even care anymore what the problem is.

I wrote my own password generating program that generated a long password. The Wii didn't like the pipe character '|', but was fine with all the other characters. Try replacing it with a capital I or something if it is part of your password.

Re:You can get hard passwords

[Guspaz]

But it doesn't do the job nearly as well as it could. Base 64 is virtually alphanumeric, with only two non-alphanumeric characters. You're not including any punctuation or similar characters, making things dramatically easier to crack.

Re:You can get hard passwords

[ozphx]

I'm not sure what the need is to use some half-baked home made entropy generator (have they even tested it?), when modern OS's have a cryptographically strong RNG avaliable (with an entropy pool, which (at least on win uses key/mouse as part of its inputs).

I mean... test it with the goddamn NIST suite or GTFO imo.

Re:You can get hard passwords

[zippthorne]

Well, someone else posted one which uses tr, which I'll bet is on even more systems than base64.

These are well-known standard tools, and they easily accomplish this very simple task when strung together. Precisely what the unix utilities were designed for.

Do you really trust some niche product's assurances over what are among the most used and reviewed tools, and whose open source implementations are manifold?

Re:You can get hard passwords

[darkonc]

If you're setting up a 200 device wireless network with WPA PSK, you're doing it wrong.

... And your point is????

Re:You can get hard passwords

[X0563511]

Believe it or not, the movements of your hands on the keyboard follow a pattern. This is enough of a pattern for a true cryptanalyst to latch onto and destroy it with.

Your run-of-the-mill script kiddie or even talented hacker.... not so much.

So, technically you are wrong, practically I would say you're good. Heaven help you if they can employ actual mathematicians to crack your network.

Re:You can get hard passwords

[DemoLiter3]

Shouldn't a network with 200 wireless clients be considered ... ummm ... an "enterprise"? Rings a bell? No? RADIUS? EAP?

Re:You can get hard passwords

[russ1337]

you think that is a coincidence,

it is the combination to my luggage!

Re:You can get hard passwords

[jtgd]

I got my random password here.

Re:You can get hard passwords

[martinlp]

So you are essentially trusting Steve Gibson and his website with you passwords, rather get a utility that generates random passwords locally. I have a spare tin foil hat here if you like?

Re:You can get hard passwords

[Maguscrowley]

First, that goes over the 63 printable character limit. Second, losing that key means that you have to reset the device in order to put in a new key and redo all the settings.

For a large network in say a hospital*, this kind of downtime is unacceptable since many essential things, including security systems and mobile stations for taking vitals. I imagine that the fear of this kind of downtime would either be enough to convince people to swallow the cost of installing ethernet wiring or ensure that SOMEONE will be able to remember the password. I'm going to assume that the reason for going wireless is to avoid swallowing that cost, so that leaves them in hoping that the memorable pass can't be formed from a dictionary/combo attack and the ssid isn't on a rainbow table somewhere.

*I remember from my time in a mental institution: fucking everything was connected and dependent on their wifi. Security handsets, the mobile nursing units that were used every day to do our vitals AND commit them to our file [yes, my records were going through wifi ... not cool], front desk information, the security cameras and the like. Note that if you were on suicide watch or had just got admitted, that means that when you took a piss, you could wave to the camera knowing that the image of you was being broadcast on WiFi. Great ... I also, upon being transferred to partial, found that I could move fairly far away from the building, off the premises actually, and could launch an attack. It was WPA. An easy social engineering target (underpaid IT staff) confirmed my observations and reasoning as to the bottom line inspiring the WiFi. Every floor was even the same network, when really there was no reason for the same UNIT to share the same network. The nurses did not have logins, though each unit did. What's more, only the head nurse could "technically" log nurses and mental health staff into the network. The mobile testing stations (dell inspirons with their proprietary software installed and some USB connected medical devices) never left any single unit even!!! There was every good reason to separate the networks except that the entire system was inspired by laziness. I never bothered trying to crack the WPA encryption, because I saw little point in getting into the network. Except maybe getting my file, which cost me $50 to print out ... bastards.

Re:You can get hard passwords

[thePowerOfGrayskull]

I suppose; as long as you're aware that you need to hit different keys, and not "asdfasdfasdf", it seems that that "ideal entropy" becomes irrelevant.

Re:You can get hard passwords

[thePowerOfGrayskull]

Technically true - humans can no more be truly random than computers. But as much as I've heard similar statements to yours, I've not seen anything to indicate anybody actually /has/ found a way to algorithmically determine that kind of password.

There was something on slashdot a while ago about using a typing pattern /instead/ of a password - but even that wouldn't serve to predict a one-time random tapping of the keys.

Re:You can get hard passwords

[UnderCoverPenguin]

With a 63 character password, that is far more entropy than the 128 or 256 bits keys used for AES

Except that those 63 characters are being distilled down to those 16 (or 32) bytes of key material.

Re:You can get hard passwords

[darkpixel2k]

That's a good reason not to used closed source software or a web page. It's not a good reason not to use Keepass, the program suggested above, which is open source, offline, and has high-entropy random number generation. Saying some software is bad so I won't use any is like saying some clothes are bad so I won't wear any.

Agreed--but using software that does nothing to increase security is bad too.

Are there any studies out there that say using a random password generator is more secure than me attempting to smash a spider on my keyboard and using that? At some point, what's the difference if you are using a 25-character random password generated by software, or spider smashing?

In fact, I'd bet mine is more secure--as much as I hate them, Spiders seem to provide good entropy.

Re:You can get hard passwords

[ThePromenader]

"cc09-x5k}d4asedf*&@!liusdf98054fhpw2lxgb94j2-fh0z345j@#[[]{9dx^aDDsic[of9yeSZDt4$566@@DfdsclocvobS"

...you can do the same thing without all the cussing.

Re:You can get hard passwords

[RichiH]

No one should ever trust a third party for generating their passwords. For no reason. Get pwgen.

Re:You can get hard passwords

[RazzleDazzle]

What about an enterprise of say over 2000 access points in a single network where most of the APs talk to each other for their backhaul connections? Doing PSK is really your best and only bet there. Of course one would hope and expect that the PSK in this type of scenario would be very secure.

Where might this type of network exist you ask? You might check out the successful wifi network in Minneapolis. Of course the actual end users have two assosciation choices with regard to wifi security. The wide open unencrytped SSID and the fully encrypted 802.1x + PEAP/EAP-TTLS.

Re:You can get hard passwords

[sigxcpu]

my scheme for semi-random hard to guess passwords is
$ date | md5sum
74c00fbcc57e789e98b5b13d62adad65

esp good when you can cut&paste the password

Re:You can get hard passwords

[squiggleslash]

Exceptionally bad though if someone knows you generally do this, and is determined to access your network, as you've essentially reduced the number of possible passwords to a 32 bit number.

Re:You can get hard passwords

[CatsupBoy]

dd if=/dev/urandom bs=200 count=1 | tr -cd 'A-Za-z0-9!@$#%_'; echo

Damn, i keep getting the same password: "1+0 records in"

Re:You can get hard passwords

[dougmc]

I would never trust a website to generate my passwords. Sure, it's SSL encrypted, but there's nothing to prevent the web site from logging all the passwords it generates.

Now, the website wouldn't know where each password was being used (though it might also log IP addresses, which might be of some use) but all a cracker would have to do is throw in all the passwords it's generated into their dictionary. Perhaps it's generated 50,000 passwords -- when your password generator does 500,000/second, that's only 0.1 seconds more.

And then there's always the possibility that the passwords aren't really random. Being a web site, the source is closed. Even if they give you the source, it's still closed, because you have no way of verifying that the source they gave you matches the source of what they're actually running.

Either way, it's a risk I'm unwilling to take. Using a program to generate passwords is fine, but make sure it's running under your control. It's also nice if it's open source, so you (or others) can verify that it doesn't do anything funny. I'm not really qualified to critique cryptographic software myself (except for simple stuff), but it's reassuring that others out there will also be looking at it.

Re:You can get hard passwords

[Hork_Monkey]

Cisco Wireless LAN Controllers?

The AP's are basically dumb devices that obtain their config from central controllers. You can create a hierarchy to deploy policies and configurations. It also scales into the thousands.

Re:You can get hard passwords

[brusk]

When you smash a spider, you are VERY likely to bash several keys near each other on the keyboard, and you are VERY unlikely to input characters that involve multiple-key combinations (and even more unlikely to use characters that are not directly accessible on your keyboard). So it would be possible to create a dictionary of "spider-bash space" -- those combinations possible/likely by smashing a QWERTY keyboard -- which would be orders of magnitude smaller than the entire universe of truly randomly-generated keys.

In any case, there's NO way your spider-bash method is MORE random (and thus more secure) than a random number generator for which every combination has an equal likelihood.

Re:You can get hard passwords

[dnoyeb]

Which is exactly why I don't get it. Ethernet networks are rarely unsecure. You cant just plug into the port and get instant access to all the servers, etc. So who cares if the wireless network is exposed or not. Your only giving out free internet access at best. If not, your not giving out anything because your servers are already secure...

I use WPA-PSK at home with one of my standard passwords. I don't see it as a big deal.

Re:You can get hard passwords

[ultranova]

Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm

So let me get this straight: you're recommending I set my password to what some dude on the Internet is telling me to, and who can trivially connect it to me since he knows the IP address it was sent to ? And the dude, who's presumably advocating this practice since he's going out of his way to enable it, is supposedly a security expert ?

Suddenly, in a flash of pure black light, it dawned on me: all hope is lost. We are doomed.

...Unbelievable. Just plain unbelievable.

Re:You can get hard passwords

[PReDiToR]

This is either utter ignorance, or a mediocre troll (in the nicest way, of course).

Firstly, get rid of this idea of a "standard password". Get PasswordHasher and use your NEW standard password to access some highly complex passwords at no extra brain power.

Next, your next door neighbour can't plug into your router from their sofa if you use a cable and see you moving home pr0n between your laptop and your desktop.
If you're using WiFi then all that lovely data could be shared with them, if they have a sniffer program running and your network key.

Other things that go over your network in plain text that could be sniffed by your neighbour: Notice the httpS:// on Slashdot.org? Me neither. Your password would have been in a packet that they sniffed. Same for any site you visit. URLs to your bank, your fave pr0n sites, the software you're using and which versions. If they are as good as me (and I'm not even that good at this crap), they could wait for your browser to look for an update, have an already altered version of the last update with a backdoor in it, hijack the DNS request and punt you a file that rootkits your box. If your post wasn't a troll, you might need this: Rootkit.

Seriously, why do you think everyone talks about wireless security as if it was important? Are you the only one that is "in the know" and they are all wrong?

Exceptions do apply. NX, VPNs, SSH, and other encryption can be sent over totally open WiFi because the encryption is done before stuff hits the network card.

Re:You can get hard passwords

[Schraegstrichpunkt]

What's the problem? It's a password with 384 bits of entropy.

Re:You can get hard passwords

[thePowerOfGrayskull]

I'm not sure I follow? I wasn't equating entropy to repetitions - when a human is 'randomizing' there's no such thing as entropy. But when a human is randomizing, that becomes irrelevant. In the end, I guess that's my point...

Re:You can get hard passwords

[darkpixel2k]

When you smash a spider, you are VERY likely to bash several keys near each other on the keyboard, and you are VERY unlikely to input characters that involve multiple-key combinations (and even more unlikely to use characters that are not directly accessible on your keyboard).

I guess you've never tried to smash a camel spider.

You hit every key on the keyboard trying to kill one of those bastards.

Re:You can get hard passwords

[skeeto]

Your key smashing doesn't produce as much entropy as you think. In fact, there is very little entropy in there at all (there are patterns and many repeated characters), and is probably equivalent to just a few randomly generated printable characters.

However, it is true that you don't need software to generate a good password. Use Diceware.

Re:You can get hard passwords

[blhack]

Find me a radius client that will run on my 1990s era Intermec handhelds and I'll buy it.
Find me some wireless handhelds with GOOD barcode readers that have a 5250 client and the ability to run a Radius client (or a VPN client) and I'll buy those.

Re:You can get hard passwords

[geirnord]

I don't crack WPA passwords, I read them using http://nirsoft.net/utils/wireless_key.html.

Cracking is for whimps :-)

Re:You can get hard passwords

[JThundley]

I recommend gpg for password creation:
gpg --gen-random 1 16 | gpg --enarmor | sed -n 5p | cut -c -22

Re:You can get hard passwords

[Guspaz]

The problem is that you can trivially do MORE in the same amount of space. There's no harm in including more printable characters.

Re:You can get hard passwords

[timmyf2371]

I think the parent was referring to the fact that the proliferation of mobile devices, such as cell phones, encourages users to use less secure (shorter) passwords, as these are easier to enter using a non-standard keyboard.

But in response to your point, the codes you're talking about only relate to the SIM card. If you forget the password (PIN) to the SIM card after three tries, then you need to get the PUK but this can typically be retrieved by the network. The actual mobile device, unless you're using a separate manufacturer supplied locking mechanism, remains unaffected by this.

Re:You can get hard passwords

[Mr.+Slippery]

Ethernet networks are rarely unsecure. You cant just plug into the port and get instant access to all the servers, etc.

You can plug into an Ethernet LAN, set yourself into promiscuous mode, and see all the data - such as passwords - that goes back and forth along the network. An Ethernet network is not secure.

So who cares if the wireless network is exposed or not. Your only giving out free internet access at best.

You're giving out every bit of information that goes over your network.

Re:You can get hard passwords

[cornjones]

OK, I can only hope that he, like many (myself include) was firewalling his wifi from his ethernet network.

I actually have 3 networks. The DSL router has complete open wifi as I believe in free wireless. Mine is cool enough to shape my traffic as higher priority (I don't mind sharing but i *am* the one paying for this). Then a wireless gateway with WPA for my local roaming use. This dmz network has specific holes poked in the backend firewall for certain uses (streaming video/music from the fileserver). Then behind the firewall, i have my fixed/wired machines.

hmmm... i really had no need to post that. I guess I am just trying to avoid work...

Re:You can get hard passwords

[PIBM]

If you are out there relying on heaven help ... I believe it's too late :)

Re:You can get hard passwords

[Lord+Kestrel]

Ethernet networks are rarely unsecure. You cant just plug into the port and get instant access to all the servers, etc.

You can plug into an Ethernet LAN, set yourself into promiscuous mode, and see all the data - such as passwords - that goes back and forth along the network. An Ethernet network is not secure.

Only if the network was designed by a complete idiot, or someone who just doesn't care about security.

Re:You can get hard passwords

[brusk]

You should probably be smashing it with the keyboard.

Re:You can get hard passwords

[Mr.+Slippery]

Only if the network was designed by a complete idiot, or someone who just doesn't care about security.

How do you intend to design a network to prevent this? Security (if any) on such a network comes at the application level, not at the transport level. Barring link encryptors - which are quite rare - if you have an Ethernet and your applications use unencrypted connections, anyone with physical access to the cable can see the packets going to and from every host on that segment.

Ethernet networks are rarely secured. Fortunately, the applications that use those networks are more often secured.

Re:You can get hard passwords

[RockDoctor]

Seriously, why do you think everyone talks about wireless security as if it was important?

The same question has occurred to me regularly too. Why do people think wireless security is important? I don't use wireless because I don't trust it. So it's security is unimportant. End of problem.
My last laptop came with a removable wireless card. So I removed it. End of problem.
My current laptop has a switch for switching off the wireless (and BlueTooth); switch that off. End of problem.
My work's laptops ... well, wireless doesn't work too well through steel-plate walls. And when we're handling explosives, all the radio transmitters go under lock and key anyway. End of problem.

Re:You can get hard passwords

[MrResistor]

These things are pretty trivial to write.

If you're paranoid enough that you don't trust rand(), writing your own random number generator isn't that hard (the hard part, determining good magic numbers, has already been done for you).

Re:You can get hard passwords

[rtfa-troll]

UUEncode does not guarantee even use of characters. You lose some randomness. Within an 8bit character set and assuming /dev/random is working right, my code gives perfectly even spread (I hope :-). Also, the UUEncode solution limits you to only certain characters which may be less than are available for your password or may be more than you want. Not that that matters compared to using your dogs name as a password :-) It does matter, however, against people like Elcomsoft who will use absolutely any weakness they can find to help you "recover" your password.

Re:You can get hard passwords

[rtfa-troll]

Damn. I didn't think anyone would spot that. Oh well back to the drawing board Pinkey. :-)

Summary is quite silly!

[Qwavel]

Businesses that are serious about their security use one of the many types of WPA-Enterprise. The method described in this article only applies to WPA-Personal which is targeted at home users.

Those businesses that do use WPA-Personal can simply institute a policy that requires better passwords to secure them against this exploit.

Some businesses will continue to use WPA-Personal with poor passwords, and that's fine, but those businesses are probably not too worried about security and have many other bigger vulnerabilities.

So, the claim that "this anouncement effectively signals the death of wireless networking in business networks" is ridiculous.

Re:Summary is quite silly!

[Chabil+Ha']

So today I feel a bit pedantic, so let's burn some karma:

First, The terms "WPA-Enterprise" and "WPA-Personal" are inventions of Apple (or at least used by them) to describe what is really going on ('cause, hey, why use crazy acronyms?).

"WPA-Personal" refers to WPA-PSK (pre-shared key) meaning that in order to get into the network all you need is a password. This means the single password is used by everyone to join the network.

"WPA-Enterprise" refers to using 802.1x authentication, which means you have a set of users setup in LDAP or ActiveDirectory to validate who you are. This means that access control is done on who you are, not some generic password (WPA-PSK) that everyone passes around. You use your credentials to get access. A RADIUS server acts as the liaison of asking LDAP if the supplied UID/password are correct and do they have the permissions to join the AP. If so, the RADIUS server signals the AP that they are clear to join the network. Certificates are thrown in there to ensure that network is who they say they are.

Now, what the article is talking about is the WPA-PSK problem of people setting goofy short password and passing them out to anyone who needs access to the point. This is insecure in and of itself, but isn't wise because all you have to do is hack that one password and you are in. Or even scarier, someone malicious could publish that key and the network would be none the wiser. The method outlined here could be mitigated by going to the 802.1x method of authentication where you would need to use a UID *and* password to get it, greatly increasing the difficulty of getting in.

Hype-Sicle

[sarkeizen]

Weird that this article seems to call down doom for WPA in general and particularly in the enterprise.

a) 100x increase, even using 10,000 machines seems insignificant if you are using the maximum WPA key length employing uppercase, lowercase and punctuation? Even a 30 char password seems to last far longer than most of us will be alive. So at worst all this changes is the minimum key length that can usefully be employed on WPA.

b) In the enterprise in my experience you either use no encrypting and rely on protection at other layers (VPN, SSL, etc) or you use a RADIUS based system that hands out a new key for each session. This seems even less likely to be affected by this. Unless...and I admit I've never checked this...they keys being used have some weakness (short, not very complex, etc...) which, again at worst seems to be a wake-up call for hardware vendors if nothing else.

So wrt wireless this is interesting but hardly industry changing.

Re:Hype-Sicle

[Tuoqui]

You're forgetting how many zombie computers there are in existence that can be used at a hacker's whim to crack such... But that aside being able to use processing power on other things like PS3's and what not could help speed things up particularly if you can make their GPU's do what you want as well.

Re:Hype-Sicle

[Captain+Segfault]

You're forgetting how big 2^256 is.

Re:Hype-Sicle

[sarkeizen]

You're forgetting how many zombie computers there are in existence that can be used at a hacker's whim to crack such.

What I'm actually doing is addressing the actual article. The software itself boasts a theoretical maximum of 10'000 nodes.

Now if for some reason you're making up a completely different question and trying to apply my answer to it. It's a) Understandable why you're confused and b) weird how you're still wrong.

Assuming we are still talking about brute forcing WPA and we will also assume that this can be done by distributing a packet capture of some adequate size. So they don't all have to be in range of the same AP system.

Kraken is, as far as I know the largest documented botnet. It comes in around 400,000 machines. Now let assume a worst case scenario. All of these machines are capable of 60 000 cracks/second, all of them have four of these GPU cards in them giving them a 100x speedup. And that this process can scale almost perfectly linearly. Given that WPA has a max key length of 256 bits. A brute force attack would take: (((2^256) / 2400000000000)/31536000) years to complete. Google's calculator shows this to be: 1.52989294 * 10^57

So again....I'm not worried.

We're okay

Hah! My company is okay- we're only using MAC filtering for our security, none of this insecure WEP/WPA crap.

Re:We're okay

So all I have to do is listen to a couple of packets, set my machine to use one the MAC addresses on your network and I am in? Cool. Now I just need to figure out where the headquarters of "anonymous coward, inc." is.

Re:We're okay

[hvm2hvm]

It seems you replied before the moderators made the GP +funny. Can anyone here realize that a post is supposed to be funny without looking at the rating?

PS: I'm too new here to use the 'whoosh' response

Re:We're okay

[K-Man]

No way. My Macbook has the MAC printed on the label inside the battery compartment. Obviously it can't be changed.

The important thing is,

[Vadim+Makarov]

can I get this software on The Pirate Bay? It's not like breaking into neighbour's network to use it for free is going to be worth an EUR 600 investment.

Already GPL'ed ...

All of this is already available as a GPL'ed tool that has been out for about a month. See http://pyrit.googlecode.com

SSL keys aren't entered by hand

[Joce640k]

....that's the difference.

So long as people use convenient passphrases for their security then no amount of fancy algorithms will save them.

This realization is why the US Government eventually dropped all the regulations they used to have on exports of strong encryption.

Re:SSL keys aren't entered by hand

[Kjella]

This realization is why the US Government eventually dropped all the regulations they used to have on exports of strong encryption.

They did that because the algorithms were trivially available outside the US and everyone that really needed to use them used them anyway, while US companies were struggling for no good reason. They would have loved to keep the restrictions in place but it just wasn't feasible.

Re:SSL keys aren't entered by hand

[ciderVisor]

So long as people use convenient passphrases for their security then no amount of fancy algorithms will save them.

A passphrase can be both convenient and strong. So long as you use a combination of single letters, symbols and numbers, you can create strong passwords that can only be cracked using brute-force methods. You can use multiple dictionary words and still be unable to use a dictionary attack, so long as you intersperse single random characters. Consider this:

Slashdot_is_OvEr9000_of_my_F4v3_websites:*^*EVAH*^*!!1!!

Convenient and memorable, yet as strong as a random string of characters of the same length.

Wireless isn't secure????

[ConfrontationalGrayh]

One word. RADIUS Try googling "cracking RADIUS" sometime and see how much information you can find.

Re:Wireless isn't secure????

[Krabbs]

"cracking RADIUS" is two words.

Re:Wireless isn't secure????

[SCPRedMage]

Now, see, proper punctuation would've prevented this bout of confusion. "RADIUS" was the one word, and "cracking RADIUS" was part of a follow-up.

Re:Two steps behind...

[HAKdragon]

I'm in the same boat, but because Nintendo has decided not support any form of WPA on the DS for some reason.

..since as we know, ...

[Marcika]

... Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

Re:..since as we know, ...

[Tubal-Cain]

Obligatory Dilbert.

I can't find the one where Mordac changes Dilbert's password to "the entire text of The Da Vinci Code, except the parts he doesn't believe".

Re:..since as we know, ...

[Sanat]

http://dilbert.com/fast/2005-08-01/

Bullshit, FUD and the worst summary I've ever read

Using GPUs to crack is not "new", it's a well known tachnique. Furthermore, an increase of a factor a 100 is insignificant relative to the number of years it would take to crack a key, hence the crypto is not weakened, dispelling their whole "death of wireless networking" doommonger bullshit. The only thing this actually does is speed up already feasible attacks against bad passphrases, nothing new, and certainly not a "breakthrough".

Please send me your password, so I can verify ...

[PolygamousRanchKid+]

My Dearest Friend,

I am the Minister of the Nigerian Ministry of Butt-loads Of Networked Nvidia PCs (NMBNNP). We would like to test this software, but in order to determine if the software has successfully cracked the password, we need your login password, so that we can verify.

Afterward, you will be granted unlimited access to the NMBNNP grid.

Oh, and please send your bank information, as well.

I'd trust 3DES more than AES

[Joce640k]

DES is one of the most analyzed algorithms in history and no weaknesses have been found. The key for 3DES is plenty big enough to prevent brute-forcing.

AES has some advantages (eg. speed) but 3DES is as secure as it gets.

Re:I'd trust 3DES more than AES

[the_B0fh]

Umm, you should probably talk to IBM. When they were designing DES, NSA told them "block out that keyspace". It wasn't until a few years back that we understood why - that particular chunk of keys were more vulnerable. NSA knew about it when IBM was designing DES. I'm spectacularly impressed by their publicly stated "We will be 7 years ahead of any commercial cryptography blah blah".

Re:I'd trust 3DES more than AES

[pyite]

AES has some advantages (eg. speed) but 3DES is as secure as it gets.

Are you nuts? 3DES is by no means "as secure as it gets." It's a hack. Its strength maxes out at 112 bits due to the true DES key length combined with a meet in the middle attack. The Triple DES Wikipedia Entry states, "NIST considers 3-key TDES to be appropriate through 2030." Honestly, 2030 is not that far away.

yeah right

[Lord+Byron+II]

wpa2 with a shared key is only crackable with a brute force attack. Assuming that an alphanumeric character is used for each character of the attack, then for a key of length 8 (the minimum) the attack takes 26+26+10+10=72^8 (lowercase+uppercase+numbers+shifted num keys) time which is 7x10^14. A factor of 100 isn't a big deal - it reduces it to 7x10^12.

Even worse, if the key is longer than the minimum, say 14 digits, then the number of brute force keys are 1x10^26 and improving that to 1x10^24 isn't going to make much of a difference at all.

Where I work, we call this FUD

[Roskolnikov]

The WIFI at my workplace is available, there is little if any security and the traffic isn't encrypted; why? well it has always been associated with being insecure, so when WIFI was rolled out it was placed on the Big I instead of the little i and to get anywhere internal you must bring up a VPN tunnel to work, add some poisoned routing information on both sides to account for the networks being used (internal versus internal) and you have some hope of preventing someone from bridging i to I.

You shouldn't use WIFI for anything that you wouldn't want to share openly and even if you believe that what you are doing is secure you should know that someone could still be capturing your session and working on it offline; the vendors haven't helped either, most wireless routers will 'work' right out of the box, purchase at worst-buy, plug it into your cable modem and in 60 seconds your on, I can't tell you how many networks I've found this way, most still have the default admin account set (just google the model number being advertised by the network)
and your in....

Re:Where I work, we call this FUD

[WuphonsReach]

when WIFI was rolled out it was placed on the Big I instead of the little i

So someone can sit out in the parking lot, or a neighboring building and hijack your connection to the big internet?

That'll be amusing when the feds come knocking on your front doors looking for the person sending and receiving illegal content.

(I don't know which is scarier some days... hackers bypassing the firewall or snooping on internal communication, or the risk of abuse and getting investigated by the authorities.)

Munitions

[nurb432]

Just declare GPU's a munition ( like supercomputers are ) and restrict access/require registration.

Then incorporate chip level DRM/TPM so only 'approved' applications can run.

Hey, its for the children, right?

Re:Munitions

[Bryan_W]

Just declare GPU's a munition ( like supercomputers are ) and restrict access/require registration.

Then incorporate chip level DRM/TPM so only 'approved' applications can run.

It's comments like these that require a +1, Scary moderation

Nothing special

[PingXao]

Their approach seems to be doing nothing but speeding up brute-force searching for the key. If it's a "bad" key, like a simple word, this will speed up the search greatly. If it's a "good" key then speeding up the search 100 times is, for all practical purposes, meaningless. Get back to me when you've achieved a 100 * 100 * 100 * 100 * 100 * 100 *100 * 100 faster search.

The wireless weakness is in the flesh

[louarnkoz]

The flesh of the wireless user, that is. Or their brains. With the "personal" version of WPA or WPA2, the user enters a password or a passphrase, and the key is essentially a sophisticated hash of the password. As many have already pointed out, the article basically describes "automated password guessing". This is basically the same tool that we used in the old days to "recover" passwords from the hashes in the password file. Try a password, check if the hash match. Repeat with many plausible passwords. With more CPU, or with parallel processing in the GPU, they can make much more elaborate guesses than simply trying all the words in the dictionary, or adding numbers, or changing cases. In these days and age, anything that relies on a password or a passphrase and exposes a hash should be viewed with suspicion. If the key was generated by a meat-based processor like your brain, then it can certainly be discovered in a "small" number of guesses, where small is millions or billions, i.e. small for the computer. In fact, if your brain can remember the key, it can probably be discovered. This does not just apply to wireless. Pretty much anything based on passwords or passphrases should be considered insecure. -- Louarnkoz

The BEST key...

[Colin+Smith]

-1

 

What moron was doing this anyway?

[shaitand]

How many morons were actually using wifi on business networks anyway?

Bad news for personal networks, not companies

[mrbah]

Businesses that implement 802.11 use 802.1x authentication anyway, so a more feasible attack on WPA is more likely to be a threat to personal networks than corporate ones (most of which don't use wireless anyway).

Re:Newsflash: Most "Business Networks" Aren't Secu

[the_B0fh]

Please, why are you inserting logic into a security discussion? What we need is MORE security theater please, because that will stop the terrorists!

Open Source Framework released at DEFCON

[dr.ka0s]

These guys are late to the party.

FYI, Adam Bregenzer released an open source framework at DEFCON this year that provides pseudo-automatic multithreading, distributed password cracking capabilities AND takes advantage of existing commercial cloud computing services (ala Amazon, et. al.). The framework is easily adaptable to any number of computationally intensive applications, though he provided hard numbers and demonstrations from his work using coWPAtty and John the Ripper.

https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Bregenzer

Also

[Sycraft-fu]

A "100x" increase in the speed of cracking an encryption system is not necessarily impressive, or indeed meaningful.

It sounds like a lot, and would be if it were a situation of "It used to take 100 years to crack a password, now it takes 1." Ok well that just moved the problem from something impossible or at least totally worthless (the technology will be outdated by the time you get the answer) to something potentially useful for a determined attacker.

However, that isn't the sort of timescale we are talking about for modern encryption. We are instead talking about amounts of years that are generally expressed with exponents. Ahh, well now that changes things. If an encryption system currently takes 10^14 years to crack and you've sped up cracking 100 times so it now only takes 10^12... Well that still doesn't get you anything. You are talking many times longer than the universe has been around. Even an increase of 1,000,000 times doesn't get you anywhere near anything useful.

So while announcements like this are cool in an academic sense, they have no real application or threat.

Data/Content value....

[OldHawk777]

Wireless will always be used.

There is low/no value content.
Most internet traffic....
Wireless no WPA....

There is transient value content.
There is personal value content.
Some internet traffic....
Wireless WPA....

There is institution/state content.
There is criminal/paranoid content.
Keep it on trusted/secured cable.

Most intelligence has a very short actionable lifecyle....
Intelligence with a long shelf-life will be controlled or used.

Not correct

[omuls+are+tasty]

SSH is not dependent on SSL/TLS - it's just that one particular implementation of SSH (OpenSSH) is dependant on the OpenSSL library for its cryptographic primitives.

More details

Re:Dear script kiddie

[RiotingPacifist]

what wireless chipset are you using?

Use PGP/GPG to generate a new key

[Chris+Tucker]

Sodding lameness filter won't let me post a 2048 bit PGP public key as an example.

(NOT my public key, by the way. One just generated a few minutes ago as an example.)

Re:Use PGP/GPG to generate a new key

[Slashcrap]

Sodding lameness filter won't let me post a 2048 bit PGP public key as an example.

How is posting 2048 bits of random garbage not lame? You'd better hope they never implement a stupid ideas filter because you're posting career will be over.

Re:Use PGP/GPG to generate a new key

[Chris+Tucker]

OW! I'm SO not going to the prom with you!

My reason for attempting to post that was to get an opinion from any experts as to potential "weakness" of it as a password.

But DO keep posting such helpful and courteous comments. They help maintain the polite tone and high level of informative discourse that makes Slashdot the shining beacon of Fact and Truth on The Internet.

Who DOESN'T use a VPN?

[gelfling]

And by who, I mean non-retard who.

I live in NYC..

[cculianu]

... and it's nealy impossible to find an unencrypted network. Everyone knows that they need to encrypt or their internet connection will be hyper-abused by strangers.

Even the "free wireless" cybercafes have a daily changing password to prevent abuse from the people living above the shop, etc.

So yeah, in NYC people are definitely smarter about it than in the sticks..

Company where I work had WiFi encrypted for years.

[Ungrounded+Lightning]

Cracking WEP/WPA will hardly be the end of business WiFi.

For instance: The company where I'm working has operated for years on the assumption that WiFi's own encryption is just a warning sign and trivially broken.

They have the WiFi on its own subnet with its own firewall. Get on (with the WEP key) and you can only reach the nameserver, VPN server, and SSH server. Use an encrypted tunnel or you might as well be standalone.

WPA-PSK is NOT broken, this affects VPN more

[George_Ou]

This is NOT a Wi-Fi Protected Access (WPA) specific attack; it's for any authentication scheme that relies on PSK or Password complexity which affects many VPN solutions as well. If anything, WPA probably has one of the more resilient PSK schemes in use because it was deliberately designed with 100 rounds of SHA-1 hashing to make brute force attacks much more expensive. This affects some VPN and some WPA wireless security implementations.

It generally affects home users who use the home implementation of WPA which uses pre-shared keys (PSK) which are just longer passwords. Some businesses also use WPA in PSK mode so they're affected to. Some VPN authentication mechanisms like PPTP VPN and some IPSEC VPN implementations that rely on passwords or PSKs are also at higher risk.

It has zero affect enterprise mode WPA deployments which use TLS protected authentication such as PEAP or EAP-TLS. Internal LAN authentication schemes such as NTLM and LDAP are also significantly weakened. SSL authentication schemes are not vulnerable to this particular attack.

http://www.formortals.com/Home/tabid/36/EntryID/119/Default.aspx

Easy

[aepervius]

People which use weak password, never use combination of lowercase/uppercase. They mostly use lowercase. 26^10=141167095653376 ; combine that with the fact that they use name of kids, name of parents, name of pets, and even if not not all combo are represented in the space : you go down to what is "readable" for example "pollux" is probably more represented among weak paswword than "gpkqwxz".

Comment removed

[account_deleted]

Comment removed based on user account deletion

So what this means is...

[acb]

if the Russian Mafiya decides to devote a few hours on a 500,000+-machine botnet to cracking your WAP password, you're screwed.

Which is not really news. If you're sufficiently important a target to merit such attention, you should probably be taking a lot more precautions than WAP encryption in the first place, though it doesn't scale to drive-by attacks on random low-value targets (i.e., the average user). If the payoff is merely probing your network, sending spam from your ISP account and/or pwning your unpatched Windows PCs, your WAP network is safe for now.

Re:So what this means is...

[TelcontarX]

Sure, everyone important enough to warrant the attention always uses good security. Like.. say.. a US vice-president candidate?

large networks...

[leuk_he]

For large networks you use a radius server. not a pre shared keyword.

If you want better updatime you go with cabeling anyway, because wireless can fail without ginving a clue what is going on.

It is a misunderstanding that with wifi you don't have any connection problems because there are no cables.

I second that

[marcosdumay]

KeePass is an excelent tool for creating and keepng track of passwords. It is multiplataform, easy to use, portable (on the "no instalation required" sense), uses a simple file oriented database protected by common libraries and can keep a lot of informations about each password, what includes a quite porwerfull hierarchical organization for them.

Just a small rant: Can't those multiplataform tools use /dev/urandom where it is available? Some systems already have a tool that turns mouse and keyboard events into randomness, and it is better than yours since it is always on and can work with a much bigger amount of events.

Re:I second that

[ForestDemon]

i'll third that. been using KeePass for over two months and very pleased with it's capabilities and functionality.

Palin? Is that you?

[h.ross.perot]

That's Vice-President Palin to you ... ;)