10-12-2005, 05:09 PM
Jeff Liebermann
Re: best practices to secure home's network

On Wed, 12 Oct 2005 12:00:25 GMT, neillmassello@earthlink.net (Neill
Massello) wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
>> If the user selects a WPA pre-shared key that's longer than 20
>> characters (63 chars maximum) and is not found in a typical word list
>> dictionary, then WPA-PSK is fairly safe from dictionary attack.


>Assuming that an attacker does guess the WPA passphrase, however long or
>random it is, what does that get him? Will he then be able to decrypt
>all traffic to and from all clients on the wireless network?


Yes. With WPA-PSK, the pass phrase is the decryption key. If the
attacker can recover the WPA-PSK phrase, he can:
1. Impersonate an existing user.
2. Sniff all traffic and recover embarrassing documents and plain
text passwords from other users.
3. Run the recovered WPA key on the capture log and recover the
contents in unencrypted form.
4. Inject spoofed or counterfeit traffic.
5. Instigate denial of service attacks.
6. Bypass all the firewall rules (because he's on the LAN side of the
firewall).
7. Provide business for network security consultants.

Note that with WPA-TKIP and WPA-RADIUS, the WPA encryption key is
unique by the connection. There is no system wide common pass phrase.
Therefore, the attacker would need to recover each key for each user
individually. Since this is a temporary key that is rather long,
changes often, and changes with each session, chances of recovering
this key are minimal. Even if the key were recovered, it would not be
useable for the aforementioned exploits.

You should read the references supplied by John Navas. There's quite
a bit in there on how it all works and what can go wrong, go wrong...

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

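An added example, not part of the original post: WPA-PSK derives its 256-bit pairwise master key from the passphrase and the SSID alone (PBKDF2-HMAC-SHA1, 4096 iterations), so every client holding the passphrase computes the same master key. The sketch below shows that derivation and audits a passphrase against the "longer than 20 characters, not in a word list" guidance quoted above; the function names and the tiny word list are constructed for illustration.

```python
import hashlib

# Constructed sample word list; a real audit would load a large dictionary file.
SAMPLE_WORDLIST = {"password", "letmein", "wireless", "linksys"}


def derive_pmk(passphrase, ssid):
    """Pairwise master key as WPA-PSK computes it from passphrase and SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def audit_passphrase(passphrase, wordlist=SAMPLE_WORDLIST):
    """Return a list of findings; an empty list means no objection."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid: WPA passphrases are 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("invalid: printable ASCII only")
    if len(passphrase) <= 20:
        findings.append("weak: not longer than 20 characters")
    # Catch a dictionary word with digits or '!' tacked on either end.
    core = passphrase.lower().strip("0123456789!")
    if core in wordlist:
        findings.append("weak: based on a word-list entry")
    return findings


if __name__ == "__main__":
    # The PMK depends only on (passphrase, SSID): nothing per-user goes in.
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("Password123", "q7#Lm2vX9!tR4bZ8wK1sN6pY"):
        print(candidate, audit_passphrase(candidate) or "ok")
```

Because the SSID acts as the salt, the same passphrase on a differently named network yields a different master key, but nothing in the derivation distinguishes one user of a network from another.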