Thread: ALERT: WPA isn't necessarily secure
View Single Post
  #2 (permalink)  
Old 11-20-2006, 10:33 PM
chicagofan
Guest
  
Posts: n/a
Default Re: ALERT: WPA isn't necessarily secure
Does this apply to WPA2 as well? Mine is 28... should I make it 32 or more?
bj


John Navas wrote:
> SUMMARY:
>
> WPA-PSK is vulnerable to offline attack.
>
> TO AVOID THE PROBLEM:
>
> USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
> BAD: "vintage wine"
> GOOD: "floor hiking dirt ocean"
> (pick your own words, even longer is better)
> FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.
>
> BACKGROUND:
>
> Weakness in Passphrase Choice in WPA Interface
> By Glenn Fleishman
> By Robert Moskowitz
> Senior Technical Director
> ICSA Labs, a division of TruSecure Corp
> <http://wifinetnews.com/archives/002452.html>
>
> ...
> The offline PSK dictionary attack
> ...
> Just about any 8-character string a user may select will be in the
> dictionary. As the standard states, passphrases longer than 20 characters
> are needed to start deterring attacks. This is considerably longer than
> most people will be willing to use.
>
> This offline attack should be easier to execute than the WEP attacks.
> ...
> Using Random values for the PSK
>
> The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
> number for human entry; 20 character passphrases are considered too long
> for entry. Given the nature of the attack against the 4-Way Handshake, a
> PSK with only 128 bits of security is really sufficient, and in fact
> against current brute-strength attacks, 96 bits SHOULD be adequate. This is
> still larger than a large passphrase ...
> ...
> Summary
> ...
> Pre-Shared Keying is provided in the standard to simplify deployments in
> small, low risk, networks. The risk of using PSKs against internal attacks
> is almost as bad as WEP. The risk of using passphrase based PSKs against
> external attacks is greater than using WEP. Thus the only value PSK has is
> if only truly random keys are used, or for deploy testing of basic WPA or
> 802.11i functions. PSK should ONLY be used if this is fully understood by
> the deployers.
>
> See also:
> Passphrase Flaw Exposed in WPA Wireless Security
> <http://www.technewsworld.com/story/32070.html>
>
> Wi-Fi Protected Access. Security in pre-shared key mode
> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
>
> Cracking Wi-Fi Protected Access (WPA)
> <http://www.ciscopress.com/articles/article.asp?p=369221>
> <http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>
>
> WPA Cracker
> <http://www.tinypeap.com/html/wpa_cracker.html>

Reply With Quote