ALERT: WPA isn't necessarily secure

SUMMARY:

WPA-PSK is vulnerable to offline attack.

TO AVOID THE PROBLEM:

USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
BAD: "vintage wine"
GOOD: "floor hiking dirt ocean"
(pick your own words, even longer is better)
FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.

BACKGROUND:

Weakness in Passphrase Choice in WPA Interface
By Glenn Fleishman
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
<http://wifinetnews.com/archives/002452.html>

...
The offline PSK dictionary attack
...
Just about any 8-character string a user may select will be in the
dictionary. As the standard states, passphrases longer than 20 characters
are needed to start deterring attacks. This is considerably longer than
most people will be willing to use.

This offline attack should be easier to execute than the WEP attacks.
...
Using Random values for the PSK

The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
number for human entry; 20 character passphrases are considered too long
for entry. Given the nature of the attack against the 4-Way Handshake, a
PSK with only 128 bits of security is really sufficient, and in fact
against current brute-strength attacks, 96 bits SHOULD be adequate. This is
still larger than a large passphrase ...
...
Summary
...
Pre-Shared Keying is provided in the standard to simplify deployments in
small, low risk, networks. The risk of using PSKs against internal attacks
is almost as bad as WEP. The risk of using passphrase based PSKs against
external attacks is greater than using WEP. Thus the only value PSK has is
if only truly random keys are used, or for deploy testing of basic WPA or
802.11i functions. PSK should ONLY be used if this is fully understood by
the deployers.

See also:
Passphrase Flaw Exposed in WPA Wireless Security
<http://www.technewsworld.com/story/32070.html>

Wi-Fi Protected Access. Security in pre-shared key mode
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>

Cracking Wi-Fi Protected Access (WPA)
<http://www.ciscopress.com/articles/article.asp?p=369221>
<http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>

WPA Cracker
<http://www.tinypeap.com/html/wpa_cracker.html>

Any security system which uses a passphrase is vulnerable to a poor
choice of passphrase.

Additionally, if the passphrase is not kept secret, the security can be
breached.

This is not a weakness in WPA, it is just that any such system is
subject to breach is the passphrase is 'guessable'. Passphrases should
contain non-dictionary constructions for better security.

John Navas wrote:
> SUMMARY:
>
> WPA-PSK is vulnerable to offline attack.
>
> TO AVOID THE PROBLEM:
>
> USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
> BAD: "vintage wine"
> GOOD: "floor hiking dirt ocean"
> (pick your own words, even longer is better)
> FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.
>
> BACKGROUND:
>
> Weakness in Passphrase Choice in WPA Interface
> By Glenn Fleishman
> By Robert Moskowitz
> Senior Technical Director
> ICSA Labs, a division of TruSecure Corp
> <http://wifinetnews.com/archives/002452.html>
>
> ...
> The offline PSK dictionary attack
> ...
> Just about any 8-character string a user may select will be in the
> dictionary. As the standard states, passphrases longer than 20 characters
> are needed to start deterring attacks. This is considerably longer than
> most people will be willing to use.
>
> This offline attack should be easier to execute than the WEP attacks.
> ...
> Using Random values for the PSK
>
> The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
> number for human entry; 20 character passphrases are considered too long
> for entry. Given the nature of the attack against the 4-Way Handshake, a
> PSK with only 128 bits of security is really sufficient, and in fact
> against current brute-strength attacks, 96 bits SHOULD be adequate. This is
> still larger than a large passphrase ...
> ...
> Summary
> ...
> Pre-Shared Keying is provided in the standard to simplify deployments in
> small, low risk, networks. The risk of using PSKs against internal attacks
> is almost as bad as WEP. The risk of using passphrase based PSKs against
> external attacks is greater than using WEP. Thus the only value PSK has is
> if only truly random keys are used, or for deploy testing of basic WPA or
> 802.11i functions. PSK should ONLY be used if this is fully understood by
> the deployers.
>
> See also:
> Passphrase Flaw Exposed in WPA Wireless Security
> <http://www.technewsworld.com/story/32070.html>
>
> Wi-Fi Protected Access. Security in pre-shared key mode
> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
>
> Cracking Wi-Fi Protected Access (WPA)
> <http://www.ciscopress.com/articles/article.asp?p=369221>
> <http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>
>
> WPA Cracker
> <http://www.tinypeap.com/html/wpa_cracker.html>
>

You're missing the point. Read more carefully. The big issue with WPA
is that it's subject to *offline* attack.

On Fri, 01 Sep 2006 15:32:19 -0500, Jerry Park <NoReply@No.Spam> wrote
in <pN0Kg.23366$y7.14741@bignews6.bellsouth.net>:

>Any security system which uses a passphrase is vulnerable to a poor
>choice of passphrase.
>
>Additionally, if the passphrase is not kept secret, the security can be
>breached.
>
>This is not a weakness in WPA, it is just that any such system is
>subject to breach is the passphrase is 'guessable'. Passphrases should
>contain non-dictionary constructions for better security.
>
>John Navas wrote:
>> SUMMARY:
>>
>> WPA-PSK is vulnerable to offline attack.
>>
>> TO AVOID THE PROBLEM:
>>
>> USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
>> BAD: "vintage wine"
>> GOOD: "floor hiking dirt ocean"
>> (pick your own words, even longer is better)
>> FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.
>>
>> BACKGROUND:
>>
>> Weakness in Passphrase Choice in WPA Interface
>> By Glenn Fleishman
>> By Robert Moskowitz
>> Senior Technical Director
>> ICSA Labs, a division of TruSecure Corp
>> <http://wifinetnews.com/archives/002452.html>
>>
>> ...
>> The offline PSK dictionary attack
>> ...
>> Just about any 8-character string a user may select will be in the
>> dictionary. As the standard states, passphrases longer than 20 characters
>> are needed to start deterring attacks. This is considerably longer than
>> most people will be willing to use.
>>
>> This offline attack should be easier to execute than the WEP attacks.
>> ...
>> Using Random values for the PSK
>>
>> The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
>> number for human entry; 20 character passphrases are considered too long
>> for entry. Given the nature of the attack against the 4-Way Handshake, a
>> PSK with only 128 bits of security is really sufficient, and in fact
>> against current brute-strength attacks, 96 bits SHOULD be adequate. This is
>> still larger than a large passphrase ...
>> ...
>> Summary
>> ...
>> Pre-Shared Keying is provided in the standard to simplify deployments in
>> small, low risk, networks. The risk of using PSKs against internal attacks
>> is almost as bad as WEP. The risk of using passphrase based PSKs against
>> external attacks is greater than using WEP. Thus the only value PSK has is
>> if only truly random keys are used, or for deploy testing of basic WPA or
>> 802.11i functions. PSK should ONLY be used if this is fully understood by
>> the deployers.
>>
>> See also:
>> Passphrase Flaw Exposed in WPA Wireless Security
>> <http://www.technewsworld.com/story/32070.html>
>>
>> Wi-Fi Protected Access. Security in pre-shared key mode
>> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
>>
>> Cracking Wi-Fi Protected Access (WPA)
>> <http://www.ciscopress.com/articles/article.asp?p=369221>
>> <http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>
>>
>> WPA Cracker
>> <http://www.tinypeap.com/html/wpa_cracker.html>
>>

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

I don't think I missed the point. The point is that systems using
passphrases are vulnerable when weak passphrases are used.
Online/offline -- doesn't matter.

WPA is not known to be breakable with a good choice of passphrase. WEP
on the other hand is breakable regardless of passphrase due to the
implementation of the algorithm.

John Navas wrote:
> You're missing the point. Read more carefully. The big issue with WPA
> is that it's subject to *offline* attack.
>
> On Fri, 01 Sep 2006 15:32:19 -0500, Jerry Park <NoReply@No.Spam> wrote
> in <pN0Kg.23366$y7.14741@bignews6.bellsouth.net>:
>
>
>> Any security system which uses a passphrase is vulnerable to a poor
>> choice of passphrase.
>>
>> Additionally, if the passphrase is not kept secret, the security can be
>> breached.
>>
>> This is not a weakness in WPA, it is just that any such system is
>> subject to breach is the passphrase is 'guessable'. Passphrases should
>> contain non-dictionary constructions for better security.
>>
>> John Navas wrote:
>>
>>> SUMMARY:
>>>
>>> WPA-PSK is vulnerable to offline attack.
>>>
>>> TO AVOID THE PROBLEM:
>>>
>>> USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples:
>>> BAD: "vintage wine"
>>> GOOD: "floor hiking dirt ocean"
>>> (pick your own words, even longer is better)
>>> FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS.
>>>
>>> BACKGROUND:
>>>
>>> Weakness in Passphrase Choice in WPA Interface
>>> By Glenn Fleishman
>>> By Robert Moskowitz
>>> Senior Technical Director
>>> ICSA Labs, a division of TruSecure Corp
>>> <http://wifinetnews.com/archives/002452.html>
>>>
>>> ...
>>> The offline PSK dictionary attack
>>> ...
>>> Just about any 8-character string a user may select will be in the
>>> dictionary. As the standard states, passphrases longer than 20 characters
>>> are needed to start deterring attacks. This is considerably longer than
>>> most people will be willing to use.
>>>
>>> This offline attack should be easier to execute than the WEP attacks.
>>> ...
>>> Using Random values for the PSK
>>>
>>> The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large
>>> number for human entry; 20 character passphrases are considered too long
>>> for entry. Given the nature of the attack against the 4-Way Handshake, a
>>> PSK with only 128 bits of security is really sufficient, and in fact
>>> against current brute-strength attacks, 96 bits SHOULD be adequate. This is
>>> still larger than a large passphrase ...
>>> ...
>>> Summary
>>> ...
>>> Pre-Shared Keying is provided in the standard to simplify deployments in
>>> small, low risk, networks. The risk of using PSKs against internal attacks
>>> is almost as bad as WEP. The risk of using passphrase based PSKs against
>>> external attacks is greater than using WEP. Thus the only value PSK has is
>>> if only truly random keys are used, or for deploy testing of basic WPA or
>>> 802.11i functions. PSK should ONLY be used if this is fully understood by
>>> the deployers.
>>>
>>> See also:
>>> Passphrase Flaw Exposed in WPA Wireless Security
>>> <http://www.technewsworld.com/story/32070.html>
>>>
>>> Wi-Fi Protected Access. Security in pre-shared key mode
>>> <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access>
>>>
>>> Cracking Wi-Fi Protected Access (WPA)
>>> <http://www.ciscopress.com/articles/article.asp?p=369221>
>>> <http://www.ciscopress.com/articles/article.asp?p=370636&rl=1>
>>>
>>> WPA Cracker
>>> <http://www.tinypeap.com/html/wpa_cracker.html>
>>>
>>>
>
>

On Sun, 03 Sep 2006 20:43:35 -0500 Jerry Park <NoReply@no.spam> wrote:

| I don't think I missed the point. The point is that systems using
| passphrases are vulnerable when weak passphrases are used.
| Online/offline -- doesn't matter.
|
| WPA is not known to be breakable with a good choice of passphrase. WEP
| on the other hand is breakable regardless of passphrase due to the
| implementation of the algorithm.

Offline does matter. WPA ... as typically put into service ... is more
vulnerable than WEP. And the reason is because of this offline attack
that can be successful against weaker passphrases. It is tradeoff that
a stronger passphrase can be used to scale up the required attack. But
as the passphrase becomes longer, that creates a new weakness in the way
it has to be handled because it may have to be written in more places,
instead of just being memorized.

Here's your new passphrase. Now walk over to the other side of the house
and type it into a different computer over there:

"ut eni ad min ven qui nos exe ull lab nis ut ali ex ea com con"

.... without writing it down or carrying your laptop that displays it.

Most people tend to choose shorter passwords and passphrases. Even those
that know 8 characters is too weak might only use 12 or 16. WPA can be
made reasonably secure only with a dramatic passphrase length.

Or would you rather use a randomized string of characters you can't
remember at all?

phil@canopus:/home/phil 314> makepassword
o6wxqy44flif
phil@canopus:/home/phil 315> makepassword 16
jw3xgp83httpbx58
phil@canopus:/home/phil 316> makepassword 24
8zrvm1peppmno1wfqla474da
phil@canopus:/home/phil 317> makepassword 32
bb42b3fz1hpkrk2ngxxuizbyu07hkyju
phil@canopus:/home/phil 318> makepassword 48
uy1x85e1w5vsgo6y9q8e751mgx4jj1z1mu4rpxoucoc8zss2
phil@canopus:/home/phil 319> makepassword 63
ydwqa3eb7xhzm0lc8umqkieh1c9vmy29xo34vy9i06c6w1vv24 v7av6rtc417xi
phil@canopus:/home/phil 320>

I'll admit to using a passphrase of only 13 characters. It's probably a
bit harder than most to attack because it is the name of two cats we have
that are not normal dictionary words. But it is still not really strong
enough for confidential business work. You can probably enhance some
passphrases by modifying them, not using whole words. But word chopping
can still end up with something that's in the dictionary, anyway. Some
other kind of twist, like rotating each word by the N digits of a number
you can rememeber.

268435456 (2^28)

the lord is my shepherd i shall not want

het ordl si ym pherdshe i lshal otn antw

It scales up a dictionary attack if that attack has to use every possible
word rotation and every possible combination of rotations. If you have a
number you can remember, you can rotate according to it. Rotation is just
one possible twist, and not even the best (although relatively easy).

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2006-09-04-1454@ipal.net |
|------------------------------------/-------------------------------------|

phil-news-nospam@ipal.net wrote:
> On Sun, 03 Sep 2006 20:43:35 -0500 Jerry Park <NoReply@no.spam> wrote:
>
> | I don't think I missed the point. The point is that systems using
> | passphrases are vulnerable when weak passphrases are used.
> | Online/offline -- doesn't matter.
> |
> | WPA is not known to be breakable with a good choice of passphrase. WEP
> | on the other hand is breakable regardless of passphrase due to the
> | implementation of the algorithm.
>
> Offline does matter. WPA ... as typically put into service ... is more
> vulnerable than WEP. And the reason is because of this offline attack
> that can be successful against weaker passphrases. It is tradeoff that
> a stronger passphrase can be used to scale up the required attack. But
> as the passphrase becomes longer, that creates a new weakness in the way
> it has to be handled because it may have to be written in more places,
> instead of just being memorized.
>
> Here's your new passphrase. Now walk over to the other side of the house
> and type it into a different computer over there:
>
> "ut eni ad min ven qui nos exe ull lab nis ut ali ex ea com con"
>
Certainly, and I did note that security of passphrases was important. I
could memorize the above passphrase. I won't. You can choose a long
passphrase which is easier to remember and which still contains
non-dictionary constructions, punctuation, capital/lowercase
combinations, numbers, etc.

But go ahead and use WEP instead of WPA. Personally, I'd rather use no
encryption than to try to fool myself that WEP would be useful.
> ... without writing it down or carrying your laptop that displays it.
>
> Most people tend to choose shorter passwords and passphrases. Even those
> that know 8 characters is too weak might only use 12 or 16. WPA can be
> made reasonably secure only with a dramatic passphrase length.
>
> Or would you rather use a randomized string of characters you can't
> remember at all?
>
> phil@canopus:/home/phil 314> makepassword
> o6wxqy44flif
> phil@canopus:/home/phil 315> makepassword 16
> jw3xgp83httpbx58
> phil@canopus:/home/phil 316> makepassword 24
> 8zrvm1peppmno1wfqla474da
> phil@canopus:/home/phil 317> makepassword 32
> bb42b3fz1hpkrk2ngxxuizbyu07hkyju
> phil@canopus:/home/phil 318> makepassword 48
> uy1x85e1w5vsgo6y9q8e751mgx4jj1z1mu4rpxoucoc8zss2
> phil@canopus:/home/phil 319> makepassword 63
> ydwqa3eb7xhzm0lc8umqkieh1c9vmy29xo34vy9i06c6w1vv24 v7av6rtc417xi
> phil@canopus:/home/phil 320>
>
> I'll admit to using a passphrase of only 13 characters. It's probably a
> bit harder than most to attack because it is the name of two cats we have
> that are not normal dictionary words. But it is still not really strong
> enough for confidential business work. You can probably enhance some
> passphrases by modifying them, not using whole words. But word chopping
> can still end up with something that's in the dictionary, anyway. Some
> other kind of twist, like rotating each word by the N digits of a number
> you can rememeber.
>
> 268435456 (2^28)
>
> the lord is my shepherd i shall not want
>
> het ordl si ym pherdshe i lshal otn antw
>
> It scales up a dictionary attack if that attack has to use every possible
> word rotation and every possible combination of rotations. If you have a
> number you can remember, you can rotate according to it. Rotation is just
> one possible twist, and not even the best (although relatively easy).
>
>