Authentication Open vs Shared Key

#1 (**permalink**) 09-12-2007, 01:17 PM

Yesterday I purchased a D-Link wireless print server and set it up. I
followed the instructions in the Quick Install Guide: "Next to
authentication, select Shared Key." The server did not connect to the
Access Point. I phoned up D-Link tech support and to their credit,
they advised me to change this parameter to "Open", which solved the
problem. Unfortunately, the tech support guy was unable to explain
why. I hope someone here can enlighten me.

The Access Point is a Netopia router furnished by the phone company.
It is set up with WEP and a 10 digit hex key. It certainly seems
appropriate to configure the print server authentication to be
"Shared Key." Is the D-Link implementation (and documentation)
defective, or is "Open" actually the appropriate setting?

#2 (**permalink**) 09-12-2007, 01:51 PM

Bob Simon wrote:

> Yesterday I purchased a D-Link wireless print server and set it up. I
> followed the instructions in the Quick Install Guide: "Next to
> authentication, select Shared Key." The server did not connect to the
> Access Point. I phoned up D-Link tech support and to their credit,
> they advised me to change this parameter to "Open", which solved the
> problem. Unfortunately, the tech support guy was unable to explain
> why. I hope someone here can enlighten me.
>
> The Access Point is a Netopia router furnished by the phone company.
> It is set up with WEP and a 10 digit hex key. It certainly seems
> appropriate to configure the print server authentication to be
> "Shared Key." Is the D-Link implementation (and documentation)
> defective, or is "Open" actually the appropriate setting?

Neither WEP nor "Open Authentication Mode" are appropriate.

#3 (**permalink**) 09-12-2007, 01:53 PM

Bob Simon wrote:
> Yesterday I purchased a D-Link wireless print server and set it up. I
> followed the instructions in the Quick Install Guide: "Next to
> authentication, select Shared Key." The server did not connect to the
> Access Point. I phoned up D-Link tech support and to their credit,
> they advised me to change this parameter to "Open", which solved the
> problem. Unfortunately, the tech support guy was unable to explain
> why. I hope someone here can enlighten me.
>
> The Access Point is a Netopia router furnished by the phone company.
> It is set up with WEP and a 10 digit hex key. It certainly seems
> appropriate to configure the print server authentication to be
> "Shared Key." Is the D-Link implementation (and documentation)
> defective, or is "Open" actually the appropriate setting?

The simple answer is that the key type is set up on your access point,
so presumably your AP is set to Open and therefore your print server
would also need to be. I have read that Open is more secure; no idea if
this is true or not, I'm afraid. Shared supposedly performs some
authentication using the SSID at the beginning which is vulnerable to
attack.

#4 (**permalink**) 09-12-2007, 04:35 PM

Carl Lewis wrote:

> The simple answer is that the key type is set up on your access point,
> so presumably your AP is set to Open and therefore your print server
> would also need to be. I have read that Open is more secure; no idea if
> this is true or not, I'm afraid.

Well, why don't you inform yourself how WEP Open Authentication works?

> Shared supposedly performs some
> authentication using the SSID at the beginning which is vulnerable to
> attack.

Yeah, you could hardly show off more incompetence.

#5 (**permalink**) 09-12-2007, 10:47 PM

In article <5kqiqmF539jpU1@mid.dfncis.de>, "Sebastian G." <seppi@seppig.de> writes:
>Carl Lewis wrote:
>
>
>> The simple answer is that the key type is set up on your access point,
>> so presumably your AP is set to Open and therefore your print server
>> would also need to be. I have read that Open is more secure; no idea if
>> this is true or not, I'm afraid.
>
>
>Well, why don't you inform yourself how WEP Open Authentication works?
>
>> Shared supposedly performs some
>> authentication using the SSID at the beginning which is vulnerable to
>> attack.
>
>
>Yeah, you could hardly show off more incompetence.

If you are using shared key authentication with WEP then you are the
incompetant. Shared key authentication doesn't work and actually makes WEP even
more unsecure than it otherwise is.

See for instance

http://www.networkworld.com/research...wepprimer.html

"
Weakness: Authentication messages can be easily forged

802.11 defines two forms of authentication: Open System (no authentication) and
Shared Key authentication. These are used to authenticate the client to the
access point. The idea was that authentication would be better than no
authentication because the user has to prove knowledge of the shared WEP key,
in effect, authenticating himself. In fact, the exact opposite is true: If you
turn on authentication, you actually reduce the total security of your network
and make it easier to guess your WEP key.

Shared Key authentication involves demonstrating the knowledge of the shared
WEP key by encrypting a challenge. The problem is that a monitoring attacker
can observe the challenge and the encrypted response. From those, he can
determine the RC4 stream used to encrypt the response, and use that stream to
encrypt any challenge he receives in the future. So by monitoring a successful
authentication, the attacker can later forge an authentication. The only
advantage of Shared Key authentication is that it reduces the ability of an
attacker to create a denial-of-service attack by sending garbage packets
(encrypted with the wrong WEP key) into the network.

"

and

http://www.cs.nmt.edu/~cs553/pap29.pdf

"
Furthermore, because the same keys are used for shared key authentication and
WEP, when you use shared key authentication and it is compromised you have had
your WEP keys compromised as well, meaning that an intruder could then decipher
all traffic to and from the AP and its clients. Ironically the most secure
setting of this feature is "open authentication", allowing anyone to associate
with your access points, and relying on other methods to handle security.
While removing a layer of security may seem contradictory to making your
network more secure, this particular layer is flawed and hurts far more than it
helps.
"

Having said that WEP is now broken so easily that unless your devices offer you
no alternative you should be looking at using WPA or WPA2.

David Webb
Security team leader
CCSS
Middlesex University

#6 (**permalink**) 09-14-2007, 10:10 AM

In article <Xns99AB5DBB58009juergennieveler@nieveler.org>, Juergen Nieveler <juergen.nieveler.nospam@arcor.de> writes:
>david20@alpha2.mdx.ac.uk wrote:
>
>> If you are using shared key authentication with WEP then you are the
>> incompetant. Shared key authentication doesn't work and actually makes
>> WEP even more unsecure than it otherwise is.
>
>Uh... I suppose he knows already, hence his other post stating "WEP...
>is not appropriate" ;-)
>
>Regardless of how you exchange keys, WEP simply is too insecure to use.
>
Agreed - which is why I suggested that he look at WPA or WPA2.

David Webb
Security team leader
CCSS
Middlesex University

>Juergen Nieveler
>--
>Nolli turbare testiculos meos!