Internet Talk Internet Talk    FAQ   Search   Memberlist   Usergroups   Register   Profile   Log in to check your private messages   Log in  ALERT: WPA isn't necessarily secure          Internet Talk Forum Index -> Wireless View previous topic :: View next topic   Author Message John Navas Guest Posted: Wed Jul 16, 2008 7:19 pm    Post subject: ALERT: WPA isn't necessarily secure SUMMARY: WPA-PSK is vulnerable to offline attack. TO AVOID THE PROBLEM: USE A PASSPHRASE WITH MORE THAN 20 CHARACTERS. Examples: BAD: "vintage wine" GOOD: "floor hiking dirt ocean" (pick your own words, even longer is better) FOR HIGH SECURITY, USE MORE THAN 32 CHARACTERS. BACKGROUND: Weakness in Passphrase Choice in WPA Interface By Glenn Fleishman By Robert Moskowitz Senior Technical Director ICSA Labs, a division of TruSecure Corp <http://wifinetnews.com/archives/002452.html> ... The offline PSK dictionary attack ... Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use. This offline attack should be easier to execute than the WEP attacks. ... Using Random values for the PSK The PSK MAY be a 256-bit (64 hexadecimal) random number. This is a large number for human entry; 20 character passphrases are considered too long for entry. Given the nature of the attack against the 4-Way Handshake, a PSK with only 128 bits of security is really sufficient, and in fact against current brute-strength attacks, 96 bits SHOULD be adequate. This is still larger than a large passphrase ... ... Summary ... Pre-Shared Keying is provided in the standard to simplify deployments in small, low risk, networks. The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using passphrase based PSKs against external attacks is greater than using WEP. Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should ONLY be used if this is fully understood by the deployers. See also: Passphrase Flaw Exposed in WPA Wireless Security <http://www.technewsworld.com/story/32070.html> Wi-Fi Protected Access. Security in pre-shared key mode <http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access> Cracking Wi-Fi Protected Access (WPA) <http://www.ciscopress.com/articles/article.asp?p=369221> <http://www.ciscopress.com/articles/article.asp?p=370636&rl=1> WPA Cracker <http://www.tinypeap.com/html/wpa_cracker.html> Back to top   Ads Advertising Sponsor Display posts from previous: All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 Year Oldest FirstNewest First         Internet Talk Forum Index -> Wireless All times are GMT Page 1 of 1   Jump to: Select a forum Internet Talk----------------Internet TalkWireless  You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum Australian Debt Consolidation Experts medical insurance Wedding Incall and Outcall Escorts in Milan, Rome, Florence, Naples, Turin, Venice Australia Swingers Contacts Agriculture Industry Secured Loans Make Your Own Website Cheap calls to Saudi Arabia Cleaning Service black mold UK Swingers Genuine Contacts Site cleaning supplies Vacuum Bags 124 Attacks blocked Powered by phpBB © 2001, 2005 phpBB Group