WPA Wireless Security Standard Flawed

By Jim Louderback  |  Posted 2003-11-06

New WPA security standard, set to replace flawed WEP, has security vulnerability of its own.

Here we go again. According to a paper by security expert Robert Moskowitz, the new WPA security scheme designed to protect 802.11 wireless networks has a fundamental flaw. The problem isn't with the scheme itself, but with how keys are exchanged.
Using a Pre-Shared Key (PSK) scheme—as opposed to 802.1X—can leave a network wide open in certain situations. The PSK is similar to a WEP key, in that it is a single string of bytes unique across an entire SSID.
When home users or naive network managers choose a PSK passphrase of less than 20 characters using English words, such as "Dragon Food" or "That Seventies Show," the PSK can easily be deciphered via a relatively simple dictionary attack. And once the PSK has been swiped, it's simple to then gain the Pairwise Master Key (PMK), which is used to protect transmissions from a computer to another device. The additional parameters used to generate the PMK, including both MAC addresses and the SSID, can be found simply by passively snooping network traffic. According to Moskowitz, this type of network penetration should be easier to execute than WEP-based ones.

To be safe, anyone setting up a WPA-based wireless network should use a PSK passphrase larger than 20 characters, using a mix of letters and numbers. This is standard practice for most network administrators, certainly. But because most home wireless router products let end users enter in any word or phrase, this could become a major problem for small businesses and homes—and the corporate networks they connect to.

You can read the full analysis at WiFi News, and a detailed discussion of the issue at Slashdot.
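
The passphrase guidance above can be turned into a check to run before a passphrase is configured on an access point. This is an added example, not part of the original article or of Moskowitz's paper. The function names and the small word list are constructed for illustration, and the passphrase-to-PSK mapping shown (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) comes from IEEE 802.11i rather than from the article.

```python
import hashlib
import re

# Constructed sample word list; a real audit would load a full dictionary file.
COMMON_WORDS = {"dragon", "food", "that", "seventies", "show", "password", "home"}


def derive_psk(passphrase, ssid):
    """Map a passphrase to the 256-bit PSK as IEEE 802.11i specifies.

    The SSID is the only salt, so the same passphrase on the same SSID
    always produces the same key: its strength rests on the passphrase alone.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )
    return key.hex()


def audit_passphrase(passphrase):
    """Return the reasons a passphrase fails the article's guidance."""
    findings = []
    # "larger than 20 characters"
    if len(passphrase) <= 20:
        findings.append("not longer than 20 characters")
    # "a mix of letters and numbers"
    if not (re.search(r"[A-Za-z]", passphrase) and re.search(r"\d", passphrase)):
        findings.append("no mix of letters and numbers")
    # Passphrases assembled purely from dictionary words
    words = re.findall(r"[a-z]+", passphrase.lower())
    if words and all(w in COMMON_WORDS for w in words):
        findings.append("built only from dictionary words")
    return findings


if __name__ == "__main__":
    # Constructed candidates: the article's two weak examples and a random string.
    for candidate in ("Dragon Food", "That Seventies Show", "k7Qm2vX9rT4bLw8Zp3NsY6h"):
        print(repr(candidate), audit_passphrase(candidate) or "passes")
```

An empty list means the passphrase meets all three checks; the dictionary check is only as good as the word list supplied.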
With more than 20 years' experience in consulting, technology, computers and media, Jim Louderback has pioneered many significant new innovations.

While building computer systems for Fortune 100 companies in the '80s, Jim developed innovative client-server computing models, implementing some of the first successful LAN-based client-server systems. He also created a highly successful iterative development methodology uniquely suited to this new systems architecture.

As Lab Director at PC Week, Jim developed and refined the product review as an essential news story. He expanded the lab to California, and created significant competitive advantage for the leading IT weekly.

When he became editor-in-chief of Windows Sources in 1995, he inherited a magazine teetering on the brink of failure. In six short months, he turned the publication into a money-maker, by refocusing it entirely on the new Windows 95. Newsstand sales tripled, and his magazine won industry awards for excellence of design and content.

In 1997, Jim launched TechTV's content, creating and nurturing a highly successful mix of help, product information, news and entertainment. He appeared in numerous segments on the network, and hosted the enormously popular Fresh Gear show for three years.

In 1999, he developed the 'Best of CES' awards program in partnership with CEA, the parent company of the CES trade show. This innovative program, where new products were judged directly on the trade show floor, was a resounding success, and continues today.

In 2000, Jim began developing a daily, live, 8-hour TechTV news program called TechLive. Called 'the CNBC of Technology,' TechLive delivered a daily day-long dose of market news, product information, technology reporting and CEO interviews. After its highly successful launch in April of 2001, Jim managed the entire organization, along with setting editorial direction for the balance of TechTV.

In the summer of 2002, Jim joined Ziff Davis Media to be Editor-In-Chief and Vice President of Media Properties, including ExtremeTech.com, Microsoft Watch, and the websites for PC Magazine, eWeek and ZDM's gaming publications.

