Mobile & Wireless - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Mobile & Wireless


WPA Wireless Security Standard Flawed



 By: Jim Louderback
2003-11-06
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Mobile & Wireless story.


Rate This Article:
Poor Best
New WPA security standard, set to replace flawed WEP, has security vulnerability of its own.

Here we go again.

According to a paper by security expert Robert Moskowitz, the new WPA security scheme designed to protect 802.11 wireless networks has a fundamental flaw. The problem isnt with the scheme itself, but with how keys are exchanged.

Resource Library:
Using a Pre-Shared Key (PSK) scheme—as opposed to 802.1X—can leave a network wide open in certain situations. The PSK is similar to a WEP key, in that it is a single string of bytes unique across an entire SSID.

When home users or naive network managers choose a PSK passphrase of less than 20 characters using English words, such as "Dragon Food" or "That Seventies Show," the PSK can easily be deciphered via a relatively simple dictionary attack.

And once the PSK has been swiped, its simple to then gain the Pairwise Master Key (PMK), which is used to protect transmissions from a computer to another device. The additional parameters used to generate the PMK, including both MAC addresses and the SSID, can be found simply by passively snooping network traffic.

According to Moskowitz, this type of network penetration should be easier to execute than WEP-based ones.

To be safe, anyone setting up a WPA-based wireless network should use a PSK passphrase larger than 20 characters, using a mix of letters and numbers. This is standard practice for most network administrators, certainly. But because most home wireless router products let end users enter in any word or phrase, this could become a major problem for small businesses and homes—and the corporate networks they connect to.

You can read the full analysis at WiFi News, and a detailed discussion of the issue at Slashdot.

Discuss This in the eWEEK Forum



  Reader Comments: WPA Wireless Security Standard Flawed
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Mobile & Wireless Articles          >>> More By Jim Louderback
 


x}ks㶲*Q3CO#Mɶ<։mXVi)S$IV˭_zВݙĶD th4I"nZΘ\̦dwꚃ>}K$wB}NUQV C7((bP<HwO7n[cQ0Ra᳙*,>;O}1fPk5M~"3h ؕgxg4X:nNOn9n:'ݛ9^qٝN4p3 Z_Zr`Ck'^MXCEC0ʾ#3p=jI>wIAұ,Oȿ;Be}Y З?R(E34 i[2)ߖI@w[)@ +:YK7BSK3Q8nZK}0[RFp&\ ДQCלذ 1"%hJyOM XZދ"}Et"Ayq>]Q4{3Bɝ`g@IE !\J!=! g|8S%Ku}7pW-CzlNVڒ1Wb{g(1eޡ:ix>!e.ڽ^C8JjhX.B2iKB0q77Zu?1Va**rkTQnʼnl :2X jXR7HaQp: 0hv?SOiͦ89yt$AG61^zK ucb>'ݸäppw>-Fv13{Q {>0iCkJQD4i-D@wM0Ie+f!S uG νdrgoMA(oEnPX^0 vjiqHpyY?B]uCb賀B=`MkweC93(u%w2J}c>] #RRR$S]HPw9DJ B!B0HV0( ar T<ʦBICvn2V{TKh!+K@fsfd(4{~4 cbB|#'fXr`Y \d+|i)lb ը6؛ri:|:ioB{4 0sҺ<,$-X ɉ&1# IK8Y)0Azn8 DŽs w00ӊYsƾ s a0'6O(tsj9`XƄWj>!4ӇiЈ4XĽǦ笳5SN`cܒn̜07ÚL ~Dg詅m>`T4fs)wdmrn)RЛvs9n$!+xWY 2gdRUyqtʝ+PXfAװ DؚZWS{<`m1Jx>hx# d\6XbO`#Vškϧ;°w^^v˖?~F|2^ۄC=1͉V*a0Y6؋T,{|ݛtZA_` V&I?րH{A2,e,rGmAu،;s<}Zj\X,>9R>5 < đOT׃RUaT(j];12­q͝a&1 DR)Ö1Swhi'T'/咢TSАah"pHEAxZkhp\@U.)L-9Hz  [ hg [QznSCz+n `RI?I BL!2B3ݧ==1g匬~`" dRPZUU+òZp~*0yϸoGL aL:+lC30XfSf~+u08 LBl̓Oe*r1_?J= [LߴF@V1'`{7=;%(4OQ5rRl2~6P}m*lֳ>AqHlw\O+n'WaO9n7=RJRHǞ1]]2Yޘzֱ4> ʀkxG2cdYJhUm{\ cg2|]>_&I|SeYȣV)+Y+T\U񋰷8C+`-XRj#L*"Go&ŏ[o(urvOG~T>UʠˏHU*J5yUr=)i7xџ6YD+(++i-Y2ǽa m.E[& 4˷ʨKu3[*X.DД4Ϩ;Rb i kxG c[,i/.: ?Nٿ:N00vY?0+KKxi/RR9$juԹh}h0.[ltJj2m&A)pdQL?jnW۫It0lg~hy# @4Qn߽p.Z:K5?wH;m)^{%o= rHp'Bjw>\$'d0 s|n]G'6b `xѤĢ6Bz?$Y^3_{w "HlSOkԛ2L:1D&rޚSE[B {t#1QLwʩރt e~=m1결uC%<2ON)gtJē˓!=)jښIմg"8I5F4A2 uID? Mt4DPW PقZ $O kzisq^]ҹuX`M`l)ZQ!|Nr 9nG`e>R!G[yQb}b%h4eW:Bzc'?<9Gs`c*䬨t#~Mbݩc3cD1uwR;2Q杊^Y ]s>ͥ=`L̴M\gwhNPD(PQESrc㻞 Zt Ud_Rxa9yhSr?r%>iפuja~%X@2;'|$A1|MuSOF 95C/3r¸E}l(=hGt?vJow{ѧ}E4 7tRTsd;i6ӱ$BUU+jۻA\8%'+wr62Ӣ @7Yu (f~\;pOҠ%cc}d}ݸw[f1vifw ݷJP}I.=]awQxIݣw뻻P͞6vYiEU.J\ -"PnǸz {II5)x}<-J`RToy^f} m$.EB"fcME[o<ק{cef7F?m%p'xf99qi N6_(^3)nݱd{ѿu3gx"<ʖ %G*3(Pe ,?`B3CH0N@3mnFY՟GFy6Qu#Jt͍^C ;yswQT0%foUtwwwR2 ),l `2Wr7i?;s 0 ΄ayR ?; iNeJ&zR= %[(yuYҗa4gw[H &G T!gi߆.H¤8qtW=zg[q6V?ۧiMliT D_p[(||15Y%{ O<ݔ.TI?x`G^\Uk{‚J)g}Ji"Y$zcDHo/ePPy"<ͧ\eawUn 6}/ bh=&+L`Af* ""㑞a%O$F\ܛυ%UmSV+c@$ 9@pj9mϥc=4&h\{Rc-[AH J{wPj VPz TFGncw6Kn1p P w;Ex_cuC:_nivfnYyM+ kґ5^;BD#u:w=K~EJ6k.itI@j tmSkC ZQ! vB85Vͭ^ߐ=j6.I\2$!X&7; ׇ5\"Fa>0RjAZ'%^F>'TZ.QTTTT_SnUjEp抑=*-]Q׳&ٯwM}qSgԃi^w>  1IBZ?m/r=-=[ܶƗ[ןJx^H:Չxt3^=z†XGoes^߱޴?KX'`$'XzS_T~ % @ xUI0SհƋ)*YOn઄-KH}߂Gߟqr|icl]T0P{ax)NJs, `D"458lpD}.5Op甤*\±U p~棯|iwߕV[,X^CuhX-fjmvuC#rqj敾3n* X =>Rsj.kz.Ϗ(֏>3- [ ]HODnN܆;-4w6uiEsyw{1ݱ;U ^Q w" `"+lxѫGȍC9Ma鹞nD_Hޖ%Tw0{rO|kgNDD>f]u[8 Am𛷿cd;6?v=mZA+=V4 m:pXyI{_<@_1+tѥLXoJYZ([_˯Gjp,Éu]{c~BP2o2@44kIY'$FZIHgcS8#{`4cT2,,y8df9jp@$H`k_A'-gʬjgmα?=fTnCn$pK4+uwDZF/z3,M?C"Oߣ]-Y?`CP'}dɷ~1V^c.[2Qȏa&J~~'`M=wKA4`}*[fZ%24P^UߡVR*jZ?";М|}yj]SjZYS#UV /"\k׺"N ՗>-,'c0/';`^hRLM4j%)zd HO֔o_d9_K>HP)%$7IMķd0ǖC0%n4,q>+襃ڕ:ZDbW O: @W&Du#i!FY,t:sijSF;1CWIе6ARɠ{=yF-h>#Թ|׉sw?r}sι}?cxpeY_+ 66Ƕlva|DXOQ; @Lwtc2ЁHz5,?_J)m#Q^_fFܞUk}Èk`dVO_ňVSR>dDk9mFA&׈1h?91<.PW'nyVmIz .kx>a4݋R>hueaj+Y!kjb;ҁP+qܖ.0[n4C~} M&`Cq@rt7%eZS[ٓ8GG_ 6f^FGZQ)MG)}o cb2zވqn5; roEVIv# ,ŐǞ?Z,D`dgl/Ո/ul9l~swGRXȟY@SC,:Y7e{|o CROwE)d0wCE;cv:q0ra)?Ĉo8fkHjIC9Ҕ#5훟/{ʾR0F$u2C:΀ ZIhLiED#RhbGBc&~^I79mOR-i`Ik„0'ld Dps} dlSۈ+*+0阿a9=c3bw`E݁{s01Faŷ^$l;b21#bH}=% tQET&}fA=bAa~L#[C\/5Dͼ͍$vJ3Zlfp"(3[]ă0>]qw6'+נ!gm6Z!fu5KfltQQ({b8M u?؃3,ȏWHmݜ(8z1I)t#K/Hzs&H@PbJ])IdR|:PJ|+R0cU+_cPw^7Dz+YT( I+;}*w4 }:1's;cvgrڽ&-rznǣu^y@a[+ |폺Uw'WO;e<|1 kyl2/*f(H^.NQʩ`Sg̵,9%y:w8lxY̟D~+Q^e5DM@_zuL&Bu򩕼t?{Չt.^ ȤRŻs`_k(^_~NmwS__~48iCSi}>@?G(Shu֗wN IN9?t.sʡ+4y|9s_/}/r{ȡE^^'eSNS~909{ s#?0~9ׅws?]/rqWP*5u^=A֗_S^9)O@O9rߛorڿ\'I9ru S)Jy/*苼5rXB]Cy>*P/nvs ث:WK?sz9^}NNF&/Iz]!,.5P^e5vkYAm{} yW V`˼74(^xXHyE#chto$.rd&}:=WWvl+x.*ܢ}:qOXE9 8G#iPA9ЧˤD4k{HO9|\z[,G$q=PW].6p=sxL|uӚ޴Av<2k]Օ/#BAf_b 5y?'OtVfw 4;) voBgU=n{d4qa C_j'܌3X\w{A7i__WmЙM%aCeGӰXS/P3 !GaW@jer Er)<螩z$_ MW+4\h D́a[; o6eM+5VkZpwrDa3="BS]FTMVYi2ZUٯk%P<# .M3^e&MȡN!3pC&J5FG Ptl5U YmBRH6T<gu~o'2Pd S7ʄ,4wW;SŀЫِġ@΂3,ƶ7;tp6 ߄^0–,ٵ&"m,w1B85tgh[L,eށz<hxqfajx cx"m[ P`t{^=F.Ltdp!gB-Zыl^@eD˺暻x:X~ {f0aŘSkC߆"yOB;P@9óErby063OH N#śXDda|}kf!t9X v;i;{c&[c^b ]р,){+z#cE Vj ZFvHϵg9UW_.g̶ U1^{ #E3dƨz< RƠC)evݏF{A}F垓gg_5b Gyʫc3@p6+"مxދ/!ZQy|XT ,sD<>7S3U)ւ_Ź}зǁ/;K{KVo7(&\`1JqIȥIG =$nDJE{)ߠ(b<% *`>.X">m<'6}Fu;H "@"drtPŗ-;waSF)f'VFp)hFNp8C3`ܐ}oDI C_xr:`+L}v0u=ĦrR4mLepwR K?93_N 稅$Wv.tc<^:yl뎮E{ hymx:" B#/m˕bA<\n2?>%i#.}@ nSR%+7`/=2H] OqS`hwq#ƫ1ucVBR(at!L?c.vjmnJQXƺa#mhT4X %^VD'n3^m'oym ۊ|Va=rkbcΜ6 4g|X ^|޹+o=ȉe6뙣\g0^n,eH}+qd.GDI IZ']ZD!hXrE"O q~ m[PY1+ (R9K&t>0 'Ɣ ϰ"- s+׶9),cכS'>U 3 .^3Ơ`{ej x ؚտHQ#zfi!ACWqk @{kĵ6n᳇y0Ǖ2DM1F(ͦ,1f& Aixv4!M*`'΢gI^v>!T!6{xvY`Eq{Cipxy"E/(Ksx{}΂`R{WxO0m\}l4n&_!-2VjwV㛾VtƦI:1qz륍yQ'b(56lS24K_hj4>Saa%nǝlr n%96G\X P^K(