AUTHENTICATION : Open System or Shared Key

I just read that - paradoxically - Open system is more secure than
Shared Key because the Shared Key can be sniffed and cracked (iy you
pardon the expression).

I am setting up a small home system and would assume that Shared Key
is a better option as it would prevent the next door neighbour (who is
almost certainly not a hacker capable of sniffing and entering) from
associating to the network.

any thoughts on which is best for a small network ?

On Thu, 29 Jul 2004 19:24:23 +0100, (E-Mail Removed) spoketh

>I just read that - paradoxically - Open system is more secure than
>Shared Key because the Shared Key can be sniffed and cracked (iy you
>pardon the expression).
>
>I am setting up a small home system and would assume that Shared Key
>is a better option as it would prevent the next door neighbour (who is
>almost certainly not a hacker capable of sniffing and entering) from
>associating to the network.
>
>any thoughts on which is best for a small network ?
>

Why would you assume that the opposite of what you stated one paragraph
up would be better?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

On Thu, 29 Jul 2004 15:33:09 -0400, Lars M. Hansen
<(E-Mail Removed)> wrote:

>On Thu, 29 Jul 2004 19:24:23 +0100, (E-Mail Removed) spoketh
>
>>I just read that - paradoxically - Open system is more secure than
>>Shared Key because the Shared Key can be sniffed and cracked (iy you
>>pardon the expression).
>>
>>I am setting up a small home system and would assume that Shared Key
>>is a better option as it would prevent the next door neighbour (who is
>>almost certainly not a hacker capable of sniffing and entering) from
>>associating to the network.
>>
>>any thoughts on which is best for a small network ?
>>
>
>Why would you assume that the opposite of what you stated one paragraph
>up would be better?
>
is that an opinion or are you just blowing your nose - metaphorically
speaking.

I am confues as to why anyone would think an Open System was more
secure than a Shared Key system but that is what the book says.

care to contribute anything useful ?

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I just read that - paradoxically - Open system is more secure than
> Shared Key because the Shared Key can be sniffed and cracked (iy you
> pardon the expression).
>
> I am setting up a small home system and would assume that Shared Key
> is a better option as it would prevent the next door neighbour (who is
> almost certainly not a hacker capable of sniffing and entering) from
> associating to the network.
>
> any thoughts on which is best for a small network ?
>
>
>

The difference is really pretty trivial. In shared-key authentication, the
AP sends out a pseudo-random sequence of bytes, unencrypted. The station
trying to associate must encrypt the string and send it back. The AP doesn't
allow the association process to complete unless it recovers the original
string by decrypting (which "proves" that the client is using the same WEP
key). In open authentication, any station is allowed to associate. But if
WEP is used, association is useless. You still have to encrypt correctly in
order to exchange any IP packets. All you've really done is push
authentication up to layer 3.

The main problem with shared-key authentication is that it gives a hacker
monitoring the network a free sample of a matched plaintext/codetext pair.
At the very least it allows the hacker to recover the exact keystream used
to encrypt that frame, which can then be directly used to decrypt the first
several bytes of any subsequent frame using the same IV value. It is also a
freebie first entry in a database that could eventually be used to recover
the shared key. Also, the plaintext may give some insight into the
pseudorandom algorithm used by the AP, which might also be used in
encryption.

On Thu, 29 Jul 2004 21:19:20 GMT, "gary" <(E-Mail Removed)>
wrote:

>
><(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>> I just read that - paradoxically - Open system is more secure than
>> Shared Key because the Shared Key can be sniffed and cracked (iy you
>> pardon the expression).
>>
>> I am setting up a small home system and would assume that Shared Key
>> is a better option as it would prevent the next door neighbour (who is
>> almost certainly not a hacker capable of sniffing and entering) from
>> associating to the network.
>>
>> any thoughts on which is best for a small network ?
>>
>>
>>
>
>The difference is really pretty trivial. In shared-key authentication, the
>AP sends out a pseudo-random sequence of bytes, unencrypted. The station
>trying to associate must encrypt the string and send it back. The AP doesn't
>allow the association process to complete unless it recovers the original
>string by decrypting (which "proves" that the client is using the same WEP
>key). In open authentication, any station is allowed to associate. But if
>WEP is used, association is useless. You still have to encrypt correctly in
>order to exchange any IP packets. All you've really done is push
>authentication up to layer 3.
>
>The main problem with shared-key authentication is that it gives a hacker
>monitoring the network a free sample of a matched plaintext/codetext pair.
>At the very least it allows the hacker to recover the exact keystream used
>to encrypt that frame, which can then be directly used to decrypt the first
>several bytes of any subsequent frame using the same IV value. It is also a
>freebie first entry in a database that could eventually be used to recover
>the shared key. Also, the plaintext may give some insight into the
>pseudorandom algorithm used by the AP, which might also be used in
>encryption.

so what should i implement Open authentication or shared key ?

anyone care to comment on what they are using .

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Thu, 29 Jul 2004 21:19:20 GMT, "gary" <(E-Mail Removed)>
> wrote:
>
> >
> ><(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed).. .
> >> I just read that - paradoxically - Open system is more secure than
> >> Shared Key because the Shared Key can be sniffed and cracked (iy you
> >> pardon the expression).
> >>
> >> I am setting up a small home system and would assume that Shared Key
> >> is a better option as it would prevent the next door neighbour (who is
> >> almost certainly not a hacker capable of sniffing and entering) from
> >> associating to the network.
> >>
> >> any thoughts on which is best for a small network ?
> >>
> >>
> >>
> >
> >The difference is really pretty trivial. In shared-key authentication,
the
> >AP sends out a pseudo-random sequence of bytes, unencrypted. The station
> >trying to associate must encrypt the string and send it back. The AP
doesn't
> >allow the association process to complete unless it recovers the original
> >string by decrypting (which "proves" that the client is using the same
WEP
> >key). In open authentication, any station is allowed to associate. But if
> >WEP is used, association is useless. You still have to encrypt correctly
in
> >order to exchange any IP packets. All you've really done is push
> >authentication up to layer 3.
> >
> >The main problem with shared-key authentication is that it gives a hacker
> >monitoring the network a free sample of a matched plaintext/codetext
pair.
> >At the very least it allows the hacker to recover the exact keystream
used
> >to encrypt that frame, which can then be directly used to decrypt the
first
> >several bytes of any subsequent frame using the same IV value. It is also
a
> >freebie first entry in a database that could eventually be used to
recover
> >the shared key. Also, the plaintext may give some insight into the
> >pseudorandom algorithm used by the AP, which might also be used in
> >encryption.
>
> so what should i implement Open authentication or shared key ?

Well, clearly I'm saying that shared-key offers no real advantage, and
offers a leg up to a hacker. Translation: use open authentication.

>
> anyone care to comment on what they are using .

I'm using open authentication.

>

On Thu, 29 Jul 2004 20:40:15 +0100, (E-Mail Removed) spoketh

>>
>>Why would you assume that the opposite of what you stated one paragraph
>>up would be better?
>>
>is that an opinion or are you just blowing your nose - metaphorically
>speaking.
>
>I am confues as to why anyone would think an Open System was more
>secure than a Shared Key system but that is what the book says.
>
>care to contribute anything useful ?
>

Shared key authentication is supposed to keep unauthorized wireless
client out, but as it turns out, it uses the encryption key as the
authentication key thus exposing your encryption key to anyone with a
wireless sniffer.

Using open authentication doesn't expose your encryption key like shared
key authentication does, so despite the fact that it should be the other
way around, open authentication are actually the better option of the
two...

Search www.wi-fiplanet.com for a nice article explaining it all in case
my nose blowing didn't do it for you...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

Hi,

(E-Mail Removed) schrieb:
> I just read that - paradoxically - Open system is more secure than
> Shared Key because the Shared Key can be sniffed and cracked (iy you
> pardon the expression).
>
> I am setting up a small home system and would assume that Shared Key
> is a better option as it would prevent the next door neighbour (who is
> almost certainly not a hacker capable of sniffing and entering) from
> associating to the network.
>
> any thoughts on which is best for a small network ?

"Open System" is actually no authentication at all. "Shared Key" on all
WEP adapters (i.e before "Wireless Protected Access" - WPA and probably
TKIP) is an authentication that exposes a clean text / cipher text pair
to an eavesdropper that can be used to help in subsequent attacks.
For that reason, most current (i.e. before WPA) adapters do not
implement the shared key message exchange anymore at all (even if shared
key is configured). WEP adapter producers realized after some time that
shared key authentication does more harm than it helps. In this case,
the shared key is only used as paylod encryption key, but not as
authentication key.

The gist of it is:
If you have WPA, use full (shared key, "PreShared Key" - PSK in the
terms of WPA) authentication. This does not reduce your level of
security anymore. If you have WEP, it doesn't matter, since the
authentication message exchange isn't implemented at all (with most
adapters). If you have very old WEP adapters, use "Open System"
authentication.
If there is any chance, use WPA.


Hope this helps,

Michael


--
===========================================
Michael Schmidt
-------------------------------------------
Institute for Data Communications Systems
University of Siegen, Germany
-------------------------------------------
http: www.nue.et-inf.uni-siegen.de
e-mail: (E-Mail Removed)
mobile: +49 179 7810214
===========================================

On Fri, 30 Jul 2004 08:36:06 +0200, Michael Schmidt
<(E-Mail Removed)> wrote:

>Hi,
>
>(E-Mail Removed) schrieb:
>> I just read that - paradoxically - Open system is more secure than
>> Shared Key because the Shared Key can be sniffed and cracked (iy you
>> pardon the expression).
>>
>> I am setting up a small home system and would assume that Shared Key
>> is a better option as it would prevent the next door neighbour (who is
>> almost certainly not a hacker capable of sniffing and entering) from
>> associating to the network.
>>
>> any thoughts on which is best for a small network ?
>
>"Open System" is actually no authentication at all. "Shared Key" on all
>WEP adapters (i.e before "Wireless Protected Access" - WPA and probably
>TKIP)

do i need a separate RADIUS server for WPA ?

On Fri, 30 Jul 2004 13:08:18 +0100, (E-Mail Removed) spoketh

>
>do i need a separate RADIUS server for WPA ?

Not if you pick WPA-PSK. That uses a Pre-Shared Key for authentication
and dynamic, negotiated keys for encryption.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"