WPA real life security ?

  #1  
Old 11-17-2005, 02:57 PM



Hi!

This is my first post about WLAN and I'm not sure if this is the
correct group. Is it ?

OK, to the topic:
A guy claims that "any kid, who masters Linux, can crack WEP and WPA"
(translated by me to English).

I know WEP can be cracked in minutes, but WPA ?
If WPA-PSK is used, with a non-trivial passphrase, can it be easily
cracked ?
In real life, not in theory ?

AFAIK, WPA-PSK with a good pass provides very good security, so that
guy's claim confuses me :-)

Regards,
David Balazic



david.balazic@hermes.si
  #2  
Old 11-17-2005, 05:04 PM
John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <(E-Mail Removed) .com> on 17 Nov 2005
06:57:19 -0800, (E-Mail Removed) wrote:

>A guy claims that "any kid, who masters Linux, can crack WEP and WPA"
>(translated by me to English).
>
>I know WEP can be cracked in minutes, but WPA ?
>If WPA-PSK is used, with a non-trivial passphrase, can it be easily
>cracked ?
>In real life, not in theory ?
>
>AFAIK, WPA-PSK with a good pass provides very good security, so that
>guy's claim confuses me :-)


You are correct. That guy is misinformed.

--
Best regards, FAQ FOR CINGULAR WIRELESS
John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
MY HELP FOR CINGULAR GSM & SONY ERICSSON PHONES:
<http://navasgrp.home.att.net/#Cingular>
  #3  
Old 11-17-2005, 10:03 PM
David Taylor

> A guy claims that "any kid, who masters Linux, can crack WEP and WPA"
> (translated by me to English).

Incorrect. No need to master Linux.

Just download a live CD with all the tools pre-loaded and follow the
online tutorial.

> I know WEP can be cracked in minutes, but WPA ?
> If WPA-PSK is used, with a non-trivial passphrase, can it be easily
> cracked ?


No

> AFAIK, WPA-PSK with a good pass provides very good security, so that
> guy's claim confuses me :-)

Ask him to point a Linux master at your network and see how they get
on...
  #4  
Old 11-18-2005, 03:19 PM
david.balazic@hermes.si

You mean :
- he can crack it in his lifetime
or
- he could crack it in 100 billion years, if he lived that long
?

Later he also said interesting things like :
- by hammering UDP port 27xxx on some Linksys systems with older
firmware, they would eventually "crack" and send out all the settings
and codes !??
- it is supposedly possible to get on the WLAN for a second, before
the AP "notices" that you don't belong there, and in that short time
you "can get in"

(I think he talks mostly about firmware bugs, but that does not mean it
shouldn't be taken seriously)

Regards,
David

  #5  
Old 11-20-2005, 04:59 PM
tim

Because WPA-PSK has some weaknesses, you should follow these guidelines to
be truly secure:

a. Pick your key carefully: Don't use words that can be found in the
dictionary or common names, even if you change O's to zeroes, and I's to
ones. Try to use a combination of nonsense sounds, digits and punctuation.
b. Make sure your key is at least 20 characters long (not including blank
space).
c. If you give anyone else access to your wireless network, change your
key after they are gone. The key you gave them stays on their computer - and
could be retrieved by a hacker.
d. To be as safe as possible, change your key every few months.
e. Enable AES encryption if your equipment supports it. TKIP encryption
does not provide as strong protection from eavesdroppers.


  #6  
Old 11-20-2005, 05:11 PM
Bert Hyman

In news:dlqa1q$sll$(E-Mail Removed) "tim"
<(E-Mail Removed)> wrote:

> b. Make sure your key is at least 20 characters long (not including
> blank space).


How long can the key be? I just checked and at the moment mine's 62
characters long.

I make my keys by opening up a text editor and more or less randomly
banging on the keyboard, making sure to hit the shift key from time to
time and to get some special characters thrown in too.

--
Bert Hyman St. Paul, MN (E-Mail Removed)
  #7  
Old 11-21-2005, 01:05 AM
John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <dlqa1q$sll$(E-Mail Removed)> on Sun, 20 Nov 2005
16:59:38 +0000 (UTC), "tim" <(E-Mail Removed)> wrote:

>Because WPA-PSK has some weaknesses, you should follow these guidelines to
>be truly secure:
>
>a. Pick your key carefully: Don't use words that can be found in the
>dictionary or common names, even if you change O's to zeroes, and I's to
>ones. Try to use a combination of nonsense sounds, digits and punctuation.
>b. Make sure your key is at least 20 characters long (not including blank
>space).


That's overkill. If you're going to use random characters, 12 is sufficient.
With more than 20 characters, actual words are safe to use.

>c. If you give anyone else access to your wireless network, change your
>key after they are gone. The key you gave them stays on their computer - and
>could be retrieved by a hacker.
>d. To be as safe as possible, change your key every few months.
>e. Enable AES encryption if your equipment supports it. TKIP encryption
>does not provide as strong protection from eavesdroppers.


TKIP is not encryption -- it's Temporal Key Integrity Protocol.
Standard WPA encryption is by 128-bit RC4, which is still considered quite
secure.

--
Best regards, FAQ FOR CINGULAR WIRELESS
John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
  #8  
Old 11-21-2005, 01:07 AM
John Navas

[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <Xns971471E743EA2VeebleFetzer@216.250.184.7> on 20 Nov 2005 17:11:32 GMT,
Bert Hyman <(E-Mail Removed)> wrote:

>In news:dlqa1q$sll$(E-Mail Removed) "tim"
><(E-Mail Removed)> wrote:
>
>> b. Make sure your key is at least 20 characters long (not including
>> blank space).
>
>How long can the key be? I just checked and at the moment mine's 62
>characters long.


That's almost the max. (Not all implementations can be that long.)

>I make my keys by opening up a text editor and more or less randomly
>banging on the keyboard, making sure to hit the shift key from time to
>time and to get some special characters thrown in too.


With random characters, 12 are sufficient.

I use the password generator in Password Safe, which is highly regarded.

--
Best regards, FAQ FOR CINGULAR WIRELESS
John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
  #9  
Old 11-23-2005, 05:59 PM
tim

Well, it's only logical: make sure it's at least 20 characters long, so you make
a key anything from 20 to the exceeding number if you wish. But it's
suggesting just do one with 20, and if you want to do a different one, make
sure it starts from 20 characters long.


  #10  
Old 11-24-2005, 12:19 AM
Bert Hyman

In news:dm2alu$oru$(E-Mail Removed) "tim"
<(E-Mail Removed)> wrote:

> Well, it's only logical: make sure it's at least 20 characters long,


But does the standard specify a maximum length? A minimum length?

--
Bert Hyman St. Paul, MN (E-Mail Removed)
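
On the length question raised in the thread, an added example (not part of any post): IEEE 802.11i accepts a WPA-PSK passphrase of 8 to 63 printable ASCII characters and turns it into the 256-bit key with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. The function names, the 94-symbol generator alphabet and the sample inputs are assumptions of this sketch.

```python
import hashlib
import math
import secrets
import string

# IEEE 802.11i passphrase rules: 8..63 characters, each printable ASCII (32..126).
# (A 64-hex-digit value is instead taken as the raw 256-bit key and is not handled here.)
MIN_LEN, MAX_LEN = 8, 63
# Generator alphabet (assumption of this example): printable ASCII without the space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError if the passphrase is outside what WPA-PSK accepts."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError(f"length {len(passphrase)} not in {MIN_LEN}..{MAX_LEN}")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    validate_passphrase(passphrase)
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_passphrase(length: int = 20) -> str:
    """Uniformly random passphrase drawn from ALPHABET with a CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase; not valid for human-chosen text."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample input: passphrase "password" on SSID "IEEE".
    print("PSK:", derive_psk("password", "IEEE").hex())
    for n in (8, 12, 20, 63):
        print(f"{n:2d} random chars -> {entropy_bits(n):6.1f} bits")
    print("generated:", random_passphrase(20))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network.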

All times are GMT.