Feeds

Snag in next-gen Wi-Fi security unearthed

Down to weak passwords, again

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Security researchers have identified a potential security problem involving use of the Wi-Fi Protected Access (WPA) protocol, the second generation wireless LAN security standard.

Although WPA itself remains cryptographically secure, a method used for making the technology easier for consumers to use is susceptible to attack, according to a paper by Robert Moskowitz, senior technical director at the ICSA Labs division of TruSecure.

The issue involves the use of Use of Pre-Shared Key (PSK) as an alternative to 802.1X based key establishment, the approach preferred by corporate environments.

Pre-Shared Keying (PSK) is provided in the WPA and 802.11i standards to simplify deployments in small, low risk, networks. A PSK is a 256 bit number or a pass phrase eight to 63 bytes long.

Cryptographic weaknesses in PSK - particular when used in conjunction with simple pass phrases - mean attackers may be able to crack into systems through passive monitoring of wireless networks followed up by offline dictionary attacks. So the consumer-implementation of WPA is subject to the same kinds of shortcomings that afflicted the weak and broken WEP system, the industry's first (now rejected) stab at a security protocol for wireless networks.

Moskowitz's paper concludes: "The risk of using PSKs against internal attacks is almost as bad as WEP. The risk of using pass phrase based PSKs against external attacks is greater than using WEP.”

"Thus the only value PSK has is if only truly random keys are used, or for deploy testing of basic WPA or 802.11i functions. PSK should only be used if this is fully understood by the deployers," he adds. ®

Related Stories

New WPA wireless security on its way
Wi-Fi Alliance drives improved WLAN security
WLAN security is still work in progress
Tool dumbs down wireless hacking (AirSnort - WEP cracking tool)

New hybrid storage solutions

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Turnbull: NBN won't turn your town into Silicon Valley
'People have been brainwashed to believe that their world will be changed forever if they get FTTP'
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
Bonking with Apple has POUNDED mobe operators' wallets
... into submission. Weve squeals, ditches payment plans
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.