May 23, 2010

Idle Threats – Wireless Security Misconceptions

There has long been a lot of confusion about the relative effectiveness of wireless security, even among the otherwise tech-savvy crowd. Last week, the other developers at work got into a conversation about wireless, and the typical dismissal of WPA and WPA2 was thrown into the mix as well. Simply put, this is wrong.

This attitude likely stems from the genuinely broken Wired Equivalent Privacy (WEP) standard. WEP uses the RC4 cipher, which over time has had an increasing number of weaknesses found, but that’s not really the primary problem with WEP. RC4 is a stream cipher, so it requires an initialization vector in order to produce proper pseudo-random results. WEP’s initialization vector is too short, and not sufficiently random, and this is the source of the most successful attacks. WEP can be cracked in a couple of minutes on an active wireless connection.

Wi-Fi Protected Access (WPA) is a protocol created to address the critical weakness in WEP. WPA required the use of the TKIP protocol for encryption, while WPA2 refers to WPA with the use of CCMP with AES for encryption. There have been proof-of-concept attacks against certain configurations of WPA with TKIP, due to issues somewhat similar to WEP’s, but to a much lesser extent. The short conclusion is that with key renewal times that are not short enough, a connection with TKIP could potentially be broken in about 12 minutes. Set a key renewal time of less than 12 minutes, and there is no issue.

Meanwhile, WPA with AES encryption (WPA2) has had no such proof-of-concept attacks and, with a sufficient password, remains perfectly safe.

There is also some confusion as to the nature of personal versus enterprise, as if having the distinction means one of them is insufficient. Enterprise is there for the use of an authentication server (RADIUS) such that user account-specific certificates are distributed. It’s irrelevant to the home or small business user, and it’s not a concern for safety.

Perhaps it’s a bit naive, but I do believe we can, with dedication and sacrifice, keep our mouths shut unless we know what we’re talking about. Someday, someday…

