Elcomsoft is claiming that the WPA protocol is dead, just because they can speed up brute-force cracking by 100 times using a hardware accelerator. Why exactly is this news? Yes, weak passwords are weak—we already know that. And strong WPA passwords are still strong. This seems like yet another blatant attempt to grab some press attention with a half-baked cryptanalytic result.
I don’t know how exactly WPA works; but doesn’t this kind of brute force attack require a session-less protocol. Isn’t it like cracking passwords when you have /etc/shadow vs brute forcing a telnet server. What about WPA with a Radius backend (how is this called again), where it is trivial to implement delays on authentification?
sooth sayer • October 14, 2008 7:52 AM
Isn’t the overall security the goal.
If a protocol succumbs to simplistic hacks – it’s a flaw of the protocol and not only of the “weak passwords”.
PAul • October 14, 2008 7:59 AM
I was always wondering: can people in my WPA(2)-encrypted network encrypt my the connection between my laptop and the wifi-router?
In other words:
Alice and Bob are talking to each other WPA2 protected. Charlie is on the same network. Can he decrypt/read their conversation?
HumHo • October 14, 2008 8:13 AM
I read something about that some scientists in Europe have come up with a practical quantum encryption scheme.
Would it be possible to use the mechanism (that creates the quantum encryption keys) to crack passwords / hashes?
The fact is, that demands on the strength of a password is EXACTLY like depending upon obfuscation at the algorithm. Using a ho-hum system and then telling users it won’t work as well UNLESS they use strong passwords and change them often is EXACTLY like using secret algorithms, except no one wants to say this. It is an inherent weakness in the design of all these systems and everyone just keeps waving their hands in the air trying to keep the focus on the beauty of an underlying algorithm.
Who would buy a lock for their door, if the manufacturer said for it to work best you have to have new keys cut every 12 hours from a particular alloy, and if you do not the lock becomes easily bypassed? I mean who in the world would buy such a lock? That’s what’s going on here.
Then others could actually write columns in magazines explaining how people are the weak link and everyone is so stupid and lazy and didn’t get new keys cut every 12 hours and that’s why their house got broken into. Then manufacturers could hold seminars bragging about how strong their locks were, just so long as you didn’t pay too much attention to the demands on YOUR responsibility to have new keys cut every 12 hours from a special alloy.
Brian • October 14, 2008 8:39 AM
@PAul
If you’re using WPA2 “Personal” (preshared key), yes, Charlie can decrypt Alice and Bob’s traffic (if he captures the handshake at the start of their session). For security from everyone else on the WLAN, you need to be using some sort of EAP authentication (the “Enterprise” flavors of WPA/WPA2) to set up individual keys.
skittles are delicious • October 14, 2008 8:41 AM
@HumHo
quantum cryptography is not a type of cryptography per se; it depends on claims in the realm of physics. Since physics is a developing field, we really cannot know if information sent in this manner can be intercepted without detection. QC will never be secure unless physics answers all related questions and solves all related physics problems (and there would be no way to know when that point was reached).
I wish someone like Phil Zimmerman would work on an open source protocol for network security, to replace wpa.
Sid • October 14, 2008 8:52 AM
Some facts:
First – It is about breaking PSK authentication, clearly nothing related to RADIUS/EAP. Therefore, announces and articles fail to draw a clear line there. On purpose I think.
Second – We already know for long time that WPA(2) PSK can be attacked by dictionary, and it has always required only a few packets, i.e. one 4-way handshake authentication. WEP does need a bunch of packets to be broken, not WPA-PSK.
Third – Breaking WPA-PSK is deadly slow compared to MD5 or NTLM hashes because it involves 8192 SHA1 rounds (see PBKDF2 function). Aircrack on a Xeon runs at 650psk/s. On a GTX280, we can reach 12000psk/s[1] pretty easily. Elcomsoft does not give any figure, they just say “x100 compared to CPU”, which is pretty vague.
Fourth – Even if we round their performance at 100k psk/s, just covering the full 8 chars only keyspace will take a couple of years to say the least 🙂 so when they speak of bruteforcing, just try to compute the time they need…
kyprizel • October 14, 2008 9:14 AM
Elcomsoft just re-invented the wheel:
hxxp://code.google.com/p/pyrit/
Password spaces almost always are limited by byte to keyboard characters which represent less than half of all ASCII.
When users cannot choose “ó╗·•ö▼” as a password or username then it’s
it’s ~92^L, not 256^L. Big difference.
BTW if we’re not talking humans, then they’re not passwords. They’re something else.
Carlo Graziani • October 14, 2008 9:35 AM
Anyone know whether the 802.11 folks are working on a successor to WPA? Third time being allegedly the charm…
David • October 14, 2008 9:44 AM
“S” is right: we can’t rely on constantly changing strong passwords for security. At my house, the wireless router exists to serve two iPhones, a Wii, a laptop running Linux, and whatever my guests bring. The iPhone and Wii are wonderful devices for what they do, but neither is designed to have strong passwords entered frequently.
Therefore, if I’m going to have a router that’s both secure and worth having around, it needs to have some way of discouraging brute-force attacks. Perhaps a limit on the number of password verifications per unit time. Perhaps an active process, whereby a new device would ask for access and I’d grant it (we don’t add new devices very often).
Currently, my policy is that I don’t care much about bandwidth leeches if they don’t interfere with me, and I run Wireshark now and then to see what’s going on. Does anybody have a better idea?
Carlo Graziani • October 14, 2008 9:57 AM
Yeah, why did they use passwords in this protocol, anyway? Would it have been too expensive to have client send a public key to the access point, which caches it and returns a session key, which is refreshed every N minutes? That wouldn’t handle authentication per se, but at least it would secure the channel.
Authentication seems to be something that WEP did better than WPA, at least in PSK mode. At least users didn’t get a chance to reduce the entropy.
Rex • October 14, 2008 10:24 AM
As far as 802.11 folks working on a successor,
the 802.11s “mesh networking” group has a
PSK-based protocol that is resistant to
dictionary attack. It’s specific to one mesh
point authenticating to another mesh point.
No word yet on whether that will become
another way for a client to authenticate with
an AP though. It would be nice!
Mikey • October 14, 2008 10:50 AM
@S:
Actually, if you look at the strength of typical consumer-grade locks, they DO require constant re-keying to remain secure. An attacker could ‘brute force’ most pin tumbler locks with relative ease and the only way to keep him out once he discovered the keying of your lock is to rekey. To extend the analogy you started, the strength of the lock is a function of the number of pins and the number of possible pin heights. Most locks have, what, 5 to 7 pins? I have no idea how many possible pin heights there are but even with 10 possible pin heights there’s a total of 70 possible key configurations for the lock. How long would it take an attacker to try 70 keys? (And it would take even less time if the attacker just used lock picks to get in.)
Another Kevin • October 14, 2008 11:02 AM
@Mikey: 10 pin heights and seven pins gives 10⁷ (10,000,000), not 70, possible combinations. (Which is meaningless when you can open the lock with a bump key or pick it in seconds.)
Thomas • October 14, 2008 11:05 AM
Setting up a quite secure WLAN network at home is imho not so difficult…
1.: Choose another name for the network than ‘linksys’ or whatever the standard name is, since it is used for the key. Probably something like
‘mywirelessblabla@temporaryforwarding.com’ — so one can easily be contacted (without fearing spam) if there are channels overlapping or so.
2.: Choose a reasonable password with ‘enough’ random characters (>20). I have stored it on an old usb-drive so ‘distribution’ is pretty simple 😉
Frank B. • October 14, 2008 11:23 AM
@S, @Carlo Graziani
“Would it have been too expensive to have client send a public key to the access point, which caches it and returns a session key, which is refreshed every N minutes?”
Yeah, if only there was a way:
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#EAP_extensions_under_WPA-_and_WPA2-_Enterprise
UNiHacker • October 14, 2008 11:26 AM
You could also use MAC filtering which would only allow cards with certain mac addresses to connect. That could secure things up a bit more. It just amazes me that WEP is pretty much a no brainer, and now WPA brute force could eventually be the same depending on password strength.
sooth sayer • October 14, 2008 11:29 AM
@S
Bit are bits ..
You don’t need all 8 bits to be random .. You can always add another two keys (chars) and get more randomness to the password.
Carl "SAI" Mitchell • October 14, 2008 12:29 PM
So, just generate a secure, 64-character key with keepass or some similar rng, and use that. Don’t use the little “password” thing in the firmware, use the actual key. Unlike businesses houses tend not to have a large insider threat.
There is no good reason to use anything under the maximum length allowed by your router. Keep the key on a usb drive, so you can plug it in and copy it to new computers you need to give network access.
For larger networks, use RADIUS/EAP.
@UNiHacker
MAC filtering is useless. almost all network card drivers let you change the mac in the settings. Since you can observe the authentication handshake you will know a working MAC, and can use that. (forcing the legitimate computer offline, or waiting for it to go offline.)
@sooth sayer – not sure if you are thinking about salting here or not. All salting does is prevent the attacker from just searching a list for the password. It doesn’t expand keyspaces. It forces the attacker to perform the calculation each time an attempt is made, and this greatly expands the effort required to guess a password.
Merely attaching randomness to a password makes no difference. It’s just tacking on ballast. If password characters were limited to “A” and “B”, what difference would it make if you appended a lot of random characters to each? There are still two possible characters and the fact you represent each by something bigger is useless.
If the random additions were made automatically, which I think you are proposing, how would the system know the difference between George’s “A”
(internally “Asay89rawiovijnijahu”) and Janet’s “A” (internally “At740qyutoinckjnxh&”)??
Sure, the number of possible strings expands, but the choices are also proportionately fewer of those possible.
00-12-3F-60-D1-9E • October 14, 2008 1:00 PM
Anyone who proposes MAC filtering has never run a sniffer on a wireless network.
A nonny bunny • October 14, 2008 1:29 PM
@S
I think sooth sayer might be suggesting that as long as you pick enough extra characters, you can increase the “key-space”. After all 256^8 < 96^10.
And frankly, I’d much rather remember two extra normal characters than some weird characters I can’t even name.
Lengthening the password is far more effective than increasing the range of different characters.
If people need to write their password down in order to remember it, it’s not secure.
John • October 14, 2008 1:54 PM
Requiring a complex password is NOT equivalent to having a secret algorithm. We’re talking about encryption here. When OpenSSH in Debian generated one of 65000 keys, we had a 16-bit encryption key. If your password is one of 500 dictionary words, you have a weak password.
Your algorithm is flawed if I can recover the password without guessing it from scratch every time– for example, if I guess “doorman” and the password is “d00rman”, and I know I’m “close,” then there’s a flaw. If I can derive exactly that I’m right or wrong, then the algorithm works.
A password is a key. We rely on keeping the key secret. Live with it.
Sid • October 14, 2008 3:53 PM
@Carlos: “Authentication seems to be something that WEP did better than WPA, at least in PSK mode.”
Are you kidding ?!
WEP authentication scheme is awfully crippled. It is not mutual, as client has no way to authenticate AP, and is vulnerable to a known plaintext attack, even choosen plaintext if you face a rogue AP.
This means that first your authentication is useless and counterproductive, to the point most access point does not use it, even if WEP is activated (WEP network, open authentication).
See “Your 802.11 Wireless Network has No Clothes”, March 2001, http://www.cs.umd.edu/~waa/wireless.pdf
Clive Robinson • October 14, 2008 4:25 PM
@ HumHo, skittles are delicious,
“quantum cryptography is not a type of cryptography per se; it depends on claims in the realm of physics. Since physics is a developing field, we really cannot know if information sent in this manner can be intercepted without detection. QC will never be secure unless physics answers all related questions and solves all related physics problems (and there would be no way to know when that point was reached).”
Quantum Cryptography is realy a “theoretical solution” looking for a “practical problem” to solve and failing entirly.
In theory it alows two parties (Alice and Bob) to establish a “One Time Pad” that they can then use on a different insecure channel.
It does this by (supposedly) sending single photons down a fiber optic cable between Alice and Bob. If Eve or other ill doer taps the cable then the fact should be detectable by Bob.
In practice however it is not single photons but a small number that are sent to overcome cable loss. Which means that “partial taps” like “hair pin bends” close to Alice stand a chance of working.
Further the theoretical system does not consider side channel leakage of polariser position.
For instance if the photons you generate for QC are for arguments sake in the visable spectrum, your polariser is still going to work for near infered which could be generated by other parts of the circuit. Eve then only has to tap off the near IR and watch it’s polarisation changes to determin the polariser’s state.
Likewise the electromechanics used for the polariser are very likely to have a current or noise signiture that is an acurate indicator of either it’s state or when it changes state. This could leak out in any maner of ways (TEMPEST / TEAPOT / etc).
Then there is the question of “quantum entanglement”. It is not easy to generate single photons and when more than one is generated it is difficult to stop entanglment. If Eve could detect stray entangled photons then it’s game over on the theoretical security.
Also QC is not very practicale, it only works for fixed point to point communication between two entities that trust each other which realy limits the number of applications for which it is appropriate.
There is a whole bunch of other “practicle problems” to consider as well, such as the type of random number generator used by Alice to control the polariser. If you look back in previous blog pages you will find where I and others have posted them.
Don’t expect to see QC systems near you any time soon…
peri • October 14, 2008 5:32 PM
@Clive Robinson: “Don’t expect to see QC systems near you any time soon…”
Quantum encryption and the weakness of European science
“The group demonstrated a robust, ready-for-commercialization set of quantum cryptography units. These were already packaged into typical 19-inch racks that use standard fiber optic and electronic interfaces. In other words, all your encryption technology is right there, ready to go.”
Colin • October 14, 2008 7:14 PM
What about “rolling” keys in WPA? My router comes with an option to change the key every xx minutes.
And afaik QC requires a second channel to exchange polarizer settings and trivially breaks to a MITM attack, so it only protects agains passive listeners.
David • October 15, 2008 8:38 AM
I like the idea of the long key on the USB drive, except that I don’t see how it will help me with the iPhones and Wii.
Does anybody have suggestions on how to use strong passwords with those without tremendous hassle, or do I continue to give up on real security?
Clive Robinson • October 15, 2008 9:06 AM
@ peri,
Nice to speak to you again how are you getting on with the ring?
With regards to,
“The group demonstrated a robust, ready-for-commercialization set of quantum cryptography units.”
Yes I’m aware there are comercial units out there and I actually had the chance to have a play with one and some test kit and well…
My point was that the “point to point” nature on a “single uninterupted” optical fiber giving it at best 50KM or so range, and that you needed 100% authentication on the secondry channel (the one where Alice and Bob discuss their polariser settings) made the whole system extreamly specialised and only for a very very limited market.
That is it’s not a practical consideration for 99.9999% of people so it’s going to be so thin on the ground it’s virtualy going to be invisable 😉
If it was not for the range limitation my best guess for an ordinary comercial market for it would be for key distrubution on ultra high bandwidth point to point links. Where the quantity of data makes changing the symetric data encryption key very very frequently a must. And the logistics involved with transporting the quantity of keymat required somewhat prohibitive.
Likewise the non comercial market appears to be abit limited as well.
As I said it realy is a “theoretical solution” looking for a “practical problem” it can solve, at least as well if not better than existing “practical solutions”…
mat • October 15, 2008 12:53 PM
Wps [1] should be present on new device. This should help to get strong wpa passkey without the trouble of entering them by hand on embedded devices like phone.
Robert Sponge • October 15, 2008 1:09 PM
There is no security in this world. i was told that even quantum encryption scheme are being cracked ? Is this true ?
Jason • October 15, 2008 1:21 PM
I keep the plain-text and hex of my WPA PSK written down in a notebook and manually type it in each time I need to add a device to my home wireless network.
I have never put it in a text document, never stored it on a USB drive, and never emailed it.
The 24 character passphrase was “randomly” generated by my brain and manually typed into a converter to get the 64-digit hex equivalent.
I use the hex if the system allows it, otherwise, I use the plain-text.
I also use TKIP. I considered putting up a RADIUS server but considered it overkill for two people and only two wireless systems.
Clive Robinson • October 16, 2008 6:18 AM
@ Robert Sponge
“… quantum encryption scheme are being cracked ? Is this true ?”
Depends on what you mean by “scheme” and “cracked”?
There have been several attacks against “Quantun Cryptography” that would work against a non “ideal system” (ie a practicle implementation).
However the basic idea is somewhere between “not proven secure” or “not yet broken”, depending on your view point.
Issue 1, Is a single photon secure?
Well it’s a fundemental idea of quantum mechanics that it is. Which is relied upon in the original QC “ideal system” model.
However sombody came up with an idea to attack it mathmaticaly, so they moved on to using pairs of entangled photons….
Issue 2, Is the secondary channel usage secure?
Alice and Bob use a secondary Shanon channel to tell each other the state of their polariser information.
The QC “ideal system” model assumes that in the secondary channel Alice and Bob can,
A, 100% authenticate each other, and
B, that no information usefull to an evesdropper is communicated.
Both of these realy are nothing more than assumptions as they are very very implementation dependent and to put it bluntly we do not know enough to say (oh look is that a “black swan” trying to fly)….
Issue 3, Is the polariser state selection method secure?
The QC “ideal system” model assumption is that this is 100% non determanistic.
Well in a practical system this gives some very real issues to do with speed and reliability amongst other things.
Now if we assume that due to some problem (ie Eve’s intervention or a fault) the method becomes not only determanistic but also predictable to an evesdropper does this give an opening for an active attack?
The answer to this is a very nervous we don’t know but we hope not (is that a “black swan” I see flying befor me?)….
Issue 4, Can Alice and Bob reliably detect an attack in the primary channel?
Again in the QC “ideal system” model the assumption is based on Alice and Bobs ability to do statistics…
In practice however there is a problem (is that an elephant in the room?).
Put simply even if there was no tampering with the primary channel the laws of physics dictate that not all of the photons Alice sends will get to Bob.
Therefore at some level an eveadropper will be able to hide in the noise that the statistics will average out
Could such an invisable attacker gain usefull information. It’s very implementation specific so again a very nervous “we hope not”…
Issue 5, Can you 100% say only a single photon will be sent by Alice?
In the QC “ideal system” model yes, however in practice it’s determanistic, and that means you have three states that Alice might be in for every exchange,
A, No photon sent.
B, A single photon sent.
C, Two or more photons sent.
In a practicle implementation state C is probable for a whole host of reasons….
Issue 6, Is the receiving system for the primary channel secure?
In the QC “ideal system” model yes.
However a real system needs to use photomultipliers and these are problematic to use at the best of times due to the fundemental way they work…
Some real systems are therefore broken due to design / implementation issues around the photomultipliers.
like blinding the photomultipliers with out of band pulses, or other EM fields….
With a little thought you will see that issues 2/3/4/5/6 give an attacker a whole lot of room to play in when not in the QC “ideal system” model. And there are other issues as well…
Which is why there have been attacks against real QC systems, but they usually have had fairly simple solutions to resolve them.
Finaly Issue 1 is the biggie on which the security of the whole idea 100% relies.
Quantum physics is all about mathmatical modeling with probability and theory not about reality (whatever that might be). Dear old Albert amongst others got very upset about it and spoke for God’s recreational habbits.
It’s also why you occasionaly hear experimental physisists making comments such as “card carrying member of the shut up and calculate club” about their theoretical quantum counterparts.
The rub is this nobody can say honestly that it is secure simply because our quantum model tells us it is not possible to know, we simply belive it is so on faith and one heck of a lot of experimental data 😉
However history shows that our world view changes due to our improved understanding. There is a sort of joke about teaching physics in that you “get taught one lie after another each geting closer to the truth”.
Quantum Pyhsics is less than 100 years old and who knows when somebody is going to “take a walk in the park” and come up with another principle that will rock the world of physics as Heisenburg did one cold winters evening. In theory it could happen any time but is it probable 😉
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Charlie • October 14, 2008 7:14 AM
To be fair, the actual software is pretty awesome (even if the press releases aren’t). I’ve observed a roughly 10x speed increase on NTLM hashes using a Geforce 8800GTX, which is pretty neat on (relatively) cheap commodity hardware.