Monday, May 11, 2009

First results and thoughts on WPA security

I have spent the last few days reading about and playing around with the various tools available for cracking WPA, and here is what I came to.

Contrary to the "hype", WPA is not cracked the way WEP was.
No "fatal" design flaw has been found that can be exploited to get access to your Wi-Fi network.
The *current* and *known* (there is no way to emphasize this more) ways of getting access to a WPA-protected network are the "old" ways: dictionary and/or brute-force attacks and "rainbow tables".
That being said, the "weak link" in your WPA security is actually your chosen password.
If your password can be easily "guessed" (8-character passwords made of numbers (e.g. birth dates) or known words like "/dev/null" :) then you might get into trouble if someone targets you.
Another thing I realized is that by hiding your ESSID you are actually becoming an easier target for an attack.
This has to do with the fact that your ESSID is actually part of the key, and the empty ESSID is in the top 10 of ESSIDs that people have pre-calculated rainbow tables for.

So to make your WPA Wi-Fi more secure, do the following:

1) Select a unique ESSID, so an attacker could not use a ready-made rainbow table and would have to recalculate the PMKs, and that can take some time, even with the help of Pyrit and some serious hardware.

2) Try to select a random password at least 20 characters long.

3) Switch to AES instead of TKIP.

2 comments:

yungchin said...

Thanks for the interesting information. Do you have any pointers for further reading? I'd be interested to learn how exactly they mix the essid into the passphrase scheme. Thanks!

skoroneos said...

The ESSID is used as the salt to the PBKDF2 hash function.
The Pyrit author has some info on the subject:
http://pyrit.wordpress.com/the-twilight-of-wi-fi-protected-access/

Also, Wikipedia has some info and interesting links:

http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
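As an added example (not part of the post or the comments above), the following Python shows the key derivation the post's rainbow-table argument and the comment's "ESSID as salt" remark both rely on: the WPA/WPA2-PSK Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, so a PMK table precomputed for one ESSID is useless against any other. The ESSIDs, candidate list and network names in it are constructed sample data, not values from the page.

```python
import hashlib

# IEEE 802.11i passphrase-to-PSK mapping:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK. The ESSID is the salt, so it binds the key to the network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def precompute_pmk_table(ssid: str, candidates) -> dict:
    """The post's 'ready-made rainbow table': PMKs computed ahead of time for ONE ESSID.

    Every entry costs 4096 HMAC-SHA1 rounds, which is the work an attacker wants to
    avoid repeating; that is exactly what a unique ESSID forces them to do."""
    return {wpa_pmk(word, ssid): word for word in candidates}


def table_transfers(table: dict, observed_pmk: bytes) -> bool:
    """True if a precomputed table already contains the PMK a network actually uses."""
    return observed_pmk in table


# Constructed sample data (hypothetical names, not from the page).
COMMON_SSID = "linksys"            # a name that appears in many precomputed tables
UNIQUE_SSID = "ElysianAcres-7f3"   # the post's advice: a unique ESSID
CANDIDATES = ["password", "12345678", "19800101"]
WEAK_PASSPHRASE = "19800101"       # the post's example of a guessable 8-digit date


def demo() -> tuple:
    """Returns (table hits the common-ESSID network, table hits the unique-ESSID network)."""
    table = precompute_pmk_table(COMMON_SSID, CANDIDATES)
    hit_common = table_transfers(table, wpa_pmk(WEAK_PASSPHRASE, COMMON_SSID))
    hit_unique = table_transfers(table, wpa_pmk(WEAK_PASSPHRASE, UNIQUE_SSID))
    return hit_common, hit_unique


if __name__ == "__main__":
    print("PMK for ('password', 'IEEE'):", wpa_pmk("password", "IEEE").hex())
    print("table reuse (common ESSID, unique ESSID):", demo())
```

The `('password', 'IEEE')` pair is the published IEEE 802.11i test vector, so the first line of output can be checked against the standard; the second line shows that the same weak passphrase is found instantly under the common ESSID and not at all under the unique one, which is the post's recommendation 1) in code.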