14

I know that WEP traffic can be "sniffed" by any user of the WIFI.

I know that WPA/WPA2 traffic is encrypted using a different link key for each user, so they can't sniff traffic... unless they capture the initial handshake. If you are using a PSK (preshared key) schema, then you recover the link key trivially from this initial handshake.

If you don't know the PSK, you can capture the handshake and try to crack the PSK by brute force offline.

Is my understanding correct so far?

I know that WPA2 has AES mode and can use "secure" tokens like X.509 certificates and such, and it is said to be secure against sniffing because capturing the handshake doesn't help you.

So, is WPA2+AES secure (so far) against sniffing, and how does it actually work? That is, how is the (random) link key negotiated when using X.509 certificates or a (private and personal) passphrase?

Do WPA/WPA2 have other sniffer-secure modes besides WPA2+AES?

How is broadcast traffic managed so that it is received by all the WIFI users, if each has a different link key?

Thanks in advance! :).

jcea

1 Answer

10

Your understanding is basically correct.

First I'd like to mention that if you know the PSK, or have a copy of the certificate, it's basically game over. Cracking the session key is cryptographically trivial if you've got that much information. If you don't have the PSK or cert you're left with brute force, as you mentioned.

Certificates are just as "easy" to brute force as PSKs, except that certificates are usually longer. A sufficiently long PSK works just as well however (for practical purposes). Also cracking RC4 is essentially as easy as cracking AES (for the purposes of NGOs).

You are however drastically underestimating the processing power required to crack a decently complex PSK. A PSK should be at least 12 characters long, using lower case, upper case, numbers, and symbols.

If you wanted to search all the possible keys up to 15 characters long (using all the aforementioned characters) you would have to search about 800 septillion keys. If your computer can calculate a billion keys per second it would take about 24 billion years to try them all.

Now after you get halfway through those keys, it's more likely than not that the next key you calculate will be the correct key; thus for the purposes of probable key cracking, you can chop that time in half.

Best get started now, you're going to be there a while. See also, Jeff's Post.

It'd be much easier to simply break into the person's house and beat the information out of them. (I absolutely do not condone, advocate, or suggest physically harming someone or threatening to do so)

With WiFi under WEP, everyone shares the same encryption key anyway, so broadcasts are no trouble. Under WPA/WPA2 a Group Transient Key (GTK) is given to each endpoint after the initial PTK (session key) is set up. Broadcasts are sent using this GTK so that all endpoints can decrypt them. In infrastructure mode endpoints aren't allowed to talk to each other directly; they always go through the AP.

Edit:
If you need to generate a good WPA password, here's a random password generator.

If you pick a weak dictionary-based passphrase, it can be cracked very quickly (<5 minutes) with an average modern laptop; it does however require the cracker to intercept the 4-way handshake when WPA is set up.

Edit2:
NGO = Non-Governmental Organization (i.e., typical corporations or mad scientists, people without the resources to build or use a top100 supercomputer to break keys, even if they wanted to).

Within WEP, WPA, and WPA2 there is no way to prevent legitimate users who can "hear" the two initial nonces from cracking the PTK. Another layer such as IPSec could be grafted over the top (in fact, IPSec could be used to replace WEP/WPA). WEP and WPA are not meant to ensure individual privacy. They are meant to make your wireless network as secure as a wired network (which is not very secure in the first place). While they aren't perfect, they meet this goal most of the time.

Chris S
  • A brute force attack on the PSK isn't really feasible for most organizations yet. Choose your passphrase to be hard against dictionary attacks. Do not underestimate the power of dictionary attacks. Choose a *hard* passphrase. – james woodyatt Jun 10 '10 at 02:49
  • I am worried about legitimate users sniffing each other's traffic, so they already know the PreShared Key. Also interested in the exact procedure to establish a link key when using an X.509 certificate, under WPA2+AES. Also interested in knowing if there are other modes besides WPA2+AES secure against sniffing from LEGITIMATE wifi users. Thanks for the effort. – jcea Jun 10 '10 at 08:38
  • Chris S, what is the "NGOs" you mention in the response? – jcea Jun 10 '10 at 08:42
  • Note that you may be confusing AES (a cipher) with what is commonly referred to as "Enterprise mode". In enterprise mode, the devices use an 802.1X authentication server for authentication instead of a pre-shared key. But this is independent of the cipher (TKIP or AES) used for encryption. – ctuffli Jun 10 '10 at 15:15
  • @ctuffli: correct, in "Enterprise" mode it uses 802.1x to encrypt the nonces during the 4 step handshake. But regardless of what is used to encrypt the handshake (PSK or 802.1x) if the attacker already has the key you're out of luck. If they don't have the key, brute forcing it is practically impossible. All 802.1x does is not allow you to pick an easily guessed key (for the purposes of securing an authorized user). – Chris S Jun 10 '10 at 19:09
  • @Chris S: Absolutely agree. I was trying to clarify that 802.1X isn't tied to AES, and that you could use 802.1X authentication with either the TKIP (not that you'd want to) or AES ciphers. – ctuffli Jun 11 '10 at 13:50