Nov 06 2008

WPA broken?

Published by at 6:00 am under Encryption, Hacking, Security Advisories

I know I’m cynical, but when I start seeing headlines about this encryption technology or that wireless technology being broken, I have to wonder if it really is or if just a small portion of it was cracked. After all, it was reported a few weeks ago that Elcomsoft had broken WPA, but when George Ou did the math, it didn’t really affect anyone in the real world.  So when I read this morning that WPA has been broken, I have to take it with a grain of salt until the actual research is released.  Did they really break it or did they break WPA under a special set of circumstances?  Will this be usable in the real world?  Do I even care (by which I mean, will it affect me)?

The good news is, even if this is a real crack of WPA, the researchers are stating that WPA2 is still secure.  Until someone figures out how to work around that encryption scheme as well.



5 Responses to “WPA broken?”

  1. kurt wismer on 06 Nov 2008 at 7:28 am

    in cryptography (and therefore also in wireless security) any attack that is significantly better than brute force is the beginning of the end for the algorithm in question because attacks only get better with time… md5, for example, was deprecated in the mid 90s after only finding pseudo-collisions…

  2. George Ou on 06 Nov 2008 at 10:57 am

    There’s no difference between WPA and WPA2 in terms of authentication mechanisms.

    Heck, there’s no difference in WPA and WPA2 in encryption mechanisms either except WPA makes AES optional for certification.

    These guys are just blowing smoke.

  3. George Ou on 06 Nov 2008 at 11:05 am

    Ok, I misread. They significantly weakened TKIP encryption further, so this is different from the previous story which was a brute force dictionary attack on the Pre-Shared Key. This however does not necessarily break WPA, since AES is a feature in most WPA certified devices. Only the earlier WPA certified devices going back before 2004 were unable to use AES.

    TKIP was always known to be a stopgap measure in the encryption community and this research simply proved that prediction right. My worry is that people have the knee jerk reaction that all encryption, including 3DES or AES, is this weak when it simply isn’t true. The lesson here is that if you used strong encryption to begin with, you wouldn’t have these problems. Now if you’re running TKIP, it’s time you upgraded to AES encryption. WPA certified devices most likely have AES capability while WPA2 certified capability guarantees that capability.

  4. Kostas P. on 07 Nov 2008 at 6:35 am

    According to a post in slashdot which links to an arstechnica article, only ARP and generally small packets can be decoded. TKIP is not yet considered cracked as large packets are still safe.

  5. Martin on 07 Nov 2008 at 6:39 am

    I knew I was right to be a bit cynical about this. The bad part is that even if WPA isn’t broken, this is the first crack in its armor and an indication that it probably will be broken in the next couple of years anyway. Time to start looking at upgrading all your wireless equipment to use WPA2 and be ahead of the curve.
