Monday, November 10, 2003

A Weakness Reported in the WPA Security Protocol

Robert Moskowitz, a senior technical director at ICSA Labs has published paper reporting that some implementations of Wi-Fi Protected Access (WPA), can be compromised through a dictionary or brute force attack.

For those of you who don't know what WPA, its a new standard for data encryption on Wi-Fi networks. The WPA specification uses passwords to act as the keys that encrypt the network's communications. The specification allows for two types of key management: pre-shared keys, where everyone uses the same pass phrase; and managed keys, which use a server to assign a different keys to each user.

The new attack only effects the pre-shared key management, and only if the person who implement the key uses an easy to guess password. The cryptography doesn't have known issues like WEP encryption, but like any system that uses passwords it is suitable to dictionary attacks. The way you can prevent this problem is just by choosing a long (20 characters or more) password that is not easy to guess, and doesn't contain words that are in the dictionary. For example: 'H3ll0W0rlD;Th1s1sAT3sT:Buy4Now'

What Moskowitz found is not ground breaking, but it does make a point that we have to be careful about the passwords we choose for anything, because they can be guessed with enough computing power and time.

No comments: