On Thu, 2006-04-27 at 15:54 -0400, Michael H. Warfield wrote:
> On Thu, 2006-04-27 at 21:21 +0200, Jurgen Kramer wrote:
> > I finally moved my wireless connection from WEP128 to WPA-PSK now that
> > NetworkManager supports it out-of-the-box in FC5. Although WPA works, it
> > only does so when a enable SSID broadcasting. Is this normal for WPA?
> > I'd really like to disable SSID broadcasting again.
>
> I can't speak to what NetworkManager does or doesn't do. I don't use
> it and don't care for it. I have noticed with wpa-supplicant, which
> NetworkManager uses, that I have needed to specify the expected SSID in
> advance in the ifcfg-{device} file for some networks. I presumed that's
> because of the SSID broadcast, or lack thereof. If I don't specify the
> SSID in advance, wpa-supplicant will grab whatever network is
> broadcasting an SSID that it knows about. If it can't see that
> broadcast poll, then it won't see the network is there to try and
> configure against it, and there you are. Preconfiguring an SSID in the
> WLAN card setup before firing up wpa-supplicate does seem to get around
> that.
>
> Couple of points...
>
> * WPA-PSK... I hope you configured a REALLY strong WPA-PSK password.
> For even respectable passwords (less than 20 characters) WPA-PSK may be
> easier to break than WEP128. An attacker only has to capture 4 packets
> for WPA-PSK (as opposed to a half a million or so for a reasonable
> WEP128 crack using aircrack or such) and they can then do an off-line
> brute force attack on the PSK.
>
> Robert Moskowitz, Senior Technical Director of ICSA Labs wrote this
> back in late 2003:
>
> http://wifinetnews.com/archives/002452.html
>
> > A passphrase typically has about 2.5 bits of security per character,
> > so the passphrase of n bytes equates to a key with about 2.5n + 12
> > bits of security. Hence, it provides a relatively low level of
> > security, with keys generated from short passwords subject to
> > dictionary attack. Use of the key hash is recommended only where it is
> > impractical to make use of a stronger form of user authentication. A
> > key generated from a passphrase of less than about 20 characters is
> > unlikely to deter attacks.
> >
> > The PTK is used in the 4-Way handshake to produce a hash of the
> > frames. There is a long history of offline dictionary attacks against
> > hashes. Any of these programs can be altered to use the information in
> > the 4-Way Handshake as input to perform the offline attack. Just about
> > any 8-character string a user may select will be in the dictionary. As
> > the standard states, passphrases longer than 20 characters are needed
> > to start deterring attacks. This is considerably longer than most
> > people will be willing to use.
> >
> > This offline attack should be easier to execute than the WEP attacks.
>
>
> Since you can "force" and active connection to an AP to "disassociate",
> you can force the client to reauthenticate so it's really easy to get
> those first 4 packets of the WPA-PSK authentication.
>
>
> * SSID broadcast. Why worry about not broadcasting the SSID? Turning
> off SSID broadcast is of no benefit, security wise. Kismet and other,
> similar, tools readily "decloak" networks which don't broadcast SSID, so
> you're not hiding much (you're not hiding ANYTHING, in fact). I've
> heard the argument that broadcasting the SSID is like having a welcome,
> open to the public, sign out front and not broadcasting is indicating
> that this is not a "public" access point. That argument only goes so
> far, though. The fact that you are encrypted is argument enough that it
> is not a "open" access point, for those who do not have the key.
>
> The other argument (and this goes both ways) is that not broadcasting
> the SSID removes that AP from the network list of "available" networks
> (say in Windows WiFi available networks list). Ok... Then you have to
> explicitly specify the SSID to being with. So, that relates back to
> your original question. Do you want your connections to your AP to
> autoconfigure or not? That's your choice to make.
>
> > This is with my laptop with a Intel IPW2200 and a Netgear DG834G
> > wireless router. I've also seen the same behavior when I tried using WPA
> > with a US Robotics router.
> >
> > Jurgen
Thanks for the insight, I will lengthen my WPA password a bit. WPA2
would probably the better option but it seem it is not supported yet?
Jurgen
> Mike
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
