perbj at stanford.edu
Fri Nov 5 17:51:55 UTC 2004
On Fri, 2004-11-05 at 08:30, Dan Williams wrote:
> > Shared Key auth is worse than no authentication/encryption at all.
> > Anyone with a clue will be using Open System. I don't think we should
> > put too much effort into making Shared Key easy to use.
> Why is it so much worse?
Basically, apparently you can crack the encryption just by listening in
on the handshake (as far as I have understood you get the plaintext
challenge going across in one direction and then the same thing
encrypted sent in the other direction - an absolute boon for code
cracking, since WEP apparently is sensitive to known-plaintext attacks)
instead of having to process many GB of data (well, you might not need
that much for the 40/64-bit version, but 128-bit WEP does take a fair
bit of data collecting to crack as far as I have understood).
> Also, did you read my explanation of how its much much harder with Open
> System to figure out if the WEP key is wrong? That's the big sticking
> point here. If we can't automatically detect whether the WEP key is
> wrong or not (and waiting 30s for a failed DHCP certainly isn't
> "automatic"), then we might as well not even try to improve on the
> current system-config-network.
I totally disagree with you here, I think that getting quick feedback on
whether the WEP key you typed in (once!) is an utterly minor feature
compared to automatic network switching to work once you have plugged in
the right WEP key.
Seriously, don't take everything Apple does in networking as gospel,
there are some things in wireless that Macs get _all wrong_! When
connecting through the access point in my lab, sometimes the DHCP server
is kind of slow (it might take at least several seconds to respond when
traffic is heavy). Occasionally, for no obvious reason, the Macs that
some people have just refuse to pick up IP addresses. They are able to
get onto the network when you force a static IP. I haven't gotten very
far in my troubleshooting since this is so erratic, but my current
suspicion is that in addition to Apple also uses the rather ugly trick
of timing out DHCP requests after pretty much no time at all to get
quick response times. Please, please, please don't go there, I'd rather
wait a few seconds to get an IP address than be completely dead in the
water! (I realize that doing something this stupid probably hasn't even
crossed your mind, please just see it as an example of how the Apple
guys sometimes are a bit too fundamentalist in their quest for user
Per Bjornsson <perbj at stanford.edu>
Ph.D. Candidate, Department of Applied Physics, Stanford University
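
Added example, not part of the original message: a simulation of the Shared Key exchange described above, showing why it is best left disabled, since anyone who sees the cleartext challenge and the WEP-encrypted response holds the RC4 keystream for that IV without knowing the key. Assumptions: the function names are illustrative, the key is a constructed sample, and the encrypted body is simplified to the challenge text plus its CRC-32 ICV.

```python
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of output keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with the 3-byte IV followed by the shared key."""
    body = plaintext + icv(plaintext)
    return xor(body, rc4_keystream(iv + key, len(body)))

def shared_key_handshake(key: bytes):
    """Return what crosses the air: challenge and IV in clear, response encrypted."""
    challenge = os.urandom(128)
    iv = os.urandom(3)
    return challenge, iv, wep_encrypt(iv, key, challenge)

def observed_keystream(challenge: bytes, response: bytes) -> bytes:
    """Uses only the two captured messages; the key is never an input."""
    return xor(challenge + icv(challenge), response)

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit sample key
    challenge, iv, response = shared_key_handshake(key)
    leaked = observed_keystream(challenge, response)
    print(len(leaked), leaked == rc4_keystream(iv + key, len(leaked)))
```

Open System authentication has no challenge/response pair, so it does not hand out this known-plaintext sample.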