WiFi security (was wifi access from laptop to starbucks wifi)

JD jd1008 at gmail.com
Wed Jun 23 02:14:41 UTC 2010

On 06/22/2010 07:27 PM, Darr was caught red-handed while writing::
> On Tuesday, 22 June, 2010 @22:00 zulu, JD scribed:
>> WPA2-PSK + AES : I thought it is not possible for inter-customer
>> traffic to figure out the keys because once the connection is
>> established,
>> keys change dynamically per the protocol. Perhaps a an expert on the
>> WPA2-PSK protocl can shed some light on this.
> The unsecure part is, if left to their own devices people tend
> to choose weak passwords. It really is that simple.
> If you choose a password that is a dictionary word or the name
> of one of your kids/friends/pets, or a phone number, or a simple
> sequence on the keyboard like 123456, 1234qwer, qwertyuiop,
> et cetera, then AES can be 'cracked' using the dictionary method.
> If you choose a passphrase like 1a!B2 at Cd3#4$efGH(56) it's
> virtually uncrackable, Especially since there's a 1-minute xmit
> timeout enforced when there have been 2 wrong PW tries in
> 30 seconds. Even if they could make 3 guesses per second it
> should take a couple hundred centuries to crack that passphrase.
Even so, that does not mean you can decrypt another user's traffic,
because you will n ot be able to find out the keys that were exchanged just
before the client transmitted a packet, regardless of how
weak the passphrase is when using AES.
All clients will be using same passphrase anyhow (assuming we
are still talking about using a public wifi hotspot, or
even a workplace shared wifi router/gateway, which is set
to accept only WPA2-PSK and AES encryption - no two
clients will be in lock-step conversation with the gateway
such that they exchange same keys with the gateway.
So, inter-client traffic (which means that someone has
some software on his/her machine, and has set his/her
interface in promiscuous mode and is trapping packets from
some particulat IP address. Good luck trying to decrypt them
The Japanese team of scientists could not do it.

More information about the users mailing list