WiFi security (was wifi access from laptop to starbucks wifi)

Joel Rees joel.rees at gmail.com
Thu Jun 24 00:56:39 UTC 2010

On Jun 24, 2010, at 1:10 AM, JD wrote:

> On 06/23/2010 01:24 AM, Joel Rees was caught red-handed while  
> writing::
>> On Jun 23, 2010, at 11:14 AM, JD wrote:
>>> On 06/22/2010 07:27 PM, Darr was caught red-handed while writing::
>>>> On Tuesday, 22 June, 2010 @22:00 zulu, JD scribed:
>>>>> WPA2-PSK + AES : I thought it is not possible for inter-customer
>>>>> traffic to figure out the keys because once the connection is
>>>>> established,
>>>>> keys change dynamically per the protocol. Perhaps a an expert  
>>>>> on the
>>>>> WPA2-PSK protocl can shed some light on this.
>>>> The unsecure part is, if left to their own devices people tend
>>>> to choose weak passwords. It really is that simple.
>>>> If you choose a password that is a dictionary word or the name
>>>> of one of your kids/friends/pets, or a phone number, or a simple
>>>> sequence on the keyboard like 123456, 1234qwer, qwertyuiop,
>>>> et cetera, then AES can be 'cracked' using the dictionary method.
>>>> If you choose a passphrase like 1a!B2 at Cd3#4$efGH(56) it's
>>>> virtually uncrackable, Especially since there's a 1-minute xmit
>>>> timeout enforced when there have been 2 wrong PW tries in
>>>> 30 seconds. Even if they could make 3 guesses per second it
>>>> should take a couple hundred centuries to crack that passphrase.
>>> Even so, that does not mean you can decrypt another user's traffic,
>>> because you will n ot be able to find out the keys that were
>>> exchanged just
>>> before the client transmitted a packet, regardless of how
>>> weak the passphrase is when using AES.
>>> All clients will be using same passphrase anyhow (assuming we
>>> are still talking about using a public wifi hotspot, or
>>> even a workplace shared wifi router/gateway, which is set
>>> to accept only WPA2-PSK and AES encryption - no two
>>> clients will be in lock-step conversation with the gateway
>>> such that they exchange same keys with the gateway.
>>> So, inter-client traffic (which means that someone has
>>> some software on his/her machine, and has set his/her
>>> interface in promiscuous mode and is trapping packets from
>>> some particulat IP address. Good luck trying to decrypt them
>>> The Japanese team of scientists could not do it.
>> Don't know where you're coming from, guy, but don't get too
>> confident. There are groups where AES and all the current wireless
>> standards are considered broken, not from weak passwords.
>> (Not sure why you're talking about the Japanese scientists, either.)
> You're telling me not to get confident?


Coming in on the end of the conversation, but the last post sounded a  
lot less cynical than earlier posts (now that I go back and read).

But, now that I go back and read, I see that secure tunnels have b

> I have no confidence in anything, least of all
> public cryptographic algorithms.
> However, AES, for public use and practical purposes,
> remains unbroken. What you refer to as broken, even
> from researchers that have found weaknesses, say it
> is not a practical attack you can mount from a laptop.
> It has a level of complexity that prevents laptops
> at a hotspot from mounting any meaningful attack.

Not worried about attacks from laptops. Not worried about part-time  
war-drivers, either.

The game has escalated in the last four years, since I took a hiatus.

> You would need formidable computing power to do it.
> So, for practical purposes, AES, unlike TKIP,
> remains secure.
> See:
> http://www.andrewmccormack.com/index.php? 
> option=com_content&view=article&id=64:aes-broken&catid=35:security
> http://slashdot.org/it/02/09/16/0653224.shtml?tid=93
> And why should I not mention the Japanese scientists that broke  
> TKIP on
> a PC in a minute?

Not intending to say you shouldn't mention that they broke the other  
stuff in public (which we appreciate, since it somewhat forces the  
vendors' hand).

You guys know what you're talking about, but there are a lot of  
people around who would misunderstand. Your last post looked a little  
optimistic to me.

Still, my understanding is that the improvements in AES do move the  
focus of attack.

> http://www.networkworld.com/news/2009/082709-new-attack-cracks- 
> common-wi-fi.html
> What do you have against that?
> So,I strongly urge you to apply your advice to yourself
> before you claim that AES has been broken, as if any laptop
> can break it.

More information about the users mailing list