Mailing List os2-wireless_users@2rosenthals.com Archived Message #310

From: "Lewis G Rosenthal" <os2-wireless_users@2rosenthals.com>
Subject: Re: [OS2Wireless] [OS2Wireless]TPad T60 Connect to Linksys BEFW11S4 - Security Settings
Date: Sun, 15 Feb 2009 17:46:10 -0500
To: OS/2 Wireless Users Mailing List <os2-wireless_users@2rosenthals.com>

Sorry to be so late joining the party, gentlemen...

On 02/15/09 03:29 pm, Chuck McKinnis thus wrote :
> Frank Vos wrote:
>> Hello Carl,
>> On Sun, 15 Feb 2009 12:04:31 -0500 (EST), Carl Gehr wrote:
>>
>>> BUT, I'd still like to get WPA-TKIP to work...
>>>
>>> Bad News:
>>> 1)  No matter what I do, I've not been able to get this to
>>>    work.
>>> 2)  The WPA Supplicant displays and just keeps looping through
>>>    the same bunch of [to me] gibberish.  I did change the
>>>    'Debug Level' to 'verbose' and I captured what appears
>>>    to be a repeating bunch of lines.  But, not knowing what
>>>    all of the stuff means, I'm a bit hesitant to just post
>>>    it here in a rather public forum.
>>>
>>> If there is someone out there who can interpret the stuff [It's only
>>> about 22 lines.], I can send it off-list as a text file.

Carl, you need to ensure that XWLAN is configured for WPA-PSK and not WPA2-PSK (obviously, as you've surmised). Even then, there is no guaranty that the BEFW11S4 - even with the latest firmware drop - properly handles this. ISTR many instances in the early days of WPA (remember, WPA is a subset of the 802.11i standard, and not a standard unto itself; nor was 802.11i fully ratified until June of 2004).

In fact, a quick Google on WPA BEFW11S4 brings up a slew of hits. Here is a brief sample:

http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=35153
http://pdaphonehome.com/forums/xda-iii-mda3-pda2k-sx66-qtek9090/55336-wpa-psk-linksys-befw11s4-di-524-a.html

>>> I guess I'm curious:  Is there no standard 'generate' tool that will
>>> create compatible keys?  I also find it interesting that xWLAN
>>> generates four keys, while the router only has one.  I assume other
>>> routers have more keys?
>> For WPA(2)-TKIP you only need one key,

Indeed, Frank is right. However, using the actual terminology might help make this a bit more clear:

WPA uses the concept of a (singular) passphrase. The passphrase may consist of any alphanumeric/symbol sequence up to 63 characters (the longer, the better, and the less dictionary-like, the better).

WEP uses four hex keys. Remember that what we commonly call "64-bit WEP" is really only 40-bit encryption plus a 24-bit IV (Initialization Vector). Likewise, 128-bit WEP is really 104-bits of encryption with the same 24-bit IV. It is the IV which is the weak link, because it cries out to anything sniffing the air, "Here we go! Time to send the keys again!"

A single 40-bit WEP key consists, therefore, of ten hex characters. As there are four keys, you would normally display these in an array of four lines, each with a single key. You then need to tell the router which key is the "first" one, if given the option (otherwise, the assumption is made that it is the first in the list). Thus:

0xBEABCEDFEE
0x1122334455
0xA1B2C3D4E5
0xF6E5D4C3B2

would constitute four 10-bit hex keys (the 0x denoting hex vs ASCII).

A single 104-bit WEP key consists, then, of 26 hex characters.

Each manufacturer tends to make its own keygen routine. Thus it simply doesn't work to enter the same series of (hopefully random) ASCII characters into a LinkSys router and into a, say, Belkin card utility and expect the same keys to come out the other end (Stan and I proved this at Warpstock one year with a Siemens router and a LinkSys router; the keys generated were entirely different).

>> the four keys in xWLAN are for WEP only.

Exactly.

>> I guess those key generators all have their own way for generating keys.

Frustrating, but very true.

>> I get my keys from here:
>> https://www.grc.com/passwords.htm

Great link, Frank; thanks!

>> I copy one key (63 random printable ASCII characters) and paste it in the
>> router setup and in the laptop. A key with 63 random characters is impossible
>> to crack, unless they manage to break WPA like they did with WEP.

WPA-PSK is indeed crackable in about 15 minutes these days. Add 256-bit AES encryption (WPA2), and we're talking about a horse of a different color.

The RC4 (designed by Ron Rivest of RSA Security) cipher is the weak link, and a common factor between WEP and WPA. Under WPA, it is used to encrypt at 128-bits. TKIP helps slow down attempts, as the keys roll in time, but still, capture enough packets, and it can be deciphered.

AES, OTOH, is a 256-bit cipher, and much harder to break.

See:

http://arstechnica.com/security/news/2008/11/wpa-cracked.ars
http://wifinetnews.com/archives/008500.html

and

http://dl.aircrack-ng.org/breakingwepandwpa.pdf

> IMHO, I am more worried about security on the Internet than I am about security between my PC and the router.

Absolutely, Chuck, and this is the crux of the matter.

People tend to forget that Wi-Fi encryption only applies between the client and the access point. Once the packet leaves the AP, it's once again in no-man's land, and it's exposed to thousands of times the number of possibly listening ears there than over the air.

If you browse to a secure site to place a credit card order, your browser is already encrypting the data at 128-bit SSL. This is completely end-to-end, from your client, over the air to your AP, across your LAN, and over the internet, all the way back to the originating server. In this case, WPA or WEP doesn't make a bit of difference, as the only data anyone would capture over the air would be encrypted gibberish, anyway.

If you check email via POP3 or IMAP using SSL (or TLS), these transactions are likewise fully encrypted (though you would have the option of sending your credentials encrypted or not). Assuming your credentials *were* encrypted (and that your provider supports encrypted email - I do; for POP3, IMAP, and SMTP), wireless encryption is superfluous.

If you browse to an unsecure site on the net, whether wired or wireless, your traffic is all subject to whoever might be capturing packets along the way, and you'll never know.

So, when *does* wireless encryption really make sense? When you work wirelessly and transfer sensitive information over the air to an unsecure link on your private LAN (or outside). For example, as it is now tax season here in the US, I am crunching returns again. If someone were to monitor my wireless traffic while I work on someone's tax return, it might be possible to capture a client's name and Social Security number (my tax prep software runs on my Citrix server, and I don't use any encryption for Citrix connections).

I hope this helps!!

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
Need a managed Wi-Fi hotspot?                www.hautspot.com
Treasurer, Warpstock Corporation            www.warpstock.org
-------------------------------------------------------------
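
Added example (not part of the original message, and not code from xWLAN or any router vendor): the thread contrasts vendor-specific WEP key generators with WPA's single passphrase. This Python sketch checks the WEP hex key lengths described in the message and derives the WPA pre-shared key with the mapping standardized in IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which is why the same passphrase and SSID give the same key on any compliant router or client. The function names, the sample passphrase and the SSIDs are assumptions; the 8-character minimum comes from the standard, not from the message.

```python
import hashlib
import string

# Hex-digit counts for the two WEP key sizes described in the message.
WEP_SIZES = {10: "40-bit key (64-bit WEP)", 26: "104-bit key (128-bit WEP)"}


def classify_wep_key(key: str) -> str:
    """Label a WEP hex key by size; raise ValueError if it is malformed."""
    digits = key[2:] if key.lower().startswith("0x") else key
    if not digits or any(c not in string.hexdigits for c in digits):
        raise ValueError("WEP key must consist of hex digits")
    if len(digits) not in WEP_SIZES:
        raise ValueError(f"{len(digits)} hex digits is not a WEP key length")
    return WEP_SIZES[len(digits)]


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK (hex) from a passphrase and SSID.

    IEEE 802.11i mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations.
    """
    # 8..63 printable ASCII characters; the lower bound is from the standard.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, 4096, 32
    ).hex()


if __name__ == "__main__":
    # The four sample WEP keys from the message above.
    for k in ("0xBEABCEDFEE", "0x1122334455", "0xA1B2C3D4E5", "0xF6E5D4C3B2"):
        print(k, "->", classify_wep_key(k))
    # Constructed passphrase and SSIDs: the same passphrase yields a different
    # PSK on each network name, because the SSID is the salt.
    for ssid in ("home-ap", "office-ap"):
        print(ssid, wpa_psk("correct horse battery staple", ssid))
```

Because the SSID is the salt, renaming the network changes the derived key even when the passphrase stays the same.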

