Well, to be more accurate, WPA introduces several new features for WiFi security. Perhaps a little background information is in order.
WPA stands for WiFi Protected Access. It is a standard introduced by the WiFi Alliance (owners of the WiFi brand-name) and was in response to the inherent weaknesses in the WEP security scheme.
WEP (Wired Equivalent Privacy) is a cipher stream encryption protocol. The 128bit key is made up of a 40bit IV (initialization vector) and a 64bit RC4 key. The IV is transmitted in clear text, which, along with the fundamental weaknesses of RC4, is what makes WEP sub-optimal for strong security. Because a hacker can easily capture the clear text IV, and because of the nature of how IVs are generated, a hacker can effectively decode your entire 128bit key if they capture enough packets.
The WiFi Alliance developed WPA to combat these weaknesses. WPA introduces several new security enhancements.
TKIP - Temporal Key Integrity Protocol
TKIP rehashes your WEP key for every single packet. This means that a hacker can no longer decode your WEP key by capturing enough packets.
MIC - Message Integrity Check
Without going into too much detail, MIC can be considered a kind of CRC-like mechanism. Any changes to the packet (by so-called Man in the Middle Attacks) are detected by the MIC.
Key Management
WPA provides for two types of Key Management. Standard EAP based solutions, where a backend AAA negotiates new WEP keys on a periodic basis, and WPA-PSK (WPA - Pre Shared Key). WPA-PSK is what is used in most home deployments. In these circumstances, both the Access Point and the client have a pre-shared key (or "pass phrase") that is used to generate brand new WEP keys on an agreed periodic basis.
There are some problems with WPA-PSK. Originally, the standard called for pre-shared keys of at least 20 characters long, but manufacturers thought this was too much hassle for most of their customers and the standard was revised to allow for 8 character pre-shared keys or higher. The problem is that 8 character pre-shared keys are not long enough to guarantee security.
If you are setting up a home network with WPA, in PSK mode, you should make sure the pre-shared key you use is at least 20 characters long. Using anything shorter is not recommended. It might be easier to type in, but it's not 100% secure.
Mr Mephisto
Last edited by Mephisto2; 08-05-2004 at 04:02 AM..
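An added example, not part of the post above: a passphrase check for WPA-PSK that applies the 8-character minimum and the 20-character recommendation from the post, and derives the 256-bit key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). That derivation detail comes from the standard rather than the post; the function names and the sample passphrases and SSIDs are constructed for illustration.

```python
import hashlib
import math
import string

MIN_LEN, MAX_LEN = 8, 63   # passphrase length limits in WPA-PSK
RECOMMENDED_LEN = 20       # minimum length recommended in the post above


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def max_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming every character was picked at random
    from the character classes present. Real words score far lower."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit(passphrase: str) -> dict:
    """Summarise how a passphrase fares against the limits discussed above."""
    return {
        "length": len(passphrase),
        "accepted_by_standard": MIN_LEN <= len(passphrase) <= MAX_LEN,
        "meets_recommendation": len(passphrase) >= RECOMMENDED_LEN,
        "max_entropy_bits": round(max_entropy_bits(passphrase), 1),
    }


if __name__ == "__main__":
    # Constructed sample passphrases and SSID, for illustration only.
    for phrase in ("password", "correct horse battery"):
        print(audit(phrase), derive_psk(phrase, "HomeNet").hex())
```

Because the SSID is the salt, the same passphrase gives a different key on a differently named network, but the key is only as hard to guess as the passphrase itself.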