Home WiFi Router with pfSense or m0n0wall?
Michael Powell
nightrecon at hotmail.com
Wed Apr 24 20:16:51 UTC 2013
Alejandro Imass wrote:
[snip]
>>> Most consider the answer to use WPA2, which I do use too. Many think
>>> it is 'virtually' unbreakable, but this really is not true; it just
>>> takes longer. I've done WPA2 keys in as little as 2-3 hours before.
>>
>> Are you saying that any WPA2 key can be cracked or are you simply
>> referring to weak keys?
>
> I would also like to know specifically if it's for weak keys or are all
> WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
> as weak also. Could anyone expand on how weak is WPA2 and WPA2
> Enterprise or is this related to weak PSKs only??
>
I'm just a lowly sysadmin and not any kind of crypto expert. The problem is
time and horsepower. While a ridiculously easy key of say 4 characters that
is not salted may be doable on a PC, once you start to get to 8-9 characters
or more the time it takes begins to get huge fast. It's a matter of can you
tie up the resource long enough to wait it out. Throw salting into the mix
and it gets longer again.
What I do at home is concatenate 2 ham radio call signs of friends that I
can remember. Then I sha256 that and select from the end backwards 15
characters. This won't actually defeat the inherent weakness of using a pre-
shared key, but it will take longer for a simple brute force. You should
also throw in additional characters from your character set beyond just
alpha/numerics.
Also, my little tinkertoy i5-3570K overclocked up to 4.5GHz is just that - a
toy. I can use it to generate a trace file, which I then take to work and
replay it using a z196 when they occasionally allow me to play for a bit. I
also have rainbow tables and dictionary word-lists pregenerated for
cheating. Another thing people are playing with is stuffing 4 high end video
cards in a box and using them for computation. This enhances the PC platform
beyond just using the CPU. There are also people doing this "in the cloud".
And they will rent you compute time for a fee. :-)
The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA
is stronger because it is a user account based system which authenticates
using 802.1x via a Radius server. You can even assign certificates to user
accounts and if they don't have the cert on the client they are trying to
connect with, it won't. Throwing Kerberos re-ticketing into the mix adds
another layer to the onion. I seem to think recalling something about
Kerberos re-ticketing something like every 900 seconds, or something like
that. Switches and other network equipment that supports 802.1x can also
filter out traffic that is not authorized.
Bottom line is Enterprise is better than a simple pre-shared key. But it
involves radius, dns/dhcp, windows domain controllers, active directory, a
PKI infrastructure and access points that are designed for use in this
environment (and they cost more). So while it may be more secure than a
simple pre-shared key, it is simply not practical for the home user as they
won't have all the 'other' resources required to utilize it.
-Mike
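The key recipe Mike describes (concatenate two call signs, SHA-256, keep the last 15 hex digits, then widen the character set) worked through in Python, as an added illustration that is not part of his message or of the list thread. The call signs, the extra characters and the guess rate are constructed placeholders; the point the numbers make is that a blind brute force sees a 15-character keyspace, an attacker who knows the output is hex sees only 16^15, and one who knows the recipe and can guess the inputs gains nothing from the hashing at all.

```python
import hashlib
import math
import string

# Constructed sample inputs: hypothetical call signs, not real stations.
CALL_SIGN_A = "N0CALL"
CALL_SIGN_B = "W1XYZ"


def derive_psk(a, b, length=15):
    """Concatenate two strings, SHA-256 the result and keep the last
    `length` hex digits (the recipe from the message above)."""
    digest = hashlib.sha256((a + b).encode("utf-8")).hexdigest()
    return digest[-length:]


def add_extra_chars(psk, extra="!#"):
    """Widen the character set beyond alphanumerics, as the message
    suggests; the choice of `extra` here is an assumption."""
    return psk + extra


def alphabet_size(passphrase):
    """Alphabet size an attacker must assume if all they learn is which
    character classes occur in the passphrase."""
    size = 0
    if any(c in string.digits for c in passphrase):
        size += len(string.digits)            # 10
    if any(c in string.ascii_lowercase for c in passphrase):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)       # 32
    return size


def keyspace_bits(length, alphabet):
    """log2 of the number of candidates a blind brute force must cover."""
    return length * math.log2(alphabet)


def years_to_exhaust(bits, guesses_per_second):
    """Wall-clock years to try every candidate at a constant guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def report(a, b, guesses_per_second=1e9):
    """Derived key plus keyspace estimates under two attacker assumptions.
    The guess rate is an illustrative constant, not a WPA2 benchmark."""
    psk = derive_psk(a, b)
    # Attacker sees only "digits and lowercase letters, 15 long".
    blind = keyspace_bits(len(psk), alphabet_size(psk))
    # Attacker knows the string is a hex digest fragment: 16 symbols.
    hex_known = keyspace_bits(len(psk), 16)
    # If the attacker also knows the recipe and the inputs are guessable,
    # hashing adds nothing: the keyspace is that of the inputs, not of
    # the hash output, so the "entropy" here is an upper bound only.
    return {
        "psk": psk,
        "blind_bits": blind,
        "hex_known_bits": hex_known,
        "years_blind": years_to_exhaust(blind, guesses_per_second),
        "years_hex_known": years_to_exhaust(hex_known, guesses_per_second),
    }


if __name__ == "__main__":
    for k, v in report(CALL_SIGN_A, CALL_SIGN_B).items():
        print(f"{k}: {v}")
    print("widened:", add_extra_chars(derive_psk(CALL_SIGN_A, CALL_SIGN_B)))
```

Running it prints the derived fragment, its blind and hex-aware keyspace in bits and the years each would take at the assumed rate; swapping in a real per-guess cost for WPA2's key derivation changes the years, not the bits.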