Date:      Wed, 24 Apr 2013 16:16:32 -0400
From:      Michael Powell <nightrecon@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Home WiFi Router with pfSense or m0n0wall?
Message-ID:  <kl9ej0$f2b$1@ger.gmane.org>
References:  <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com> <kl0qu9$ovo$1@ger.gmane.org> <CAHieY7SSbO%2Bwt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com> <kl3vao$hbt$1@ger.gmane.org> <20130423010407.25a73c92@gumby.homeunix.com> <CAHieY7SSzuJBt6frT7QoU=EzZDA=9Fc=H-xDHYtH3PejTi5QzQ@mail.gmail.com>

Alejandro Imass wrote:

[snip]
>>> Most consider the answer to use WPA2, which I do use too. Many think
>>> it is 'virtually' unbreakable, but this really is not true; it just
>>> takes longer. I've done WPA2 keys in as little as 2-3 hours before.
>>
>> Are you saying that any WPA2 key can be cracked or are you simply
>> referring to weak keys?
> 
> I would also like to know specifically if it's for weak keys or are all
> WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
> as weak also. Could anyone expand on how weak is WPA2 and WPA2
> Enterprise or is this related to weak PSKs only??
> 

I'm just a lowly sysadmin and not any kind of crypto expert.  The problem is 
time and horsepower. While a ridiculously easy key of say 4 characters that 
is not salted may be doable on a PC, once you start to get to 8-9 characters 
or more the time it takes begins to get huge fast. It's a matter of can you 
tie up the resource long enough to wait it out. Throw salting into the mix 
and it gets longer again. 

What I do at home is concatenate 2 ham radio call signs of friends that I 
can remember. Then I sha256 that and select from the end backwards 15 
characters. This won't actually defeat the inherent weakness of using a pre-
shared key, but it will take longer for a simple brute force. You should 
also throw in additional characters from your character set beyond just 
alpha/numerics.

Also, my little tinkertoy i5-3570K overclocked up to 4.5GHz is just that - a 
toy. I can use it to generate a trace file, which I then take to work and 
replay it using a z196 when they occasionally allow me to play for a bit.  I 
also have rainbow tables and dictionary word-lists pregenerated for 
cheating. Another thing people are playing with is stuffing 4 high end video 
cards in a box and using them for computation. This enhances the PC platform 
beyond just using the CPU. There are also people doing this "in the cloud". 
And they will rent you compute time for a fee.  :-)

The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA 
is stronger because it is a user account based system which authenticates 
using 802.1x via a Radius server. You can even assign certificates to user 
accounts and if they don't have the cert on the client they are trying to 
connect with, it won't. Throwing Kerberos re-ticketing into the mix adds 
another layer to the onion. I seem to recall something about 
Kerberos re-ticketing something like every 900 seconds, or something like 
that. Switches and other network equipment that supports 802.1x can also 
filter out traffic that is not authorized.

Bottom line is Enterprise is better than a simple pre-shared key. But it 
involves radius, dns/dhcp, windows domain controllers, active directory, a 
PKI infrastructure and access points that are designed for use in this 
environment (and they cost more). So while it may be more secure than a 
simple pre-shared key, it is simply not practical for the home user as they 
won't have all the 'other' resources required to utilize it.

-Mike
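
Added example, not part of the original message: a Python sketch of how a WPA2-Personal passphrase becomes the pairwise master key (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations) and how key length and character set change the exhaustive-search estimate discussed above. The guess rate, the SSIDs and the call-sign strings are constructed assumptions, not measurements or real values.

```python
import hashlib
import math

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random string."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def hashed_passphrase(*words: str, keep: int = 15) -> str:
    """Scheme from the message: SHA-256 the concatenated words and keep
    the last `keep` hex characters of the digest."""
    return hashlib.sha256("".join(words).encode("ascii")).hexdigest()[-keep:]

if __name__ == "__main__":
    RATE = 1e6  # ASSUMPTION: guesses per second, chosen only for illustration
    cases = [("lowercase, 8 chars", 26, 8),
             ("alphanumeric, 9 chars", 62, 9),
             ("hex, 15 chars (hashed scheme)", 16, 15),
             ("printable ASCII, 15 chars", 95, 15)]
    for label, alphabet, length in cases:
        bits = keyspace_bits(alphabet, length)
        print(f"{label:32s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, RATE):.3g} years")

    # Constructed inputs standing in for two call signs.
    phrase = hashed_passphrase("K0ABC", "W9XYZ")
    print("derived passphrase:", phrase)
    # The digest looks random, but its entropy cannot exceed that of the
    # inputs: whoever knows the scheme only has to search the inputs.

    # The SSID is the salt: the same passphrase gives a different PMK per
    # network name, so precomputed tables are specific to one SSID.
    for ssid in ("HomeNet", "OtherNet"):  # constructed SSIDs
        print(ssid, wpa2_pmk(phrase, ssid).hex())
```
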




