[nycbug-talk] wpa cracked

Miles Nordin carton at Ivy.NET
Sat Nov 8 21:02:17 EST 2008


>>>>> "gr" == George Rosamond <george at ceetonetechnology.com> writes:

    gr> "hey, ma, unclick TKIP and use AES instead on the router"

It's worse x2.

 1. AIUI, wireless chips include AES accelerators for WPA2 which are
    working at the ~20 - 50Mbit/s rates the chips push, drawing <5W,
    and extremely cheap, and fit into the network stack in a way that
    can handle high pps.

    IPsec accelerators for Cisco with ~20 - 50Mbit/s performance are
    more expensive, and accelerators built into Ethernet MAC chips do
    not exist.  Accelerators that fit into the stack similarly
    smoothly close to the line card are only available in really high
    end stuff like 6500.

 2. There are confusing L2/L3 DoS problems that L2 security may help
    with a little bit (though maybe not help very far with wireless).

I've never implemented WPA2 but what I worry about is MITM by
impersonating the AP.  Is that prevented somehow?  Can you even do
CHAP with RADIUS?  Do people actually sign their AP certificates and
load the CA certificate onto the clients?  With IPsec that I've seen
(Cisco), the former is not possible, and the latter is
routine/best-practice---you either use XAuth with Mutual Group
Authentication, or else if you refuse to use Aggressive Mode then you
use XAuth with certificate authentication, but just load the same
certificate on all the clients and let them use different XAuth
passwords.  Not sure if that made sense---I can ramble longer if
needed.