[ale] POE?

Michael H. Warfield mhw at wittsend.com
Tue Sep 20 18:02:48 EDT 2005


On Tue, 2005-09-20 at 13:57 -0400, Scott Castaline wrote:
> Robert L. Harris wrote:
> 
> >Anyone messing with these yet:
> >http://www.compusa.com/products/product_info.asp?product_code=315808&ref=cj&pfp=cj
> >
> >Looks to be a point to point so I couldn't just set up 3 in my house but
> >could be nice for going upstairs to downstairs.
> >
> >Thoughts?
> >
> >
> >
> >:wq!
> >---------------------------------------------------------------------------
> >Robert L. Harris                     | GPG Key ID: E344DA3B

	:

> Hmmmmm!!!!!

> I get the impression that your house wiring would now be a passive hub 
> for networking multiple systems.

> WEP has been cracked in less than 8 hours, I don't recall offhand how 
> many bits of encryption is in WEP.

	WEP came in two basic flavors (with different nomenclature).  There had
been what was called a "40 bit" version (really 56 bit DES used with a
40 bit key and a 16 bit initialization vector) and then there was a 128
bit version (really 128 bit RC4 with 104 bit key and 24 bit
initialization vector).  The problems with WEP had nothing to do with
the number of bits.  128 bit RC4 is quite strong if what it's designed
into is strong enough.  Someone forgot to invite the cryptographers to
the design meetings and WEP included several serious design flaws that
left it vulnerable to known plaintext codebook attacks, code stream XOR
attacks, weak initialization vector scheduler attacks, and, later, some
bit twiddle attacks.

	The time it takes to crack WEP depends on the amount of data you
collect and the nature of the initialization vectors that you encounter.

	One big problem is that initialization vector (IV).  For a given shared
WEP key and a given IV, you get a deterministically constant "keystream",
independent from which node transmits it, which is XORed against the
data to generate the encrypted data.  So, if you can recover any known
plaintext (maybe by pinging a system or watching known exchanges like
dhcp or netbios), you can XOR out the plaintext and then you know the
keystream.  Next time you see that same IV, you can XOR that associated
keystream against the packet and recover the new plaintext for that
packet.  Worst case, that required about 2 Gig of plaintext data to
recover the entire keystream space.  You never needed to "break the key"
to make this attack work at all.  But you need access to 2 Gig of
plaintext (possibly more as IV's are reused) to get all the IV's.  But
you might not need all the IV's.  Some AP's were REALLY poor and used
simple incrementing IV generation (so you got a lot of low numbers) and
some pieces of junk didn't vary the IV at all (game over).  Still, a lot
of work.  But that's worst case...

	Another attack was against "weak" IVs.  Using certain values for an
initialization vector allowed one to determine certain bits of the
key.  This eventually led to a key compromise.  This is the classical
"fast" attack.  Capture a couple thousand packets with weak IV's and it
was game over once again.

	But modern access points now use better scheduling algorithms which
avoid weak IV's and spread the IV generation.  So, back to 2 Gig of
plain text...

	But, then, someone recently came up with a couple of new attack
methods.  One is an optimized passive attack.  If you can capture
approximately 500 K packets you should be able to break the key
relatively quickly (a few minutes or less).  In practice (I've done
this) it can take several hours to capture the data you need and you may
have to capture several million packets to get enough unique IVs to run
through the algorithms.  Capture time is the bugger here.  But...  WEP
is dead (again) Fred.

	The other new attack is an active attack called "chop chop".  You take
a valid packet and then "replay" it back to the access point slightly
modified.  You keep chopping on the modified packet until the AP
responds once again (indicating a valid decrypt).  You can then
proceed with this down a bit by bit recovery of the 128 bit key.  But
that attack is "active" (you're transmitting as well as receiving) and
relatively noisy (generates thousands of invalid decrypts).

	If you think WPA is better, you better be careful.  WPA PSK (PreShared
Key) is vulnerable to off-line brute force.  If you capture only the
first four packets of the exchange, you can brute force guess the
password and test it against those packets.  You need a password of 17
or more (some say 20 or more) characters of GOOD complexity to defeat
this attack.  And you only need to capture those first four packets.
Didn't catch them?  Fire off a "disassociate" packet (ala Omerta) at the
AP and force the stations to disassociate from each other and
re-authenticate.  Game over.

	In both WEP and WPA-PSK, the crypto at its heart was fundamentally
strong.  But the implementation and integration was fundamentally
flawed.  You can't always judge a crypto by its bits.  Unless it's weak
crypto (weak bits)...

> Your next door neighbor could be eavesdropping on your traffic, how would 
> you put in a fire wall?

	Somehow, I don't think it radiates very far.

	But...  This worries me...

	"Ensures privacy and security over the Powerline network with 56-Bit
Data Encryption Standard (DES)."

	Rrriiiggghhhttt...

	Anyone who claims that 56-Bit DES "Ensures privacy and security" in
this day and age is on drugs.  You CAN judge this crypto by its bits
and the news is bad.

> Scott Castaline
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
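
Added example, not part of the original message: a short Python sketch of the IV/keystream reuse problem the reply describes, assuming the WEP-style construction of RC4 keyed with IV || shared key. The key, IVs and payloads are constructed sample values and the function names are hypothetical; it shows why a repeated IV is something to audit for, and that no key recovery is involved.

```python
# Added illustration: WEP-style per-packet keying (RC4 keyed with IV || shared key).
# Keys, IVs and payloads are constructed sample values; function names are hypothetical.
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """The keystream depends only on (iv, shared_key), never on the sender."""
    return xor(payload, rc4_keystream(iv + shared_key, len(payload)))

def reused_ivs(frames):
    """Audit helper: IVs that appear on more than one (iv, ciphertext) frame."""
    counts = Counter(iv for iv, _ in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

def recover_same_iv(frames, iv, known_plain):
    """Assumes the first frame under `iv` carried known_plain; XOR yields the keystream."""
    same = [ct for fiv, ct in frames if fiv == iv]
    keystream = xor(same[0], known_plain)
    return [xor(ct, keystream) for ct in same[1:]]

SHARED_KEY = bytes.fromhex("0102030405060708090a0b0c0d")  # 104-bit sample key
IV_A, IV_B = b"\x00\x00\x01", b"\x00\x00\x02"               # 24-bit sample IVs
known = b"DHCPDISCOVER from station one.."    # predictable traffic (constructed)
secret = b"login: alice  password: hunter"    # later frame under the same IV
frames = [
    (IV_A, wep_encrypt(SHARED_KEY, IV_A, known)),
    (IV_B, wep_encrypt(SHARED_KEY, IV_B, b"unrelated frame under another IV")),
    (IV_A, wep_encrypt(SHARED_KEY, IV_A, secret)),
]

if __name__ == "__main__":
    print("reused IVs:", reused_ivs(frames))
    print("recovered without the key:", recover_same_iv(frames, IV_A, known))
```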



