Slashdot Log In
Elcomsoft Claims WPA/WPA2 Cracking Breakthrough
Posted by
timothy
on Sun Oct 12, 2008 01:12 PM
from the it-budget-excuse-par-excellence dept.
from the it-budget-excuse-par-excellence dept.
secmartin writes "Russian security firm Elcomsoft has released software that uses Nvidia GPUs to speed up the cracking of WPA and WPA2 keys by a factor of 100. Since the software allows them to network thousands of PCs, this anouncement effectively signals the death of wireless networking in business networks; any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether."
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Looks Like I'm Safe (Score:5, Interesting)
Re: (Score:3, Informative)
True, buy most people will use a alphanum pass with 10 characters or less.
(26*2+1)^10 = 839299365868340224
Which is a lot more crackable.
You can get hard passwords (Score:4, Interesting)
Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm [grc.com]
These are especially good for wireless routers since you normally don't need to type them yourself and they don't get changed that often. (Of course, you should still change them once in a while.)
Parent
Re:You can get hard passwords (Score:5, Informative)
I personally recommend KeePass for password generation. It can generate 63 char passwords for WPA/WPA2 keys with cryptographically random unpredictability as it uses keyboard/mouse movements as part of seeding. Because its done on the local machine, there is no chance of the password being leaked as compared over the web. With a 63 character password, that is far more entropy than the 128 or 256 bits keys used for AES, so for someone to guess a password of that length, they either have to be able to brute force AES at full strength, or find a weakness in the algorithm's implementation.
I generate a KeePass password, save it to a USB flash drive, then paste it into my router's config. I then take the USB flash drive to the physical machines and do a copy and paste of the 63 char key into their network preferences. This is a lot easier than typing it. Should I lose the key... not hard to fix -- generate another one and rekey the 3-4 machines on my network. Because the WPA/WPA2 key is easily resettable with physical access to the machines, there is no reason to go less than the maximum character length, and it doesn't matter if the password gets forgotten, as long as you remember your router and machine's access passwords. (This for a home network. Businesses should use a RADIUS server where all the machines are not reliant on a single shared encryption key.)
If you have to use fewer characters, I'd say never use fewer than 20 characters, but even that is cutting it thin, factoring in Moor's law, botnets, and usage of GPUs for additional number crunching.
Parent
Re: (Score:3, Informative)
Re:You can get hard passwords (Score:5, Funny)
Parent
Re:You can get hard passwords (Score:5, Informative)
Parent
Re:You can get hard passwords (Score:4, Informative)
Firstly, get rid of this idea of a "standard password". Get PasswordHasher [mozilla.org] and use your NEW standard password to access some highly complex passwords at no extra brain power.
Next, your next door neighbour can't plug into your router from their sofa if you use a cable and see you moving home pr0n between your laptop and your desktop.
If you're using WiFi then all that lovely data could be shared with them, if they have a sniffer program running and your network key.
Other things that go over your network in plain text that could be sniffed by your neighbour: Notice the httpS:// on Slashdot.org? Me neither. Your password would have been in a packet that they sniffed. Same for any site you visit. URLs to your bank, your fave pr0n sites, the software you're using and which versions. If they are as good as me (and I'm not even that good at this crap), they could wait for your browser to look for an update, have an already altered version of the last update with a backdoor in it, hijack the DNS request and punt you a file that rootkits your box. If your post wasn't a troll, you might need this: Rootkit [wikipedia.org].
Seriously, why do you think everyone talks about wireless security as if it was important? Are you the only one that is "in the know" and they are all wrong?
Exceptions do apply. NX, VPNs, SSH, and other encryption can be sent over totally open WiFi because the encryption is done before stuff hits the network card.
Parent
Re:You can get hard passwords (Score:4, Informative)
Your example password is not random. Look at the letters of it, one by one, and you will notice that each next letter is either in direct physical proximity (QWERTY-wise) to its predecessor, or in a similar proximity for the other hand. This is a serious weakness because password crackers will exploit it in an instant.
Parent
Re: (Score:3, Interesting)
What's amusing, is that devices like mobile phones encourage people to use weaker passwords, as typing a long complicated password into a cellphone is quite a hassle.
Re: (Score:3, Informative)
Re:Looks Like I'm Safe (Score:5, Informative)
Parent
Re: (Score:3, Interesting)
Re:Looks Like I'm Safe (Score:5, Funny)
"Brute Force Attack will take up to 128299838271 years"
Look, I understand that's enough security for your mortals, but I plan to live forever. I don't want someone getting my data just after my 128,299,838,295th birthday!
Parent
Re:Looks Like I'm Safe (Score:5, Funny)
I don't want someone getting my data just after my 128,299,838,295th birthday!
Tell us if they release Duke Nukem Forever by your 128 billionth birthday.
Parent
Re:Looks Like I'm Safe (Score:5, Funny)
I recently moved up 23 chars, but it won't calculate that for me.
Do not worry, the keylogger inside of your keyboard has plenty of memory.
Parent
Re:Looks Like I'm Safe (Score:4, Interesting)
So, computing speed doubles roughly every 18 months. At this rate, it will be down to one year in 55 years (assuming computers keep getting faster at the same rate - 55 years is about as long as we've had commercial computers).
Of course, if you add another alphanumeric to the password, you multiply the complexity by 56, which adds another 10 years to the time before computers will be fast enough to crack it in a year. Another alphanumeric takes it up to 73 years, another up to 81, and so on.
There are some physical limits [wikipedia.org] to the maximum speed of computation. All of the ones we've come close to so far have been practical engineering problems, rather than theoretical ones. 21 more doublings in transistor density and IC features are smaller than the nucleus of an atom (9 more and they're smaller than a helium atom including its electron cloud) - only possible if you're building your CPU out of neutronium, so it seems unlikely that we'll get to 54 without some brand new physics. Increasing transistor density isn't the only way of increasing computational power, but so far it's been the easiest (although each doubling does require an R&D budget measured in billions of dollars).
Parent
Does this surprise anyone? (Score:5, Insightful)
This doesn't surprise me. Anyone who wasn't already assuming that anything you sent via wireless was already in the hands of your enemies (unencrypted) is a bit naive.
Re:Does this surprise anyone? (Score:5, Insightful)
I don't care how you're accessing the net, if it's important encrypt it.
Parent
Re:Does this surprise anyone? (Score:4, Insightful)
That was my reaction, the standard advice going back a long ways was use WEP, but for the love of god also use VPN between the devices. I can't imagine why WPA or WPA2 would make people think that you should be ditching the VPN.
Admittedly I've been guilty of not doing it, but it was more a matter of inferior Windows facilities than anything else.
Parent
Re: (Score:3, Insightful)
Re:Does this surprise anyone? (Score:4, Informative)
Parent
Re:Does this surprise anyone? (Score:5, Interesting)
Nope. It only requires that someone is recording that data, just as GP said.
So, suppose you're pushing a new key every hour. It takes me 12 hours to crack your key.
If you're not thinking too clearly, it looks like you're safe.
But with modern wireless technologies, how much data can you really push in 12 hours? Let's say you're on a -g network -- 54 mbits -- you'll probably send at most 5 megabytes per second. Suppose you're saturating that constantly -- that means roughly 18 gigs an hour.
So, it takes me 12 hours to crack that -- which means I have to record at most 216 gigs worth of (encrypted) data.
At the end of 12 hours, I've cracked the key from hour 1. I can then go back and decrypt all traffic you sent during that time, including the key you set for hour 2. Then I can decrypt all the data from hour 2, and so on. This will probably take less than an hour.
At that point, I'm caught up, and you're kindly pushing updated keys to me.
So, in other words, your rotating key scheme only works against people who either aren't recording your data, or aren't interested in cracking it at all (for instance, it'd be great if you give a houseguest access for an hour, then the next hour, the key changes from under them)...
Parent
Re:Does this surprise anyone? (Score:4, Interesting)
[This is where someone else who knows something about crypto chimes in... I just know this because I'd seen someone else getting called out on this misconception.]
W007! I actually do know something about crypto (as well as number theory, which is useful and fun).
You are right about the fact that, if SALT were transmitted through plaintext every time, it would only be a matter of time before SECRET would be able to be deduced (assuming that the method of breaking the overall WPA encryption allows you to figure out the encryption key being used [I don't know too much about WPA in particular, so I'm not sure if it is public key or not]).
I should have been clearer. Every XX minutes, a different SALT is transmitted via ciphertext.
This increases the complexity of the problem significantly:
You must break the first encryption key and gain the full key. The key looks something like:
a8fbcd1db5a6bf013763fd45a32f2b319bfba413
You must break the second encryption key. Again, the key looks something like:
216cd69e6e4112b6adffec1853ae415b0fa45fcf
[Wash, rinse, repeat]
You eventually have enough keys lined up to figure out that they use the sha1sum and all start with "this is insanity ", therefore SECRET="this is insanity ".
The problem is that you have to break the encryption scheme enough times to gain enough keys to establish what SECRET is. Then you have to break the hash. If it is a particularly good hash (i.e. NOT MD5 OR SHA1!) and the key that you are hashing has sufficient entropy (i.e. consists of random data) then you shouldn't be able to break the hash using a rainbow table, and brute force might be necessary.
Now, you can always try to mathematically find a flaw in the hash or encryption scheme, but that is a different problem. Personally, I wouldn't trust an encryption scheme designed by someone else unless I had the mathematical background to prove it, which, in the case of RSA, I do. Therefore, I would use RSA with as large a key and block size as is feasible. I'd probably also write my own implementation [activestate.com].
(I must confess, though, that the implementation I wrote to which I have linked is not by any means secure as it stands. It is also probably buggy, as I spent maybe half an hour on it at most. Someone commented on another recipe that writing RSA should be simple, and so I took the opportunity to write it.)
Parent
Rotate your keys (Score:5, Insightful)
With good keys, even a 100x increase in cracking speed is still not fast
Don't use a little 8-character passphrase. Use long keys, and don't just leave them in place forever. Change them periodically.
..since as we know, ... (Score:5, Funny)
Parent
Re: (Score:3, Insightful)
Rotating keys is not a smart way to try to extend the keyspace, if he can brute force one password he can quite probably do it again. Rotating passwords is a good idea if unwanted people may have had access to the password or a device it was on like say in a corporate network, guest network or whatever. For the traditional home network where the overwhelmingly likely scenario is that he's got no inside knowledge, just set one password at maximum length with some special characters so you're using the full k
Newsflash: Most "Business Networks" Aren't Secure (Score:5, Insightful)
That said, the biggest risk is still always going to be insiders and former insiders who won't need to crack into the wireless network: they will already know how to get access.
Thats not really news... (Score:5, Interesting)
There is no special flaw or exploit in use. They just throw more transitors at a special problem.
Everybody who really want to crack into some network (think NSA or industrial espionage) could have used FPGAs for even bigger gains.
And for joe sixpack, weeks on a small cluster is still not a viable way for free internet...
Also (Score:4, Informative)
A "100x" increase in the speed of cracking an encryption system is not necessarily impressive, or indeed meaningful.
It sounds like a lot, and would be if it were a situation of "It used to take 100 years to crack a password, now it takes 1." Ok well that just moved the problem from something impossible or at least totally worthless (the technology will be outdated by the time you get the answer) to something potentially useful for a determined attacker.
However, that isn't the sort of timescale we are talking about for modern encryption. We are instead talking about amounts of years that are generally expressed with exponents. Ahh, well now that changes things. If an encryption system currently takes 10^14 years to crack and you've sped up cracking 100 times so it now only takes 10^12... Well that still doesn't get you anything. You are talking many times longer than the universe has been around. Even an increase of 1,000,000 times doesn't get you anywhere near anything useful.
So while announcements like this are cool in an academic sense, they have no real application or threat.
Parent
Why does wireless security suck so bad? (Score:5, Insightful)
Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks. I'm not saying that WPA is as bad as WEP, but how come they can't copy/paste something as good as good old-fashioned SSL?
SSL has withstood the tests of time, over, and over, and over, and over again. SSL is the gold standard for encryption. It's used on every HTTPS website, it's used for SSH, it's used as part of kerberos, IMAPS, POPS, TLS, and just about every other good-quality security tool.
So why are wireless chipset manufacturers trying to re-invent the wheel, when it's widely known that these kinds of wheels are FRIGGEN HARD to re-invent well?
Start with normal, unencrypted wireless. Getting that to work was solved long ago. Embed an SSL engine into your wireless device, with a randomly generated private key. Provide a means to access the public key, and copy/paste that key into your high security wireless driver. If you want to be paranoid, your local driver generates a private/public key pair as well, and that can be copy/pasted to your wireless device.
Done! Now you *KNOW* that if you are accessing the Internet through the driver, you are doing so through the correct wireless hotspot. Who cares about wireless MITM attacks at that point? The SSL protocol *ASSUMES* that there are MITM attempts, and foils them quite effectively, over the equally open and unsecured Internet.
Seriously, folks. This is a problem that was solved over a decade ago. Why are we doing this again?
Re:Why does wireless security suck so bad? (Score:5, Informative)
Seriously. We've had a number of standards with names like "Wired Equivalency Protocol" and "Wifi Protected Access" and yet they seem to be falling, one-by-one, to relatively trivial attacks.
"Seem" is the key word in this paragraph.
The claimed attack is nothing more than a brute force search on WPA/WPA2 pre-shared keys, a search that will fail if the keys are well-chosen. It has no effect whatsoever on WPA or WPA2 when used with any of the EAP authentication modes. But PSK requires the network admin to choose a key, and the key is typically chosen by typing in a passphrase. If that passphrase is weak, then given enough computation power an attacker can guess it. Big surprise.
WPA and WPA2 ARE just as solid as SSL. The only difference is that everyone knows that if you're doing SSL you should use a good random number generator to help generate your key pair and to generate the session keys.
Parent
Re:Why does wireless security suck so bad? (Score:5, Interesting)
So what you're saying is, since I'm using the longest freagin key that my router allows, and I used a cryptosecure generator to create it (its totally random), I'm more or less safe?
Parent
Re:Why does wireless security suck so bad? (Score:5, Informative)
Yes.
Parent
Re:Why does wireless security suck so bad? (Score:5, Informative)
Better yet, use 802.1x (WPA + RADIUS) which completely avoids all the key-exchange weaknesses of WEP and WPA.
Parent
Re: (Score:3, Interesting)
I used this. Not so for the security (I think a 63 character really random password would be enough), but for convenience - it was easier to copy two files (user certificate and CA certificate) to my cell phone than type ten 63 char password (which for some reason was reset after each phone reboot)...
Now I do not use wifi for my local network. For some reason the AP usually failed to authenticate users, so I scrapped the idea and now use the same AP as a client to my ISPs wifi network. It works now...
Re:Why does wireless security suck so bad? (Score:5, Funny)
Almost, but your key may not be as truly random as you might think. Post your key here so we can verify it's really secure.
Parent
Re:Why does wireless security suck so bad? (Score:4, Interesting)
What you're describing is EAP-TLS [wikipedia.org], and its definitely the way to go if you're running wireless for a larger business.
Parent
SSL keys aren't entered by hand (Score:3, Interesting)
....that's the difference.
So long as people use convenient passphrases for their security then no amount of fancy algorithms will save them.
This realization is why the US Government eventually dropped all the regulations they used to have on exports of strong encryption.
F@H (Score:5, Interesting)
Re:F@H (Score:5, Funny)
I wonder how long it would take for the entire Folding@Home grid would take to crack a single WAP/WAP2 key. Can anyone do the math?
So that would be Cracking@home?
Parent
Oh, pull the other leg... (Score:5, Interesting)
This is seriously overhyped. #1:
This anouncement effectively signals the death of wireless networking in business networks;
Bullshit. The underlying encryption is based on AES*. AES is not a toy algorithm, and is designed to defend against specialized cracking hardware, and all other known attacks. It is *plenty* strong enough to hold up to a 100X increase in cracking speed, as long as you use good keys, which hopefully you are in a business environment.
I'm willing to believe that a key handling vulnerability might exist in WPA, or a flaw in AES, but the notion that brute force has brought about the death of WPA in business networks is just absurd. At best, this is a reminder to use good keys.
any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether.
Do you think your VPN software has a better underlying algorithm than AES?
* Unless you're using TKIP, which is a toy algorithm, which exists for backwards hardware compatibility, and in my experience isn't used by anyone who cares about security... But even there, the potential attack vectors are through algorithm weaknesses, not brute forcing the keys.
3DES (Score:5, Interesting)
The article says that 3DES has been broken. I think they are mistaken. DES was cracked by a brute force attack but 3DES is still considered secure.
How is their distributed processor system going to crack a 128-bit key that has 128 bits of entropy? Maybe the solution is to update the wi-fi software to make it easier to generate, transport, and install, truly random keys.
Re:3DES (Score:4, Interesting)
Parent
Summary is quite silly! (Score:5, Informative)
Businesses that are serious about their security use one of the many types of WPA-Enterprise. The method described in this article only applies to WPA-Personal which is targeted at home users.
Those businesses that do use WPA-Personal can simply institute a policy that requires better passwords to secure them against this exploit.
Some businesses will continue to use WPA-Personal with poor passwords, and that's fine, but those businesses are probably not too worried about security and have many other bigger vulnerabilities.
So, the claim that "this anouncement effectively signals the death of wireless networking in business networks" is ridiculous.
We're okay (Score:5, Funny)
Hah! My company is okay- we're only using MAC filtering for our security, none of this insecure WEP/WPA crap.
Already GPL'ed ... (Score:4, Informative)
All of this is already available as a GPL'ed tool that has been out for about a month. See http://pyrit.googlecode.com
Bullshit, FUD and the worst summary I've ever read (Score:5, Insightful)
Using GPUs to crack is not "new", it's a well known tachnique. Furthermore, an increase of a factor a 100 is insignificant relative to the number of years it would take to crack a key, hence the crypto is not weakened, dispelling their whole "death of wireless networking" doommonger bullshit. The only thing this actually does is speed up already feasible attacks against bad passphrases, nothing new, and certainly not a "breakthrough".
yeah right (Score:5, Interesting)
wpa2 with a shared key is only crackable with a brute force attack. Assuming that an alphanumeric character is used for each character of the attack, then for a key of length 8 (the minimum) the attack takes 26+26+10+10=72^8 (lowercase+uppercase+numbers+shifted num keys) time which is 7x10^14. A factor of 100 isn't a big deal - it reduces it to 7x10^12.
Even worse, if the key is longer than the minimum, say 14 digits, then the number of brute force keys are 1x10^26 and improving that to 1x10^24 isn't going to make much of a difference at all.
Where I work, we call this FUD (Score:4, Insightful)
The WIFI at my workplace is available, there is little if any security and the traffic isn't encrypted; why? well it has always been associated with being insecure, so when WIFI was rolled out it was placed on the Big I instead of the little i and to get anywhere internal you must bring up a VPN tunnel to work, add some poisoned routing information on both sides to account for the networks being used (internal versus internal) and you have some hope of preventing someone from bridging i to I.
You shouldn't use WIFI for anything that you wouldn't want to share openly and even if you believe that what you are doing is secure you should know that someone could still be capturing your session and working on it offline; the vendors haven't helped either, most wireless routers will 'work' right out of the box, purchase at worst-buy, plug it into your cable modem and in 60 seconds your on, I can't tell you how many networks I've found this way, most still have the default admin account set (just google the model number being advertised by the network)
and your in....