Elcomsoft Claims WPA/WPA2 Cracking Breakthrough 349
secmartin writes "Russian security firm Elcomsoft has released software that uses Nvidia GPUs to speed up the cracking of WPA and WPA2 keys by a factor of 100. Since the software allows them to network thousands of PCs, this anouncement effectively signals the death of wireless networking in business networks; any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether."
Looks Like I'm Safe (Score:5, Interesting)
Thats not really news... (Score:5, Interesting)
There is no special flaw or exploit in use. They just throw more transitors at a special problem.
Everybody who really want to crack into some network (think NSA or industrial espionage) could have used FPGAs for even bigger gains.
And for joe sixpack, weeks on a small cluster is still not a viable way for free internet...
F@H (Score:5, Interesting)
Oh, pull the other leg... (Score:5, Interesting)
This is seriously overhyped. #1:
This anouncement effectively signals the death of wireless networking in business networks;
Bullshit. The underlying encryption is based on AES*. AES is not a toy algorithm, and is designed to defend against specialized cracking hardware, and all other known attacks. It is *plenty* strong enough to hold up to a 100X increase in cracking speed, as long as you use good keys, which hopefully you are in a business environment.
I'm willing to believe that a key handling vulnerability might exist in WPA, or a flaw in AES, but the notion that brute force has brought about the death of WPA in business networks is just absurd. At best, this is a reminder to use good keys.
any network handling sensitive data should start using VPN encryption on machines connecting over Wi-Fi networks, or stop using these networks altogether.
Do you think your VPN software has a better underlying algorithm than AES?
* Unless you're using TKIP, which is a toy algorithm, which exists for backwards hardware compatibility, and in my experience isn't used by anyone who cares about security... But even there, the potential attack vectors are through algorithm weaknesses, not brute forcing the keys.
3DES (Score:5, Interesting)
The article says that 3DES has been broken. I think they are mistaken. DES was cracked by a brute force attack but 3DES is still considered secure.
How is their distributed processor system going to crack a 128-bit key that has 128 bits of entropy? Maybe the solution is to update the wi-fi software to make it easier to generate, transport, and install, truly random keys.
Re:Why does wireless security suck so bad? (Score:5, Interesting)
So what you're saying is, since I'm using the longest freagin key that my router allows, and I used a cryptosecure generator to create it (its totally random), I'm more or less safe?
You can get hard passwords (Score:4, Interesting)
Steve Gibson has a site that generates random passwords on the fly (unique for you): https://www.grc.com/passwords.htm [grc.com]
These are especially good for wireless routers since you normally don't need to type them yourself and they don't get changed that often. (Of course, you should still change them once in a while.)
Hype-Sicle (Score:2, Interesting)
Weird that this article seems to call down doom for WPA in general and particularly in the enterprise.
a) 100x increase, even using 10,000 machines seems insignificant if you are using the maximum WPA key length employing uppercase, lowercase and punctuation? Even a 30 char password seems to last far longer than most of us will be alive. So at worst all this changes is the minimum key length that can usefully be employed on WPA.
b) In the enterprise in my experience you either use no encrypting and rely on protection at other layers (VPN, SSL, etc) or you use a RADIUS based system that hands out a new key for each session. This seems even less likely to be affected by this. Unless...and I admit I've never checked this...they keys being used have some weakness (short, not very complex, etc...) which, again at worst seems to be a wake-up call for hardware vendors if nothing else.
So wrt wireless this is interesting but hardly industry changing.
Re:Why does wireless security suck so bad? (Score:4, Interesting)
What you're describing is EAP-TLS [wikipedia.org], and its definitely the way to go if you're running wireless for a larger business.
Re:Looks Like I'm Safe (Score:3, Interesting)
Re:3DES (Score:4, Interesting)
Re:You can get hard passwords (Score:3, Interesting)
What's amusing, is that devices like mobile phones encourage people to use weaker passwords, as typing a long complicated password into a cellphone is quite a hassle.
SSL keys aren't entered by hand (Score:3, Interesting)
....that's the difference.
So long as people use convenient passphrases for their security then no amount of fancy algorithms will save them.
This realization is why the US Government eventually dropped all the regulations they used to have on exports of strong encryption.
Re:Why does wireless security suck so bad? (Score:3, Interesting)
I used this. Not so for the security (I think a 63 character really random password would be enough), but for convenience - it was easier to copy two files (user certificate and CA certificate) to my cell phone than type ten 63 char password (which for some reason was reset after each phone reboot)...
Now I do not use wifi for my local network. For some reason the AP usually failed to authenticate users, so I scrapped the idea and now use the same AP as a client to my ISPs wifi network. It works now...
yeah right (Score:5, Interesting)
wpa2 with a shared key is only crackable with a brute force attack. Assuming that an alphanumeric character is used for each character of the attack, then for a key of length 8 (the minimum) the attack takes 26+26+10+10=72^8 (lowercase+uppercase+numbers+shifted num keys) time which is 7x10^14. A factor of 100 isn't a big deal - it reduces it to 7x10^12.
Even worse, if the key is longer than the minimum, say 14 digits, then the number of brute force keys are 1x10^26 and improving that to 1x10^24 isn't going to make much of a difference at all.
Re:Does this surprise anyone? (Score:5, Interesting)
Nope. It only requires that someone is recording that data, just as GP said.
So, suppose you're pushing a new key every hour. It takes me 12 hours to crack your key.
If you're not thinking too clearly, it looks like you're safe.
But with modern wireless technologies, how much data can you really push in 12 hours? Let's say you're on a -g network -- 54 mbits -- you'll probably send at most 5 megabytes per second. Suppose you're saturating that constantly -- that means roughly 18 gigs an hour.
So, it takes me 12 hours to crack that -- which means I have to record at most 216 gigs worth of (encrypted) data.
At the end of 12 hours, I've cracked the key from hour 1. I can then go back and decrypt all traffic you sent during that time, including the key you set for hour 2. Then I can decrypt all the data from hour 2, and so on. This will probably take less than an hour.
At that point, I'm caught up, and you're kindly pushing updated keys to me.
So, in other words, your rotating key scheme only works against people who either aren't recording your data, or aren't interested in cracking it at all (for instance, it'd be great if you give a houseguest access for an hour, then the next hour, the key changes from under them)...
Re:Why does wireless security suck so bad? (Score:3, Interesting)
Problems...
1) SSL as it stands for HTTPS and what not typically uses key lengths anywhere from 128-bit all the way up to 4096-bit.
2) WEP/WPA requires the router to decrypt all packets over the wireless network so it can route them.
3) Longer keys = More Processing power required.
4) Encrypting and Decrypting everything may involve a performance hit without more processing power.
End Result: You want it more secure, the router is gonna need more RAM and CPU power to pull it off which means instead of picking up a wireless router for $40-60 for consumer grade stuff it'll probably end up more like $80-120.
Re:Does this surprise anyone? (Score:3, Interesting)
I think that the way I would do it would be as follows:
Have a secret key SECRET. SECRET is never directly used.
When you first initiate the connection, you ask the wireless network for the current salt, SALT in plaintext.
You then use a very secure hash (I think that the one that I wrote a while ago is probably secure enough, though this is an unwarranted assumption, as I haven't shown it to any security experts) and take the hash of SECRET salted with SALT. You use the hash value as the key.
Every XX minutes, SALT changes. Therefore the key changes. However, someone cannot get the new key even if they have broken the old key because they need the SECRET as well as the current salt.
The way to break this would be to break the hash, but with a sufficiently strong hash, that should be difficult to do in a reasonable amount of time, especially if SECRET and SALT are very long.
Re:Does this surprise anyone? (Score:3, Interesting)
That was my reaction, the standard advice going back a long ways was use WEP, but for the love of god also use VPN between the devices. I can't imagine why WPA or WPA2 would make people think that you should be ditching the VPN.
Since WPA2 uses the same encryption that you'd find in a VPN, I wonder why you think it would be less secure?
Re:Looks Like I'm Safe (Score:4, Interesting)
So, computing speed doubles roughly every 18 months. At this rate, it will be down to one year in 55 years (assuming computers keep getting faster at the same rate - 55 years is about as long as we've had commercial computers).
Of course, if you add another alphanumeric to the password, you multiply the complexity by 56, which adds another 10 years to the time before computers will be fast enough to crack it in a year. Another alphanumeric takes it up to 73 years, another up to 81, and so on.
There are some physical limits [wikipedia.org] to the maximum speed of computation. All of the ones we've come close to so far have been practical engineering problems, rather than theoretical ones. 21 more doublings in transistor density and IC features are smaller than the nucleus of an atom (9 more and they're smaller than a helium atom including its electron cloud) - only possible if you're building your CPU out of neutronium, so it seems unlikely that we'll get to 54 without some brand new physics. Increasing transistor density isn't the only way of increasing computational power, but so far it's been the easiest (although each doubling does require an R&D budget measured in billions of dollars).
Re:You can get hard passwords (Score:3, Interesting)
Randomly banging on the keyboard clearly produces less than ideal entropy. Case in point, your password contains "asedf", which I'm willing to bet was the result of you drumming the fingers of your left hand. Now, whether it matters for such a long password is another matter, but if you're paranoid enough to use a password like that, you may as well go the extra mile.
Re:Rotate your keys (Score:2, Interesting)
Actually changing keys weakens your security.
Assuming your not using one of the 1000 most popular wifi names, an attacker will first have to generate possible keys for your system (slow as hell) then he will have to compare them to the captured packets (really quick)
If an attacker can tell youve changed your password (or if he gets lucky and thinks you have) then he has a better chance of guessing your one of your keys.
chance of correct guess = (number of keys)/96^(length of key)
I mean the important factor is still the key length (96 times more important to be exact) but bad advice is still bad advice
with 1 key i the attacker checks 1/2 the key space he has 50% chance off success
with 2 keys he has a 75% chance of success
with 4 keys he has a 93% chance of success
Re:Does this surprise anyone? (Score:4, Interesting)
[This is where someone else who knows something about crypto chimes in... I just know this because I'd seen someone else getting called out on this misconception.]
W007! I actually do know something about crypto (as well as number theory, which is useful and fun).
You are right about the fact that, if SALT were transmitted through plaintext every time, it would only be a matter of time before SECRET would be able to be deduced (assuming that the method of breaking the overall WPA encryption allows you to figure out the encryption key being used [I don't know too much about WPA in particular, so I'm not sure if it is public key or not]).
I should have been clearer. Every XX minutes, a different SALT is transmitted via ciphertext.
This increases the complexity of the problem significantly:
You must break the first encryption key and gain the full key. The key looks something like:
a8fbcd1db5a6bf013763fd45a32f2b319bfba413
You must break the second encryption key. Again, the key looks something like:
216cd69e6e4112b6adffec1853ae415b0fa45fcf
[Wash, rinse, repeat]
You eventually have enough keys lined up to figure out that they use the sha1sum and all start with "this is insanity ", therefore SECRET="this is insanity ".
The problem is that you have to break the encryption scheme enough times to gain enough keys to establish what SECRET is. Then you have to break the hash. If it is a particularly good hash (i.e. NOT MD5 OR SHA1!) and the key that you are hashing has sufficient entropy (i.e. consists of random data) then you shouldn't be able to break the hash using a rainbow table, and brute force might be necessary.
Now, you can always try to mathematically find a flaw in the hash or encryption scheme, but that is a different problem. Personally, I wouldn't trust an encryption scheme designed by someone else unless I had the mathematical background to prove it, which, in the case of RSA, I do. Therefore, I would use RSA with as large a key and block size as is feasible. I'd probably also write my own implementation [activestate.com].
(I must confess, though, that the implementation I wrote to which I have linked is not by any means secure as it stands. It is also probably buggy, as I spent maybe half an hour on it at most. Someone commented on another recipe that writing RSA should be simple, and so I took the opportunity to write it.)
Company where I work had WiFi encrypted for years. (Score:3, Interesting)
Cracking WEP/WPA will hardly be the end of business WiFi.
For instance: The company where I'm working has operated for years on the assumption that WiFi's own encryption is just a warning sign and trivially broken.
They have the WiFi on its own subnet with its own firewall. Get on (with the WEP key) and you can only reach the nameserver, VPN server, and SSH server. Use an encrypted tunnel or you might as well be standalone.