Security Basics mailing list archives
RE: Dumb question abt. Wireless WEP security 2 - ssl
From: "Prasad S. Athawale" <athawale () buffalo edu>
Date: Sun, 25 Jan 2004 16:36:16 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

> wireless communications is done with 40bit rc4 cipher... NOT ssl ...

Agreed. It uses a 64 bit key (14 bit is plain text - hence 40 bit). Some of them also use 128 bit (effective 114 bit).

> rc4 has been broken back in feb 2001 by simple brute force, and/or
> by people using dictionary or trivial passwords

Yes, encryption has been broken - to reveal the underlying data - in case the data was encrypted before being transmitted via WEP, all you get (after brute forcing WEP) is the data in encrypted form of the earlier encryption.

> even if you use wireless w/ ssh or ssl ... your encrypted ssh/ssl
> data is ( wirelessly ) sniffed and decryptable since your initial
> passwd/pass phrase was also sniffed

As regards the SSL 'password' or rather 'passphrase', this gets decided using conventional public key encryption schema, viz. Diffie-Hellman/RSA etc. This has nothing to do with WEP - and this encryption would happen before the WEP is done - which would be at transmission time.

Hope my point is understood. Any thoughts, anyone?

- -------------------------------------------------------------
Prasad S. Athawale
Graduate Student
University at Buffalo
- -------------------------------------------------------------
' there are 10 kinds of people in this world - those who understand binary and those who don't'

- -----Original Message-----
From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Consulting com]
Sent: Sunday, January 25, 2004 4:25 PM
To: athawale () buffalo edu
Cc: security-basics () securityfocus com
Subject: Re: Dumb question abt. Wireless WEP security 2 - ssl

hi ya hth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

As per my understanding, the SSL channel will not be compromised in case the password is discovered. Of course - in such a case you don't need to do any kind of sniffing etc, you can directly log in! But technically, the 48 byte passphrase used to encrypt the SSL connection (which uses a pre-determined encryption algo (RSA, DES etc)) is exchanged between the server and the client before the https connection can be set up.

wireless communications is done with 40bit rc4 cipher... NOT ssl ...

rc4 has been broken back in feb 2001 by simple brute force, and/or by people using dictionary or trivial passwords

even if you use wireless w/ ssh or ssl ... your encrypted ssh/ssl data is ( wirelessly ) sniffed and decryptable since your initial passwd/pass phrase was also sniffed

c ya
alvin

ssh/ssl encryption doesn't help if you use insecure passphrases or an exploitable ssh daemon/clients

(wireless stuff) wep is cracked ... more wireless fun
http://www.Linux-Sec.net/Wireless/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQBQ20IKN2ncVpx7SEQIMSACgzYSe+Db00EdWSQgC++W3SRJdAfcAoMWV
x+mr3C9upJzzGs1GRNaL3AjG
=oyK8
-----END PGP SIGNATURE-----
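
The layering argument in this message (upper-layer encryption is applied before WEP, so removing WEP exposes only the inner ciphertext), shown as an added Python example that is not part of the original post. It uses the IEEE 802.11 WEP layout (a 24-bit IV sent in the clear and prepended to the 40-bit secret as the RC4 key); `upper_layer` is a hypothetical stand-in for SSL/SSH, and the keys and message are constructed.

```python
import hashlib
import hmac
import os
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encapsulate(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Cleartext IV || RC4(IV || key, payload || ICV); key-ID byte omitted."""
    return iv + rc4(iv + wep_key, payload + icv(payload))

def wep_decapsulate(wep_key: bytes, frame: bytes) -> bytes:
    """What anyone who has recovered the WEP key gets from a sniffed frame."""
    plain = rc4(frame[:3] + wep_key, frame[3:])
    if icv(plain[:-4]) != plain[-4:]:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return plain[:-4]

def upper_layer(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for the SSL/SSH record layer (not real TLS): XOR with an
    HMAC-SHA256 counter keystream keyed end to end, independent of WEP."""
    blocks = (hmac.new(session_key, struct.pack(">I", n), hashlib.sha256).digest()
              for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

# Constructed sample values, not taken from the thread.
WEP_KEY = bytes.fromhex("0102030405")   # 40-bit shared WEP secret
SESSION_KEY = bytes(range(32))          # negotiated above the link layer
MESSAGE = b"user=alice&pass=correct-horse"

def seen_after_wep_removed(message: bytes, use_upper_layer: bool) -> bytes:
    inner = upper_layer(SESSION_KEY, message) if use_upper_layer else message
    return wep_decapsulate(WEP_KEY, wep_encapsulate(WEP_KEY, os.urandom(3), inner))
```

With `use_upper_layer=False` the function returns the message itself; with `True` it returns bytes that are readable only with the session key, which WEP never carried.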
Current thread:
- Dumb question abt. Wireless WEP security 2 D.E. Chadbourne (Jan 21)
- Re: Dumb question abt. Wireless WEP security 2 Paul Kurczaba (Jan 21)
- Re: Dumb question abt. Wireless WEP security 2 Alvin Oga (Jan 22)
- RE: Dumb question abt. Wireless WEP security 2 Prasad S. Athawale (Jan 26)
- Re: Dumb question abt. Wireless WEP security 2 - ssl Alvin Oga (Jan 26)
- RE: Dumb question abt. Wireless WEP security 2 - ssl Prasad S. Athawale (Jan 26)
- RE: Dumb question abt. Wireless WEP security 2 - ssl Random Task (Jan 27)