Security Basics mailing list archives
Re: Is Dynamic WEP Secure Enough?
From: John Pettitt <jpp () cloudview com>
Date: Wed, 23 Mar 2005 11:15:34 -0800
shankarnarayan.d () netsol co in wrote:
[snip] To an external user (sitting in the parking lot) this poses 5 levels of randomness - 1. different users have different keys 2. different users changing their keys at different points in time 3. different users traversing across Access Points and hence changing their keys 4. The physical security that is existing on the ground that can contribute (if not greatly - at least to a reasonable extent) and hence the probability of finding out a parking lot hacker 5. Add again the probability of this guy getting sufficient numbers of weak IV's
The point is that even with lots of different keys an active attack can generate enough traffic to exploit.
SHOULD WE STILL BE AS PARANOID AS THESE MAILS SOUND OR CAN WE RELAX A BIT.
There are two issues here. One is understanding the threat. Given that the organization in the original post feels strongly enough about security to have guards roaming the parking lots one can assume a high enough value target to be worth attacking. A motivated attacker will have the latest tools and enough computing power to exploit a weak system. Second - once you understand the threat the question becomes how to respond. WEP is not a good response for several reasons. Chief amongst them is that it's basically flawed (bad design) so anything you do on top of it is effectivly re-arranging the deck furniture on the Titanic. While dynamically changing the WEP key makes it harder to attack it doesn't make it infeasible to attack. The point of cryptographic security is to make attacks prohibitively expensive in terms of computing power and time - WEP doesn't meet this test. So when considering a new infrastructure upgrade do you a) use a system that's known to be broken and hope it holds together or b) do it right and switch to a VPN system designed from the ground up for use in hostile environments? Remember "Just because I'm paranoid it doesn't mean they are not out to get me:" John
Current thread:
- Is Dynamic WEP Secure Enough? Jon Smith (Mar 21)
- Re: Is Dynamic WEP Secure Enough? John Pettitt (Mar 21)
- Re: Is Dynamic WEP Secure Enough? Vladamir (Mar 21)
- Re: Is Dynamic WEP Secure Enough? Kelly Martin (Mar 21)
- Re: Is Dynamic WEP Secure Enough? Vladamir (Mar 22)
- RE: Is Dynamic WEP Secure Enough? David Gillett (Mar 22)
- Re: Is Dynamic WEP Secure Enough? Steve (Mar 22)
- <Possible follow-ups>
- Re: Is Dynamic WEP Secure Enough? Jon Smith (Mar 22)
- Re: Is Dynamic WEP Secure Enough? shankarnarayan.d (Mar 23)
- Re: Is Dynamic WEP Secure Enough? John Pettitt (Mar 23)
- Re: Is Dynamic WEP Secure Enough? Vladamir (Mar 23)
- Re: Is Dynamic WEP Secure Enough? Kinnell (Mar 28)