Educause Security Discussion mailing list archives
Re: Wireless WPA2 MSCHAPv2
From: Caroline Couture <caroline () POBOX UPENN EDU>
Date: Tue, 31 Jul 2012 15:46:12 +0000
Hi Frank, I have a training meeting at 1:30 that I'm afraid might run late. How about we do next week. Just email me when you know you will be back. Are you trying to do this on your office computer or your Mac? I can try some testing before hand. Caroline "Vulnerability is not weakness. I define vulnerability as emotional risk, exposure, uncertainty. It fuels our daily lives. And I've come to the belief -- this is my 12th year doing this research -- that vulnerability is our most accurate measurement of courage -- to be vulnerable, to let ourselves be seen, to be honest." - Brene Brown ________________________________________ From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Steve Bohrer [skbohrer () SIMONS-ROCK EDU] Sent: Tuesday, July 31, 2012 11:36 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Wireless WPA2 MSCHAPv2 On Jul 31, 2012, at 8:58 AM, Parker, Ben C wrote:
Reading through the news, I saw that at Defcon MSCHAPv2 has been effectively compromised. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/This includes the use of it in WPA2 connections to radius servers for authentication. Per the article, the current recommendation for enterprise wireless deployments is to move to using client certificates for authentication.
I'm over my head on crypto stuff, but in discussion about this crack on slashdot ( http://science.slashdot.org/story/12/07/30/167210/new-moxie-marlinspike-tool-cracks-crypto-passwords ) a couple of commenters suggest that the PEAP layer of PEAP- MSCHAPv2 802.1x wireless auth protects the MSCHAPv2 from the sort of sniffing that this crack exploits. Here's quotes from two comments: From http://science.slashdot.org/comments.pl?sid=3014645&cid=40821639 : "For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP (SSL) session. This should be safe as long as your client is configured to validate the server-side certificate only against CAs that are not likely to be compromised (i.e. a rougue cert generated). Preferably, one should also validate the certificate's subject (usually the name of the RADIUS server)." From http://science.slashdot.org/comments.pl?sid=3014645&cid=40822837 : "Those eduroam sites that use MSCHAPv2 use PEAP-MSCHAPv2. You have to crack the PEAP before you can crack the MSCHAPv2." Any of the experts here wish to confirm or deny if PEAP-MSCHAPv2 is still okay in the face of this new tool? Thanks, Steve Bohrer Network Admin Bard College at Simon's Rock 413-528-7645
Current thread:
- Wireless WPA2 MSCHAPv2 Parker, Ben C (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Steve Bohrer (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Caroline Couture (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Caroline Couture (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Justin Azoff (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Steve Bohrer (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Justin Azoff (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Harry Hoffman (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Steve Bohrer (Jul 31)
- Re: Wireless WPA2 MSCHAPv2 Joseph N Kurtin (Aug 02)
- Re: Wireless WPA2 MSCHAPv2 Shamblin, Quinn (Jul 31)