Exposing WPA2 Paper - SANS Internet Storm Center

Exposing WPA2 Paper
A new paper(1) discussing vulnerabilities on WPA2-PSK was released recently and many people have been interested in it, but have not gained access. By using a library, yes they still exist and are still useful, I was able to get access to the paper. WPA2-PSK has a key length between 8 to 63 ASCII characters. They collected WPA2 handshakes using Aireplay deauthentication attack. Their method uses pre generated dictionary of 666,696 entries and Aircrack to bruteforce the password in their test. They wrote a program that would generate a dictionary of all possible 95 ASCII characters for the entire PSK key space. They also discuss ways to prevent this type of attack. While the methodology is sound and I applaud anyone that publishes papers, but didn�??t uncover a new flaw. WPA2 Rainbow tables(2) have been around for a while and you gain a huge speed advantages in this case. Pure brute forcing the entire ASCII passwords can be done without a pre generated dictionary and they didn�??t discuss any speed trade-off by doing this. I would love to see a follow-up with comparisons. Check with your library and see if they have it, or if they can do a interlibrary loan. What do you think of the paper? 1. Tsitroulis, Achilleas, Dimitris Lampoudis, and Emmanuel Tsekleves. "Exposing WPA2 security protocol vulnerabilities." International Journal of Information and Computer Security 6.1 (2014): 93-107. 2. "The Renderlab: Church of Wifi WPA-PSK Lookup Tables." 2006. 2 May. 2014 <hxxp://www.renderlab.net/projects/WPA-tables/> -- Tom Webb	Tom 48 Posts ISC Handler
Reply Subscribe	May 2nd 2014 4 years ago
yet another inane argument that passwords are broken Let's see, you generate a random 63 character string to use for the WPA2 share secret. That's 95^63 possible combinations or 10^124 possibilities. Would take the NSA a few centuries to crack. So what? If you pick a stupid password you get hacked. So what? You deserve it.	Starlight 34 Posts
Reply Quote	May 3rd 2014 4 years ago
We all know that almost every encryption can be bruteforced. That is not the problem here afaik: "Although the time taken to break into a system rises with longer and longer passwords. However, it is the de-authentication step in the wireless setup that represents a much more accessible entry point for an intruder with the appropriate hacking tools. As part of their purported security protocols routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time. The team points out that the de-authentication step essentially leaves a backdoor unlocked albeit temporarily. Temporarily is long enough for a fast-wireless scanner and a determined intruder."	Starlight 1 Posts
Reply Quote	May 3rd 2014 4 years ago

A new paper(1) discussing vulnerabilities on WPA2-PSK was released recently and many people have been interested in it, but have not gained access. By using a library, yes they still exist and are still useful, I was able to get access to the paper.

WPA2-PSK has a key length between 8 to 63 ASCII characters. They collected WPA2 handshakes using Aireplay deauthentication attack. Their method uses pre generated dictionary of 666,696 entries and Aircrack to bruteforce the password in their test. They wrote a program that would generate a dictionary of all possible 95 ASCII characters for the entire PSK key space. They also discuss ways to prevent this type of attack.

While the methodology is sound and I applaud anyone that publishes papers, but didn�??t uncover a new flaw. WPA2 Rainbow tables(2) have been around for a while and you gain a huge speed advantages in this case. Pure brute forcing the entire ASCII passwords can be done without a pre generated dictionary and they didn�??t discuss any speed trade-off by doing this. I would love to see a follow-up with comparisons.

Check with your library and see if they have it, or if they can do a interlibrary loan. What do you think of the paper?

1. Tsitroulis, Achilleas, Dimitris Lampoudis, and Emmanuel Tsekleves. "Exposing WPA2 security protocol vulnerabilities." International Journal of Information and Computer Security 6.1 (2014): 93-107.

2. "The Renderlab: Church of Wifi WPA-PSK Lookup Tables." 2006. 2 May. 2014 <hxxp://www.renderlab.net/projects/WPA-tables/>

--

Tom Webb

Tom

48 Posts
ISC Handler

yet another inane argument that passwords are broken

Let's see, you generate a random 63
character string to use for the
WPA2 share secret. That's 95^63
possible combinations or 10^124
possibilities. Would take the
NSA a few centuries to crack.

So what?

If you pick a stupid password you
get hacked. So what? You deserve
it.

Starlight

34 Posts

We all know that almost every encryption can be bruteforced. That is not the problem here afaik:
"Although the time taken to break into a system rises with longer and longer passwords. However, it is the de-authentication step in the wireless setup that represents a much more accessible entry point for an intruder with the appropriate hacking tools. As part of their purported security protocols routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time. The team points out that the de-authentication step essentially leaves a backdoor unlocked albeit temporarily. Temporarily is long enough for a fast-wireless scanner and a determined intruder."

Starlight
1 Posts