
Question regarding wireless security

Discussion in 'Tomato Firmware' started by QSxx, Nov 17, 2009.

  1. QSxx

    QSxx LI Guru Member

    My WRT is currently running on WPA / WPA2 Personal + TKIP / AES, and I used that convenient little button that Tomato has generating LOTS of random characters. That mumbojumbo is used as passphrase.

    I wonder now:
    1. Is it harder for router to cope with longer passphrases (encrypting stuff) or is it same as it would be if I used only, let's say, 4 chars instead of 50+?
    2. I'm not that freaked out about wlan security ... I'm checking router often enough to notice someone poking around - on the other hand I wouldn't want anyone getting my passwords because of crappy encryption. (Banking and such stuff is done thru wired connection)

    Situation is following:


    Household WRT54G with 3 wired & 4 wireless clients - only 2 wired clients are in serious stuff, one is NAS holding media files - nothing sensitive, wireless clients are more into stuff like facefook, youtube, yadda yadda...

    Suggestions?
     
  2. jan.n

    jan.n Addicted to LI Member

    Re: WLAN security

    I don't think a longer passphrase will generate more system load.

    Regarding security:
    I really care about security, some would say I'm almost paranoid about it. But nevertheless I use WPA2 / AES and do banking over my WLAN connection.

    As far as I remember, WPA/TKIP has a flaw and using dictionary and / or brute-force attacks it seems it's easy to break, there are even programs that use the number-crunching GPUs for that. So in your case, the length of the password and its complexity really *does* matter. Use a long and random one, and for the moment, you should be safe.

    Remember: Security is not about systems, it's about evaluating risks.
    Should you do sensitive stuff over WLAN? Consider these points and others:
    - How secure is the client you use? Viruses, Trojans and other users may spy on you
    - How secure is the WLAN you use
    - Are you sitting near a window? People can watch you enter your password
    - How secure is the SSL-Connection (http://news.softpedia.com/news/Major-SSL-Flaw-Was-Being-Patched-in-Secret-126241.shtml)
    - Are the required passwords on post-it notes stuck to the monitor? People that visit you may peek and take notes
    - ...

    Now evaluate the risks and judge if you can take it.
    For example, I sometimes sit next to the window while banking. I consider the risk of someone secretly watching me typing my password quite low, as I live in a small village where I quite surely would note if there was someone outside watching me.
     
  3. QSxx

    QSxx LI Guru Member

    So basically what you are saying is:

    1. long password is same as short (reasonably) as long as short one has enough randomness
    2. I should stick to WPA2/AES? with 16ish random generated passphrase

    3. should I consider WEP since it's way LESS cpu intensive? I heard WEP can be cracked in a matter of seconds?

    My doubt is deciding between uber-protection and hogging cpu and literally going without security because as I already said - my wireless clients aren't really important security-wise

    Anyone here benchmarked wireless performance of WRT54Gs using different encryption methods?
     
  4. Planiwa

    Planiwa LI Guru Member

  5. TexasFlood

    TexasFlood Network Guru Member

    My understanding is that AES is the key, whether it's WPA or WPA2 that's used, so I use WPA PSK AES. As far as pass-phrase, the guidance I've read is to use a minimum of 20 characters with some randomness to throw off dictionary attacks. Maybe less is OK but I don't really find it that stressful to come up with a 20-something character phrase with some Os replaced by 0s, Is replaced by 1s, or spaces replaced by periods, stuff like that. And yes I've heard WEP can be easily cracked with the right tools, whether it's seconds or minutes I'm not sure, but it doesn't take long.
     
  6. Azuse

    Azuse LI Guru Member

    WPA2 + AES with the full 64 character key (use the random button if you're lazy).

    What will checking the router do for your security? No router can tell you if someone's watching your wireless traffic.
     
  7. QSxx

    QSxx LI Guru Member

    Nothing - I was referring to DHCP lease or device log ... even that ain't perfect but sure gives some idea ...

    For the moment I'm on WPA PSK AES with 32 char key randomness - ?=)(/?$ stuff included too...

    Benchmarking in progress...
     
  8. SL83

    SL83 Addicted to LI Member

    For the record,

    WPA 1 with AES and WPA2 with AES offer the same level of security.

    Both are using AES-128 bit encryption. The only thing that has changed between WPA1 and WPA2 are authentication speeds and better support for roaming among WAPS.
     
  9. jan.n

    jan.n Addicted to LI Member

    Nooooooo! Not at all. You asked if a longer password generated more system load than a shorter one. My answer: I don't think a longer passphrase will generate more system load. You should always use passwords as long as you can. The more characters you use, the harder it is to successfully brute-force.

    Yes, because WPA2 uses CCMP, which is not vulnerable to the attack used on TKIP.[1]

    Nooooo, oh my god I never thought you could possibly get me so wrong.

    Waah, now it's getting absurd. Where the hell did I write that? I'd *never ever in my life* give the advice to use WEP.

    I don't understand your problems with cpu hogging. Do you have issues with your router? Is it slow? Did you ssh into it and the load was >1?

    Look at it this way:
    Wireless security is one if not the most important task of your WLAN router and although I did not benchmark it I *really* am sure that changing from WEP to AES does NOT affect the cpu load. I totally agree with Azuse here, use WPA2 + AES with the full 64 character key. Why do you care about some cpu cycles more or less? It doesn't cost you anything!

    No, you won't find anything in the logs if someone just captures your traffic and then decrypts the capture offline. It's enough for the bad boys to just *listen*:

    Imagine you're doing banking by phone. You call your banking-agent, tell your name and a password, then you transfer money. It is totally sufficient for a crook to just *listen* to your conversation, then call your bank, say your name and password and the bank guy on the other end will happily transfer your money. See? All the bad boys need to do is just *listen* (BTW: This example is just about authentication, encryption is not used).

    [1] WPA with TKIP "was developed as kind of an interim encryption method as Wi-Fi security was evolving several years ago," said Kelly Davis-Felner, marketing director with the Wi-Fi Alliance, the industry group that certifies Wi-Fi devices. People should now use WPA 2, she said.

    Wi-Fi-certified products have had to support WPA 2 since March 2006. "There's certainly a decent amount of WPA with TKIP out in the installed base today, but a better alternative has been out for a long time," Davis-Felner said.
    [source: http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html]
     
  10. jan.n

    jan.n Addicted to LI Member

    AFAIK not exactly: WPA uses TKIP which is vulnerable, WPA2 uses CCMP which isn't.
     
  11. TexasFlood

    TexasFlood Network Guru Member

    CCMP (AES) is supported by WPA although not mandatory & I've been using it for years.
     
  12. jan.n

    jan.n Addicted to LI Member

    Oh, I see. Thanks for the clarification.
    But in general, do you agree that WPA/TKIP is less secure (= higher risk) than (WPA|WPA2)/CCMP because of the Ohigashi-Morii attack?
     
  13. TexasFlood

    TexasFlood Network Guru Member

    I agree that TKIP is less secure and I would no longer use it. It has also been significantly less stable on my equipment than CCMP (AES).
     
  14. Planiwa

    Planiwa LI Guru Member

    Does this make sense?:

    Code:
                     Authentication-Method  Encryption-Method      Cipher-Method
                                            Mandatory  Optional    Man.  Opt.
    WPA  Personal    PSK                    TKIP       CCMP        RC4   AES
    WPA  Enterprise      EAP                TKIP       CCMP        RC4   AES
    WPA2 Personal    PSK                    CCMP       TKIP        AES   RC4
    WPA2 Enterprise      EAP                CCMP       TKIP        AES   RC4
    
     
  15. TVTV

    TVTV LI Guru Member

    WPA can also use AES. At least on my router...
     
  16. QSxx

    QSxx LI Guru Member

    So the best thing, hardest to crack and listen is actually this:

    WPA2 Personal (PSK) + AES with 63 (yes, I double-checked) alphanumeric mumbojumbo...

    Right?
     
  17. jan.n

    jan.n Addicted to LI Member

    OK OK, I got it :biggrin:

    IMHO: Yes
     
  18. TVTV

    TVTV LI Guru Member

    IMHO - it's impossible to crack without physical access to the router. :p And a brute-force attack would take... well... years? :D
     
  19. ringer004

    ringer004 LI Guru Member

    Try this

    A similar topic came up some time ago:

    http://www.linksysinfo.org/forums/showthread.php?t=62151

    I provided some math that showed you really only need a password about 12 characters in length, using uppercase letters, lowercase letters, and digits.

    This all assumes there is not some inherent flaw in the WPA/AES design. This also assumes the password is completely random (no address where you live, birthdays, pet's name, etc).
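
Added example, not part of the original thread: a sketch of the two technical points discussed above, namely that a WPA/WPA2-Personal passphrase of any allowed length is stretched once into the same 256-bit key (so its length does not change per-packet work on the router), and how large the keyspace is for the passphrase policies posters mention. The function names, the SSID `ExampleNet`, the sample passphrases and the guess rate are assumptions made for illustration.

```python
import hashlib
import math

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key for WPA/WPA2-Personal.

    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

# Policies mentioned in the thread, assuming fully random characters:
# (label, alphabet size, length)
POLICIES = [
    ("12 chars, upper+lower+digits", 62, 12),
    ("32 chars, printable ASCII", 95, 32),
    ("63 chars, printable ASCII", 95, 63),
    ("64 hex digits (raw 256-bit key)", 16, 64),
]

if __name__ == "__main__":
    ssid = "ExampleNet"  # constructed SSID
    # Constructed passphrases: shortest and longest lengths WPA allows.
    for pw in ("a" * 8, "a" * 63):
        pmk = wpa_pmk(pw, ssid)
        print(f"{len(pw):2d}-char passphrase -> {len(pmk) * 8}-bit PMK")
    rate = 1e6  # assumed guesses per second, for illustration only
    for label, alphabet, length in POLICIES:
        bits = keyspace_bits(alphabet, length)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years to exhaust")
```

The estimates only hold for randomly generated passphrases; a phrase built from words or personal details has far less entropy than its length suggests.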
     
