Question about encryption

iamgenius

Senior member
Jun 6, 2008
I'm not into cryptography but this question struck my mind. We know that WPA2 is the strongest encryption for protecting wifi signals. WEP and WPA are weaker and were broken into. Now my question is: how does it really differ?

Now, if we take brute force as the method of attack for example, and by using WEP it will take X time to crack the key. Now if I use the same key and use WPA2 instead, brute force should still be able to crack it in the same X time. That's because it is the same identical key, so how did WPA2 help here?

I know that it has to do with the algorithm used for the encryption, or am I wrong?
 

seepy83

Platinum Member
Nov 12, 2003
The short answer is that the exploits against WEP and WPA networks aren't just a matter of hammering away at the AP trying key after key until you get it.
In fact, the WPA TKIP attack doesn't even accomplish key recovery, but it does allow you to decrypt a small amount of traffic from the AP to the client, and then inject some packets back into the network without authenticating.

The aircrack-ng page has lots of good reading material on 802.11 attacks (some of it gets very technical) http://www.aircrack-ng.org/doku.php?id=links. Also, Josh Wright's page (willhackforsushi.com) should have good info on wireless attacks. I can remember watching a webcast he did back when the TKIP vuln was discovered.
 

John Connor

Lifer
Nov 30, 2012
I used to use WPA2 TKIP+AES, but found out TKIP has a vulnerability so I switched to just WPA2 AES. The difference between WEP and WPA2 to my knowledge is that with WEP you can collect interesting IVs to crack the key, and you can inject traffic into the target AP to gather said IVs. With WPA2 you're stuck with brute forcing and you have to have a whole hell of a lot of IVs.

I have tried cracking networks back in the day when WEP was more prevalent using aircrack-ng, but I wasn't able to collect enough good IVs and my WiFi card wasn't capable of injection. Now damn near all my neighbors use WPA2. There's one that I can see that uses WEP.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
> I'm not into cryptography but this question struck my mind. We know that WPA2 is the strongest encryption for protecting wifi signals. WEP and WPA are weaker and were broken into. Now my question is: how does it really differ?
>
> Now, if we take brute force as the method of attack for example, and by using WEP it will take X time to crack the key. Now if I use the same key and use WPA2 instead, brute force should still be able to crack it in the same X time. That's because it is the same identical key, so how did WPA2 help here?
>
> I know that it has to do with the algorithm used for the encryption, or am I wrong?

WEP is completely broken. There's a weakness in the crypto which allows you to recover the key. It requires collecting data off the network first and looking for so-called "weak" IVs; these are just bits of data where the crypto is easy to crack. Collect enough data and eventually you'll get a weak IV and boom, you have the crypto key (note, it doesn't reveal the password).

WPA and WPA2 are actually functionally the same when it comes to attacks. What you do is monitor an access point until a client with the correct password connects. The client and the access point do what's called a 4-way handshake; if you capture that to a file, you can then use that handshake to run the password through a dictionary attack.

WPA and WPA2 are hardened against brute force: they actually loop each password through 4096 iterations of SHA1 encryption, which means testing whether a password matches is very slow. Cracking accelerated by GPUs might reach a few hundred thousand attempts per sec; my SLI GTX580s get a total of about 75,000 per sec.

Not nearly enough to brute force the password in a short time frame, but enough to run the password through a large dictionary attack of a few billion common passwords/phrases.

Lastly routers may be using WPS which is a feature enabled on most modern routers by default and is open to a brute force attack.
 
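To make the "4096 iterations" point above concrete, here is an added example (not code from the thread): the WPA/WPA2 PSK derivation is PBKDF2-HMAC-SHA1 with the SSID as salt, so every guess costs thousands of HMAC operations and a precomputed table for one network name is useless for another. The SSID, passphrase and wordlist are constructed values; a real check would also need the captured 4-way handshake to compare against, which this skips by comparing the derived PMK directly.

```python
import hashlib
import time

# Constructed example values, not from the thread.
SSID = "HomeNet"
PASSPHRASE = "sunshine1"


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 Pairwise Master Key from a passphrase.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds,
    32 bytes). Because SHA1 yields 20 bytes, two blocks are computed, so a
    single guess actually costs 8192 HMAC-SHA1 calls.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_in_wordlist(target_pmk: bytes, ssid: str, wordlist):
    """Self-audit: does any wordlist entry reproduce target_pmk for this SSID?

    Returns (matching_word_or_None, guesses_tried). Every guess pays the full
    PBKDF2 cost; there is no shortcut comparable to WEP's weak IVs.
    """
    for n, word in enumerate(wordlist, 1):
        if wpa2_psk(word, ssid) == target_pmk:
            return word, n
    return None, len(wordlist)


def guesses_per_second(ssid: str, rounds: int = 50) -> float:
    """Rough single-core guess rate, for comparison with the GPU figures above."""
    start = time.perf_counter()
    for i in range(rounds):
        wpa2_psk(f"candidate{i}", ssid)
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    target = wpa2_psk(PASSPHRASE, SSID)
    # Same passphrase, different SSID -> different PMK (the salt at work).
    print(wpa2_psk(PASSPHRASE, "OtherNet") != target)
    words = ["password", "letmein", "sunshine", "sunshine1", "qwerty123"]
    print(passphrase_in_wordlist(target, SSID, words))
    print(f"{guesses_per_second(SSID):.0f} guesses/s on one CPU core")
```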

Knowing

Golden Member
Mar 18, 2014
> Lastly routers may be using WPS which is a feature enabled on most modern routers by default and is open to a brute force attack.

I think this is the greatest vulnerability of the consumer grade routers. It's a waste of time to let a GPU array crunch away at crypto when any CPU can throw 7 digit numeric codes at a router until it gives up the goods. What's worse is that some routers don't turn off the service when the user selects "off" on the router configuration page.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
> I think this is the greatest vulnerability of the consumer grade routers. It's a waste of time to let a GPU array crunch away at crypto when any CPU can throw 7 digit numeric codes at a router until it gives up the goods. What's worse is that some routers don't turn off the service when the user selects "off" on the router configuration page.

It's a pretty big vulnerability. In practice it seems like a lot of modern routers have extremely aggressive throttling on WPS attempts, which means after a few in a row they'll block requests.

It can turn an attack a few hours long into one that literally takes weeks or months depending on how much it throttles use, but eventually, given enough time, you'll get the WPS pin. The great thing about that is even if the router pw changes you can use the same PIN to request the new pw; also, if you have physical access to the router, often the default WPS pin is printed on it. GPU cracking the WPA1/2 passwords is actually faster if they have a weak password: with a fast GPU setup you can blow through a billion-long dictionary in a few hours despite the hardening of SHA1.

It's worth testing yourself with available tools to see if WPS was really disabled on your router when you selected to disable it in the web interface. As Knowing pointed out, not all routers actually disable WPS correctly.