Wi-Fi Protected Access (WPA) has a weakness: poorly chosen short human-readable passphrases can be cracked with a robust dictionary attack offline and without access to the network. Robert Moskowitz, the senior technical director of TruSecure Corp.'s ICSA Labs, has given me permission to post this paper he has written that describes a weakness in the interface design for WPA-equipped access points and adapters.
Robert's paper is rather technical and specific, but I can summarize:
Short, text-based WPA keys can be broken through no fault in the WPA protocol.
The longer summary: If you use the standard interface for WPA key entry and provide a text passphrase of fewer than 20 characters that uses words found in dictionaries, a cracker passively intercepting initial key exchange messages can employ an offline dictionary attack and extract the encryption key, gaining access to the network. Key exchange messages occur at the beginning of a connection between an adapter (station) and an access point; a cracker can force that exchange to repeat by sending a disassociate message, which forces a new exchange within about 30 seconds. So a cracker can be on and off the network in a couple of minutes with the information they need. This is actually much worse than WEP, but easily solved.
Robert points out that dictionary-based cracking programs abound, and that little modification would be needed to turn one of those into a weak-WPA-key attack.
The fundamentals of WPA remain intact; this is technically an interface problem given that manufacturers know -- as he points out in his paper -- that users won't enter long keys. Microsoft solved this problem with their 128-bit WEP solution for their broadband gateway by writing the key to a floppy disk after it was generated, allowing users to walk the key from machine to machine.
It should be made clear that WEP's flaws were deep within: WEP can be cracked regardless of how good your key selection is or how long the key is. With WPA, the length of the passphrase and its quality have a direct relationship to its integrity.
The problem Robert describes isn't unknown; he's just isolated and expanded on it. The solution is also quite simple: choose a key of at least 96 bits or a passphrase that includes gibberish that's more than 20 characters long. So far, of all the WPA interfaces that I've seen, only Apple's allows you to enter raw hexadecimal and they require 64 hex characters (32 bytes or a full 256 bits).
Robert suggests generating a small random value, turning it into its hex equivalent, and then entering those hex digits as a text passphrase to have sufficient randomness. For more information on passphrase weaknesses and strategies for choosing them, Robert refers you to this FAQ.
This shouldn't be the shot heard round the world, but I hope those of you that read this site will take this concern to the manufacturers of Wi-Fi equipment. It's not too late for them to fix this problem by building in the ability to generate random keys that can be copied and pasted simply across systems, and by restricting the ability to enter weak keys by either requiring more characters or running a crack program against your passphrase choice as Unix password programs often do these days.
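The two fixes described above (Robert's random-hex passphrase and a setup interface that refuses weak passphrases), sketched in Python as an added example that is not from Robert's paper or any vendor's firmware. The wordlist is a constructed sample, and the function names and the word-splitting heuristic are assumptions made for illustration.

```python
import re
import secrets

MIN_BITS = 96    # the post's floor for a random key
MIN_CHARS = 21   # the post asks for more than 20 characters
MAX_CHARS = 63   # WPA passphrases are 8 to 63 printable ASCII characters

# Constructed sample wordlist; a real check would load a full dictionary file.
SAMPLE_WORDS = frozenset({"home", "wireless", "network", "office", "secret", "internet"})

def generate_passphrase(bits=128):
    """Random value -> hex digits, to be typed in as a text passphrase."""
    if bits < MIN_BITS or bits % 8 or bits // 4 > MAX_CHARS:
        raise ValueError("need a whole number of bytes, 96 to 248 bits")
    return secrets.token_hex(bits // 8)

def generate_raw_key():
    """256-bit key as 64 hex characters, for interfaces that accept raw hex."""
    return secrets.token_hex(32)

def _segments(run, words):
    """True if `run` can be split entirely into dictionary words."""
    ok = [True] + [False] * len(run)
    for end in range(1, len(run) + 1):
        ok[end] = any(ok[s] and run[s:end] in words for s in range(end))
    return ok[-1]

def check_passphrase(phrase, words=SAMPLE_WORDS):
    """Return the reasons a setup interface should refuse this passphrase."""
    problems = []
    if len(phrase) > MAX_CHARS or not all(32 <= ord(c) <= 126 for c in phrase):
        problems.append("not_a_valid_wpa_passphrase")
    if len(phrase) < MIN_CHARS:
        problems.append("too_short")
    # Coarse heuristic: every alphabetic run is built only from dictionary words.
    runs = re.findall(r"[a-z]+", phrase.lower())
    if runs and all(_segments(run, words) for run in runs):
        problems.append("dictionary_words")
    return problems

if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, check_passphrase(candidate))
    print(check_passphrase("homenetwork"))
```

Note that a long passphrase made only of dictionary words, such as `home-wireless-network-2003`, passes the length test but is still flagged, which matches the post's advice to include gibberish.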