WPA isn't as broken as reported: If you read the coverage early this week on two German researchers' paper on a vulnerability in Temporal Key Integrity Protocol (TKIP), the weaker of two encryption and integrity algorithms in the Wi-Fi Protected Access (WPA) certified standard (and part of the underlying 802.11i protocol), you'd think that TKIP was broken. It's not.
As I wrote Friday, don't panic, but do pay attention. I'm posting about this again just to be clear.
The flaw that was discovered does not allow a WPA-protected network's key to be recovered. It does allow the encryption keystream of short packets (network data quanta), typically those used for network identification purposes, to be recovered: the keystream is the per-packet encryption overlay, derived from a key that two Wi-Fi components share, that protects information sent from one to the other.
With a recovered keystream, a single packet of the same length can be sent back into the network (using another flaw) to fool a client (but not an access point).
That's not to say that WPA keys (both the weaker TKIP and strong AES-CCMP) cannot be recovered. That's just not part of this weakness.
As was theorized back in 2003, in an article Robert Moskowitz allowed me to post on my site, choosing a weak passphrase could lead to a key that can be cracked through brute force. Moskowitz was part of the IEEE 802.11i security task group, and he knew of what he spoke.
His advice? For effective security, choose a passphrase that's at least 20 characters long and contains no words found in dictionaries of any language.
Substituting 3 for e and 0 for o isn't a good choice, by the way: Brute-force attackers build dictionaries with common substitutions. Changing "camel back liposuction" to "!cmale bc@@k lippppo___!!sction" would make much more sense. Anyway, which among us manually enters a passphrase more than once per client?
Within a couple of years, effective brute-force methods appeared that could crack short keys that used only words found in dictionaries. There are pre-computed dictionaries that combine the SSID (network name) and billions of short key combinations. (The network name is used as an element in creating the key, but "linksys" and other default network names are often left unchanged by users. Apple names its networks by default with part of the base station identifier, making a brute-force crack probably a million, maybe a billion times harder.)
ElcomSoft recently updated their "key recovery software" to use the graphical processing unit (GPU) in modern computers, which the company said in press releases--they haven't gotten back to a request I made for a briefing weeks ago--could improve key cracking by a factor of 100. Their software is also distributed, so you could conceivably put 1,000 computers on the task.
How does ElcomSoft's breakthrough affect the 2003 advice on passphrases? Security experts I've talked to, including Erik Tews, the co-author of the paper on the new WPA flaw, said that 20 characters should still require such a vast amount of time, even with all the horsepower that one could throw at it, that there's no risk.
If there were a risk, you could increase a passphrase to 22 characters in length, and suddenly push the time to crack out by another factor of 100 (more or less; dissenting opinions welcome).
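The key derivation that makes all of this true is the same in every WPA/WPA2-Personal client and access point: the 256-bit pre-shared key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, run for 4096 iterations. The following Python is an added example, not code from this post or from any of the vendors named in it. It derives the PSK the way a client does (checked against the IEEE 802.11i Annex H test vector for passphrase "password" and SSID "IEEE"), shows why the SSID decides whether a pre-computed table applies, computes how much the search space grows per extra character of length for a given alphabet, and applies Moskowitz's two rules (20 characters minimum, no dictionary words, with common digit-for-letter substitutions undone first). The dictionary and the substitution table are constructed for this example and are not a real cracking wordlist.

```python
import hashlib
import math
import re

# IEEE 802.11i PSK derivation parameters (these are the standard's values).
PBKDF2_ITERATIONS = 4096
PSK_LEN_BYTES = 32  # 256-bit PSK

# Constructed toy dictionary and substitution table for the strength check.
TOY_DICTIONARY = {"camel", "back", "liposuction", "password", "linksys", "secret"}
COMMON_SUBSTITUTIONS = {"3": "e", "0": "o", "1": "i", "4": "a", "5": "s",
                        "7": "t", "$": "s", "@": "a"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 pre-shared key exactly as a client or AP does.

    The SSID is the salt: the same passphrase on two differently named
    networks yields two unrelated PSKs.  A table precomputed for "linksys"
    is useless against a network with a unique name.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 printable ASCII chars")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               PSK_LEN_BYTES)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases of a given length over an alphabet."""
    return alphabet_size ** length


def extra_work_factor(alphabet_size: int, extra_chars: int) -> int:
    """Growth of the search space when the passphrase gets longer.

    Two extra characters are a factor of 100 only if the attacker must try
    about 10 symbols per position; over the 95 printable ASCII characters
    the factor is 95**2 = 9025.
    """
    return alphabet_size ** extra_chars


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Wall-clock years to try every passphrase at a fixed guess rate."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def normalize(passphrase: str) -> str:
    """Undo the substitutions a cracking dictionary would already contain."""
    return "".join(COMMON_SUBSTITUTIONS.get(ch, ch) for ch in passphrase.lower())


def check_passphrase(passphrase: str, dictionary=TOY_DICTIONARY,
                     min_len: int = 20) -> list:
    """Return a list of problems; an empty list means the advice is met."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    words = re.findall(r"[a-z]+", normalize(passphrase))
    found = [w for w in words if w in dictionary]
    if found:
        problems.append("contains dictionary words after undoing substitutions: "
                        + ", ".join(found))
    return problems


if __name__ == "__main__":
    print("PSK(password, IEEE) =", derive_psk("password", "IEEE").hex())
    print("same passphrase, other SSID differs:",
          derive_psk("password", "IEEE") != derive_psk("password", "linksys"))
    print("work factor for +2 chars, 10-symbol alphabet:", extra_work_factor(10, 2))
    print("work factor for +2 chars, 95-symbol alphabet:", extra_work_factor(95, 2))
    print("years for 20 chars over 95 symbols at 1e9 guesses/s: %.3g"
          % years_to_exhaust(95, 20, 1e9))
    for p in ("cam3l back lip0suction", "!cmale bc@@k lippppo___!!sction"):
        print(repr(p), "->", check_passphrase(p) or "ok")
```

The `years_to_exhaust` figure is the point of the "no risk" judgment above: even granting an attacker a thousand GPU-equipped machines, a 20-character passphrase drawn from the full printable alphabet does not get anywhere near exhausted, and the per-network salt means that work cannot be shared across networks with distinct SSIDs.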
Average users can bypass all this by buying Wi-Fi gear that uses Wi-Fi Protected Setup (WPS), which uses for its source material a passphrase longer than the 20-character minimum, and employs excellent methods of securely exchanging key material over the untrusted network.
Of course, as I discovered when reviewing the excellent Linksys WRT610N (concurrent dual-band 802.11n router) for Macworld magazine, there's surprisingly no precise standard for WPS interface implementation. That is, the Wi-Fi Alliance defines the way in which WPS works on a protocol level, but not how the details are presented to a user.
Apple has two methods, neither of which matches up correctly with Linksys's three or four methods (depending on how you count). It's frustrating. Apple never responded to a request for comment about the mismatch; Linksys said they're looking into how to improve compatibility in future releases.