[NTLUG:Discuss] Usenix 03 Brief Summary
Chris Cox
cjcox at acm.org
Tue Jun 17 15:31:58 CDT 2003
> In response to the welcome remarks of David Simmons at 09:39 AM 6/17/03
> -0500:
>
>> What differentiates the 128bit WEP and 128bit SSL encryption to the
point
>> that one is considered 'wide open' and the other is considered 'more
than
>> required for banking security'??
Two different protocols... SSL and WEP.
Btw... (sorry about the rant)...
There is NO difference between WEP 40bit vs. WEP 128bit.
Time to crack either differs only by a few nanoseconds...
(assuming Pentium 233).
Time to crack is mere minutes if not using a late
model bios with iv filtering (using the FMS crack).
Otherwise, a successful dictionary crack (results in
a completely compromised key) will take anywhere
from 1 to 2 days depending on the amount of traffic
on the net.
Layer 2 control messages on WiFi are completely
insecure, so even if you are using WPA (still
in beta, but soon to be released... requires
a separate authentication server btw) you will
be able to effectively spoof any access point
and create DoS and message routing issues.
SSL (as an example) rides on top of all of this.
A (relatively) secure protocol on top of a known insecure
protocol == insecure protocol.
WPA combined with TKIP or RSN (for PKI) doesn't
answer the Layer 2 protocol issue. However, it
does prevent the WEP problem. The problem is
that it's a VERY complicated series of key
exchanges. There is a sub-standard of WPA
which uses fixed keys stored in the AP instead
of the separate authentication server, but
obviously, it's not as good security wise.
WiFi is insecure at least till the end of
the year.
SSL is relatively safe for now :-) (as long
as it's not on WiFi).
More information about the Discuss
mailing list