WEP Security Improvements - How pervasive and how tight?

Archived from groups: alt.internet.wireless

I read recently that manufacturers of some wi-fi equipment have improved
their software so that WEP is more difficult to crack. Specifically, they
have reportedly quit sending type 4 packets (as I recall it is type 4) which
are apparently the key to WEP cracking.

Anyone know the straight scoop on this? Is this correct? How widespread
have these improvements been implemented? How can you tell if they are
implemented on your equipment?


--
Bob Alston

bobalston9 AT aol DOT com


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.746 / Virus Database: 498 - Release Date: 8/31/2004
  1. Archived from groups: alt.internet.wireless

    > I read recently that manufacturers of some wi-fi equipment have improved
    > their software so that WEP is more difficult to crack. Specifically, they
    > have reportedly quit sending type 4 packets (as I recall it is type 4) which
    > are apparently the key to WEP cracking.

    I doubt it can fix the real problem. I.e. it might make it harder (10min
    instead of 5), but who cares: use WPA and forget about it,


    Stefan
  2. Archived from groups: alt.internet.wireless

    "Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
    news:aOqZc.132114$Lj.31258@fed1read03...
    > I read recently that manufacturers of some wi-fi equipment have improved
    > their software so that WEP is more difficult to crack. Specifically, they
    > have reportedly quit sending type 4 packets (as I recall it is type 4) which
    > are apparently the key to WEP cracking.
    >
    > Anyone know the straight scoop on this. Is this correct? How widespread
    > have these improvements been implemented? How to tell if implemented on
    > your equipment?

    No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
    type and a 4-bit subtype field. The type field values range from 0 - 3, with
    3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
    So-called SSID hiding is a modification to beacon frames that nearly all
    vendors support. It is claimed to be a security improvement, in that your
    network id is no longer broadcast 10 times a second, but the improvement is
    in fact trivial. It has nothing to do with WEP or WPA.

  3. Archived from groups: alt.internet.wireless

    "gary" <pleasenospam@sbcglobal.net> wrote in message
    news:N0rZc.15840$Ka2.8846@newssvr22.news.prodigy.com...
    > No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
    > type and a 4-bit subtype field. The type field values range from 0 - 3,
    > with
    > 3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
    > So-called SSID hiding is a modification to beacon frames that nearly all
    > vendors support. It is claimed to be a security improvement, in that your
    > network id is no longer broadcast 10 times a second, but the improvement
    > is
    > in fact trivial. It has nothing to do with WEP or WPA.

    The link below is an example of the reference I was recalling, and states
    that "the weak IV exploit is virtually non-existent".

    http://www.security-focus.com/infocus/1792

    Not sure if this is but one exploit that allows WEP to be cracked.

    --
    Bob Alston

    bobalston9 AT aol DOT com

  4. Archived from groups: alt.internet.wireless

    "Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
    news:pRsZc.132341$Lj.9128@fed1read03...
    > The link below is an example of the reference I was recalling, and states
    > that "the weak IV exploit is virtually non-existent".
    >
    > http://www.security-focus.com/infocus/1792
    >
    > Not sure if this is but one exploit that allows WEP to be cracked.


    O'Reilly's comments:

    http://www.oreillynet.com/cs/user/view/cs_msg/26023

    --
    Bob Alston

    bobalston9 AT aol DOT com

  5. Archived from groups: alt.internet.wireless

    "Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
    news:pRsZc.132341$Lj.9128@fed1read03...
    > The link below is an example of the reference I was recalling, and states
    > that "the weak IV exploit is virtually non-existent".
    >
    > http://www.security-focus.com/infocus/1792
    >
    > Not sure if this is but one exploit that allows WEP to be cracked.

    The article was a survey of security issues. It looked reasonably accurate
    and complete to me. I see no reference to "type 4 packets" or even SSID
    hiding. It does mention that WEP is an incorrect implementation of RC4, a
    common stream cypher algorithm. The defects of the WEP implementation are
    not completely curable, but there is a problem called "weak IVs" which has
    been eliminated in newer chipsets. You'll probably get weak IV suppression
    with recent 802.11g chipsets, and maybe also as a firmware upgrade to some
    older 802.11b devices.

    If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
    Problems" and not worry too much about weak IVs. Use 128-bit keys or better
    if you have them (40/64 can be cracked by brute force). Change keys
    reasonably often ("reasonable" depends on how much traffic you generate, and
    how important security is to you). Use a wifi firewall in addition to a
    regular one. For anything that *really* needs security, use independent
    encryption (secure HTTP, PGP, VPN, whatever). And if you really need good
    security, buy WPA-capable equipment that can be upgraded to WPA2 with AES
    (that is, equipment that can do AES in the wifi chipset).

  6. Archived from groups: alt.internet.wireless

    "gary" <pleasenospam@sbcglobal.net> wrote in message
    news:pitZc.15870$TZ2.4723@newssvr22.news.prodigy.com...
    > The article was a survey of security issues. It looked reasonably accurate
    > and complete to me. I see no reference to "type 4 packets" or even SSID
    > hiding. It does mention that WEP is an incorrect implementation of RC4, a
    > common stream cypher algorithm. The defects of the WEP implementation are
    > not completely curable, but there is a problem called "weak IVs" which has
    > been eliminated in newer chipsets. You'll probably get weak IV suppression
    > with recent 802.11g chipsets, and maybe also as a firmware upgrade to some
    > older 802.11b devices.
    >
    > If I were you, I'd follow the bullet list under "Basic Steps to Fix WEP
    > Problems" and not worry too much about weak IVs. Use 128-bit keys or
    > better
    > if you have them (40/64 can be cracked by brute force). Change keys
    > reasonably often ("reasonable" depends on how much traffic you generate,
    > and
    > how important security is to you). Use a wifi firewall in addition to a
    > regular one. For anything that *really* needs security, use independent
    > encryption (secure HTTP, PGP, VPN, whatever). And if you really need good
    > security, buy WPA-capable equipment that can be upgraded to WPA2 with AES
    > (that is, equipment that can do AES in the wifi chipset).

    The portion of the article I was intending to refer to was the following:

    "...the weak IV exploit is virtually non-existent. The manufacturers have
    eliminated that issue, at least as far as I have been able to tell. I have
    only been able to crack it once in the past several years and that was
    because an old wireless adaptor with outdated firmware was on the system."

    --
    Bob Alston

    bobalston9 AT aol DOT com

  7. Archived from groups: alt.internet.wireless

    "Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message
    news:%xtZc.132398$Lj.62506@fed1read03...
    > The portion of the article I was intending to refer to was the following:
    >
    > "...the weak IV exploit is virtually non-existent. The manufacturers have
    > eliminated that issue, at least as far as I have been able to tell. I have
    > only been able to crack it once in the past several years and that was
    > because an old wireless adaptor with outdated firmware was on the system."

    The comment you cited from the O'Reilly site says about as much as can be
    said about who fixed weak IVs and by what date. Fixing weak IVs does not
    eliminate all the weaknesses of WEP. The fundamental problem is that the
    fixed portion of the key never changes, and the changeable part - the
    Initialization Vector, or IV - is 24 bits long. After *at most* 2^24 frames,
    the IV has to repeat, and therefore the keystream to encrypt the frame
    repeats. Not to mention that crackers can inject known data into your
    network to build a partial dictionary of IV/keystream pairs ... there are
    lots of possible attacks. WPA/WPA2 are much stronger than WEP ever will be.
    But WEP is perfectly useful for ordinary people who are not likely to be
    targets of sustained attacks. Just use long, random hex keys and change them
    fairly often.

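Gary's explanation above (a 24-bit IV prepended to a static key, so a repeated IV means a repeated RC4 keystream, and at most 2^24 frames before that happens) as an added Python illustration; this is not code from the thread. The RC4 routine is the textbook cipher, the shared key, IVs and frames are constructed sample values, the frame rate is an input you supply, and the CRC-32 ICV that real WEP appends before encryption is left out because it does not affect the keystream property shown.

```python
"""Why a repeated 24-bit WEP IV repeats the keystream (added illustration).

Not code from the thread. RC4 below is the textbook cipher; WEP seeds it with
the 3-byte IV prepended to the static shared key, so two frames sent under the
same IV are encrypted with the identical keystream. The shared key, IVs and
frames are constructed sample values; the CRC-32 ICV that real WEP appends to
the plaintext before encryption is omitted (it does not change the keystream).
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_keystream(iv: bytes, shared_key: bytes, length: int) -> bytes:
    """WEP per-packet RC4 key = IV (24 bits, sent in the clear) || static key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    return rc4_keystream(iv + shared_key, length)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    ks = wep_keystream(iv, shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_cancels(iv: bytes, shared_key: bytes,
                      frame1: bytes, frame2: bytes) -> bool:
    """Two frames under one IV: C1 XOR C2 == P1 XOR P2, the keystream drops
    out. This is the 'keystream repeats' consequence of IV reuse."""
    c1 = wep_encrypt(iv, shared_key, frame1)
    c2 = wep_encrypt(iv, shared_key, frame2)
    return xor_bytes(c1, c2) == xor_bytes(frame1, frame2)


def frames_until_iv_repeat_worst_case(iv_bits: int = 24) -> int:
    """Sequential IVs: the space is exhausted after 2**iv_bits frames at most."""
    return 2 ** iv_bits


def frames_until_iv_repeat_birthday(iv_bits: int = 24,
                                    probability: float = 0.5) -> int:
    """Randomly chosen IVs: birthday bound n ~ sqrt(2 N ln(1/(1-p)))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def seconds_to_exhaust_ivs(frames_per_second: float, iv_bits: int = 24) -> float:
    """How long a link at the given frame rate takes to wrap a sequential IV."""
    return frames_until_iv_repeat_worst_case(iv_bits) / frames_per_second


if __name__ == "__main__":
    key = bytes.fromhex("0a1b2c3d4e")            # constructed 40-bit shared key
    iv_a, iv_b = b"\x00\x00\x01", b"\x00\x00\x02"  # constructed IVs
    print("same IV, same keystream:",
          wep_keystream(iv_a, key, 8) == wep_keystream(iv_a, key, 8))
    print("different IV, different keystream:",
          wep_keystream(iv_a, key, 8) != wep_keystream(iv_b, key, 8))
    print("keystream cancels under one IV:",
          keystream_cancels(iv_a, key, b"GET / HTTP/1.0\r\n", b"POST / HTTP/1.0\r"))
    print("frames for a 50% random-IV collision:", frames_until_iv_repeat_birthday())
    print("hours to wrap a sequential IV at 300 frames/s:",
          seconds_to_exhaust_ivs(300) / 3600)
```

The birthday figure is the more telling one: with randomly chosen IVs a repeat is even money after only a few thousand frames, long before the 2^24 worst case.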
  8. Archived from groups: alt.internet.wireless

    On Wed, 01 Sep 2004 21:18:37 GMT, "gary" <pleasenospam@sbcglobal.net>
    wrote:

    >No. I don't know what "type 4 packets" are, but 802.11 frames have a 2-bit
    >type and a 4-bit subtype field. The type field values range from 0 - 3, with
    >3 unused. Type 0 (management) frames have a subtype 4, which is beacon.
    >So-called SSID hiding is a modification to beacon frames that nearly all
    >vendors support. It is claimed to be a security improvement, in that your
    >network id is no longer broadcast 10 times a second, but the improvement is
    >in fact trivial. It has nothing to do with WEP or WPA.

    Agreed. A bit more detail plagiarized from:
    802.11 7.1.3.1

    Table 1 - Valid type and subtype combinations

    Type value  Type         Subtype value  Subtype description
    (b3 b2)     description  (b7 b6 b5 b4)
    00          Management   0000           Association request
    00          Management   0001           Association response
    00          Management   0010           Reassociation request
    00          Management   0011           Reassociation response
    00          Management   0100           Probe request
    00          Management   0101           Probe response
    00          Management   0110-0111      Reserved
    00          Management   1000           Beacon
    00          Management   1001           Announcement traffic indication message (ATIM)
    00          Management   1010           Disassociation
    00          Management   1011           Authentication
    00          Management   1100           Deauthentication
    00          Management   1101-1111      Reserved
    01          Control      0000-1001      Reserved
    01          Control      1010           Power Save (PS)-Poll
    01          Control      1011           Request To Send (RTS)
    01          Control      1100           Clear To Send (CTS)
    01          Control      1101           Acknowledgment (ACK)
    01          Control      1110           Contention-Free (CF)-End
    01          Control      1111           CF-End + CF-Ack
    10          Data         0000           Data
    10          Data         0001           Data + CF-Ack
    10          Data         0010           Data + CF-Poll
    10          Data         0011           Data + CF-Ack + CF-Poll
    10          Data         0100           Null function (no data)
    10          Data         0101           CF-Ack (no data)
    10          Data         0110           CF-Poll (no data)
    10          Data         0111           CF-Ack + CF-Poll (no data)
    10          Data         1000-1111      Reserved
    11          Reserved     0000-1111      Reserved

    Notice that there's no such thing as a WEP frame or "Type 4" packet.

    That's because *EVERY* management and data frame is preceded by a WEP
    key frame. It's described in excruciating detail in 802.11 8.1. I
    don't see anything that can be deleted to make it more difficult to
    crack. Basically, AirSnort, WEPCrack, and others collect the WEP 24
    bit initialization vectors looking for a pattern.

    Oh, I see the confusion. Initialization Vector is often acronymified
    as "IV", which is Roman numeral 4. Maybe that's where the type 4
    stuff came from?


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # jeffl@comix.santa-cruz.ca.us
    # 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
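Jeff's table above, turned into a decoder for the two-byte 802.11 Frame Control field, as an added Python example that is not code from the thread. It assumes the field layout from 802.11 7.1.3.1 (first byte: protocol version in b0-b1, type in b2-b3, subtype in b4-b7; second byte: flags, including the Protected Frame bit that the original standard called WEP); the sample frames are constructed, and the unprotected-data count is a defender's sanity check on a capture, not anything from the post.

```python
"""Decode the 802.11 Frame Control field (added example, not from the thread).

Layout assumed from 802.11 7.1.3.1: byte 0 = protocol version (b0-b1),
type (b2-b3), subtype (b4-b7); byte 1 = flags (To DS 0x01, From DS 0x02,
Retry 0x08, Protected/"WEP" 0x40). A 2-bit type field cannot hold 4, which
is why a "type 4 packet" cannot exist.
"""
from typing import Iterable, NamedTuple

TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}

# (type, subtype) -> description, copied from the table in Jeff's post.
SUBTYPE_NAMES = {
    (0, 0): "Association request", (0, 1): "Association response",
    (0, 2): "Reassociation request", (0, 3): "Reassociation response",
    (0, 4): "Probe request", (0, 5): "Probe response",
    (0, 8): "Beacon", (0, 9): "ATIM", (0, 10): "Disassociation",
    (0, 11): "Authentication", (0, 12): "Deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
    (1, 14): "CF-End", (1, 15): "CF-End + CF-Ack",
    (2, 0): "Data", (2, 1): "Data + CF-Ack", (2, 2): "Data + CF-Poll",
    (2, 3): "Data + CF-Ack + CF-Poll", (2, 4): "Null function (no data)",
    (2, 5): "CF-Ack (no data)", (2, 6): "CF-Poll (no data)",
    (2, 7): "CF-Ack + CF-Poll (no data)",
}


class FrameControl(NamedTuple):
    version: int
    type: int
    subtype: int
    type_name: str
    subtype_name: str
    protected: bool   # the "WEP" bit: payload is encrypted (WEP or WPA/WPA2)
    to_ds: bool
    from_ds: bool
    retry: bool


def parse_frame_control(frame: bytes) -> FrameControl:
    """Decode the first two bytes of an 802.11 MAC frame."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03          # only 0..3 are representable
    subtype = (fc0 >> 4) & 0x0F
    return FrameControl(
        version=fc0 & 0x03,
        type=ftype,
        subtype=subtype,
        type_name=TYPE_NAMES[ftype],
        subtype_name=SUBTYPE_NAMES.get((ftype, subtype), "Reserved"),
        protected=bool(fc1 & 0x40),
        to_ds=bool(fc1 & 0x01),
        from_ds=bool(fc1 & 0x02),
        retry=bool(fc1 & 0x08),
    )


def unprotected_data_frames(frames: Iterable[bytes]) -> int:
    """Defender's check: count Data frames whose Protected bit is clear.
    On a network that is supposed to be encrypted, this should be zero."""
    count = 0
    for f in frames:
        fc = parse_frame_control(f)
        if fc.type == 2 and not fc.protected:
            count += 1
    return count


# Constructed sample frames: only the Frame Control bytes matter here.
SAMPLE_FRAMES = [
    b"\x80\x00",   # Beacon (management, subtype 8)
    b"\x40\x00",   # Probe request (management, subtype 4)
    b"\x08\x41",   # Data, To DS, Protected bit set
    b"\x08\x02",   # Data, From DS, Protected bit clear
    b"\xd4\x00",   # ACK (control, subtype 13)
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        fc = parse_frame_control(f)
        print(f.hex(), fc.type_name, fc.subtype_name, "protected" if fc.protected else "clear")
    print("unprotected data frames:", unprotected_data_frames(SAMPLE_FRAMES))
```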
  9. Archived from groups: alt.internet.wireless

    On Wed, 1 Sep 2004 18:23:12 -0500, "Bob Alston"
    <bobalston9NOSPAM@aol.com> wrote:


    >The link below is an example of the reference I was recalling, and states
    >that "the weak IV exploit is virtually non-existent".
    >
    >http://www.security-focus.com/infocus/1792
    >
    >Not sure if this is but one exploit that allows WEP to be cracked.

    Here's a good article on how WEP works:
    http://www.wi-fiplanet.com/tutorials/article.php/2106281

    The problem is that the IV (initialization vector) tends to get
    re-used. One of the fixes in WPA is TKIP, which increases the size of
    the initialization vector from 24 to 48 bits and makes sure it doesn't
    get re-used.
    http://www.wi-fiplanet.com/tutorials/article.php/2148721

    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # jeffl@comix.santa-cruz.ca.us
    # 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
  10. Archived from groups: alt.internet.wireless

    >I doubt it can fix the real problem. I.e. it might make it harder (10min
    >instead of 5), but who cares: use WPA and forget about it,

    A lot of people use 802.11b equipment which only offers WEP support.
    Completely changing all hardware on a WLAN might not be the first
    option for everyone. We are not about to shell out around $1700 for 15
    new NICs and two APs.

    /Jan
  11. Archived from groups: alt.internet.wireless

    First of all, is WEP vulnerable? Yes. The real question is how
    vulnerable.

    For the average home use environment, implementing WEP is more than
    sufficient to protect a network as long as firmware has been kept up
    to date. The manufacturers have made the IV (intercept vector)
    vulnerability almost obsolete. Two years ago with Cisco access points
    I tried to crack a WEP key using the airsnort program and in 16 hours
    of testing with an access point sending and receiving packets at a
    rate of 300 per second we caught less than 100 weak packets. The
    estimate is that 3000 to 9000 weak packets are needed to crack a
    single WEP key.

    In my opinion the only reason that anyone is still harping about WEP
    being weak is that they are usually trying to sell you a very
    expensive solution to a problem that doesn't exist.

    The bigger threat to most any network is going to be the wired connection.
    A wireless connection requires the hacker to be within range to capture
    traffic or to connect to a network. A wired connection can be hacked
    from anywhere in the world.


    "Bob Alston" <bobalston9NOSPAM@aol.com> wrote in message news:<aOqZc.132114$Lj.31258@fed1read03>...
    > I read recently that manufacturers of some wi-fi equipment have improved
    > their software so that WEP is more difficult to crack. Specifically, they
    > have reportedly quit sending type 4 packets (as I recall it is type 4) which
    > are apparently the key to WEP cracking.
    >
    > Anyone know the straight scoop on this. Is this correct? How widespread
    > have these improvements been implemented? How to tell if implemented on
    > your equipment?
  12. Archived from groups: alt.internet.wireless

    Taking a moment's reflection, Jan Bachman mused:
    |
    | We are not about to shell out around $1700 for 15
    | new NIC's and two AP's.

    So, how much is your data worth?
  13. Archived from groups: alt.internet.wireless

    "Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
    news:tg7dj0pet49d503lev6v24sep23lee0rd2@4ax.com...
    > Notice that there's no such thing as a WEP frame or "Type 4" packet.
    >
    > That's because *EVERY* management and data frame is preceded by a WEP
    > key frame. It's described in excruciating detail in 802.11 8.1. I
    > don't see anything that can be deleted to make it more difficult to
    > crack. Basically, AirSnort, WEPCrack, and others collect the WEP 24
    > bit initialization vectors looking for a pattern.
    >
    > Oh, I see the confusion. Initialization Vector is often acronymified
    > as "IV" which is Roman numeral 4. Maybe that's where the type 4
    > stuff came from?

    Yes, I think you're right. Don't know why I didn't see it. Also, the Beacon
    frame is subtype 8, and the Probe is subtype 4, so my suggestion about the
    Beacon was based on a misreading anyway. Probes of course have to have the
    SSID in them.

    >
    >
    > --
    > # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    > # 831.336.2558 voice http://www.LearnByDestroying.com
    > # jeffl@comix.santa-cruz.ca.us
    > # 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
  14. Archived from groups: alt.internet.wireless (More info?)

    > So, how much is your data worth?

    It's a shared internet connection between apartments.
    We have no shared data or server.
    Security is defined as the user's problem.

    /Jan
  15. Archived from groups: alt.internet.wireless (More info?)

    Taking a moment's reflection, Jan Bachman mused:
    |
    | It's a shared internet connection between apartments.
    | We have no shared data or server.
    | Security is defined as the user's problem.

    So, how does the user secure himself when the infrastructure is weak?
  16. Archived from groups: alt.internet.wireless (More info?)

    >| It's a shared internet connection between apartments.
    >| We have no shared data or server.
    >| Security is defined as the user's problem.
    >
    > So, how does the user secure himself when the infrastructure is weak?
    >
    Personal firewall, antivirus and anti-spyware.

    There is of course a danger, if the network has been compromised, and
    the users are sending passwords to whatever in plain-text across the
    network.

    I change the WEP-key monthly. So far I have seen no suspicious traffic
    on the network, besides some eDonkey activity which was dealt with,
    as filesharing is against our policy.

    /Jan
  17. Archived from groups: alt.internet.wireless (More info?)

    On Thu, 02 Sep 2004 00:23:56 GMT, "gary" <pleasenospam@sbcglobal.net>
    wrote:

    >But WEP is perfectly useful for ordinary people who are not likely to be
    >targets of sustained attacks. Just use long, random hex keys and change them
    >fairly often.

    Speaking as a home user without anything of vast importance to protect
    (but nevertheless not wishing to be an easy target) I currently use
    128-bit WEP. However the key I use is generated by a passphrase from
    which the native GUI creates the key. Does this strengthen, weaken or
    make no difference to my overall security? The resulting key is
    certainly gibberish to the human eye but might a hacker have the
    ability to reverse engineer whatever process the GUI used to create
    the key in the first place?

    Also, presumably different manufacturers have different methods of
    generating the key from passphrases? When I first got my wireless
    equipment my neighbour gave me the passphrase to his own network to
    share some files. However nothing I did allowed a successful
    connection between my laptop and his network. At the time as a
    complete newbie I had no real ideas and nor did he, but since
    connecting to my own network was not a problem we never really
    investigated properly. Looking back I think different WEP keys
    (because his passphrase generated a different key on my Netgear
    equipment than on his US Robotics equipment) were one of two possible
    problems.

    Anyone know how much more of a processing overhead exists with WPA?
  18. Archived from groups: alt.internet.wireless (More info?)

    Taking a moment's reflection, Jan Bachman mused:
    |
    | I change the WEP-key monthly. So far I have seen no suspicious traffic
    | on the network, besides some eDonkey activity which was dealt with,
    | as filesharing is against our policy.

    You are aware that someone doesn't have to be connected to your network
    directly in order to compromise user security, right? Firewall, antivirus,
    and anti-spyware won't keep someone from sniffing packets. If you have
    several users on the network, the key likely can be broken by someone within
    a week ... let alone a month.
  19. Archived from groups: alt.internet.wireless (More info?)

    >You are aware that someone doesn't have to be connected to your network
    >directly in order to compromise user security, right?

    Yes.

    >Firewall, antivirus, and anti-spyware won't keep someone from sniffing packets.

    True.

    >If you have several users on the network, the key likely can be broken by someone within
    >a week ... let alone a month.

    That is the situation. I would welcome moving to WPA, but that is
    sadly not an option right now for economic reasons.

    We choose to gamble that no one in the vicinity is persistent enough
    to cause us problems. Surely a kid with Airsnort will break the WEP.
    He will play around, tell his friends, download some porn, look for
    shared files and find none, and then leave. Staying around in the back
    unnoticed sniffing every packet searching for something really useful
    with regard to theft or fraud takes someone with bad intent indeed.
    That someone is hopefully not living next to us. I have seen no people
    with laptops in the bushes either :-)

    I just hope we're not being too naive about this.

    /Jan
  20. Archived from groups: alt.internet.wireless (More info?)

    >> Firewall, antivirus, and anti-spyware won't keep someone from sniffing
    >> packets

    MHI:

    A switch will block unicasts, which severely reduces the value of packet
    sniffing
  21. Archived from groups: alt.internet.wireless (More info?)

    Taking a moment's reflection, CZ mused:
    |
    | A switch will block unicasts, which severely reduces the value of packet
    | sniffing

    Save that, within a confined area (say a building complex), all the
    wireless packets are floating around available for capture anyway.
  22. Archived from groups: alt.internet.wireless (More info?)

    Taking a moment's reflection, Jan Bachman mused:
    |
    | I just hope we're not being too naive about this.

    I guess that's the crux. People think they aren't big targets because
    they don't have anything worthwhile on their systems. But, many people use
    online banking, or e-commerce. All it takes is the right combination of
    packets sent to an unsecured merchant site, and a casual packet sniffer, who
    has broken your WEP key, potentially has the user's bank information/credit
    card data. Also consider that, from your description, everyone using the
    network uses the same WEP key ... so there's no real protection from someone
    on the network sniffing others.
  23. Archived from groups: alt.internet.wireless (More info?)

    "mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailSPäM.com> wrote in message
    news:N9r_c.35666$_g7.25040@attbi_s52...
    > Taking a moment's reflection, Jan Bachman mused:
    > |
    > | I just hope we're not being too naive about this.
    >
    > I guess that's the crux. People think they aren't big targets because
    > they don't have anything worthwhile on their systems. But, many people
    > use
    > online banking, or e-commerce. All it takes is the right combination of
    > packets sent to an unsecured merchant site, and a casual packet sniffer,
    > who
    > has broken your WEP key, potentially has the user's bank
    > information/credit
    > card data. Also consider that, from your description, everyone using the
    > network uses the same WEP key ... so there's no real protection from
    > someone
    > on the network sniffing others.
    >
    >
    Having started this thread I thought I would add in a "closer". My point is
    that with the software improvements in AP and clients of the past two years,
    people using up to date hardware and firmware with WEP should have virtually
    no exposure to cracking due to elimination of the "weak IV" packets. It
    appears that is a key to the cracking approach I have read about. Beyond
    that I read that brute force takes a lot of time with a 128 bit key.

    And as several have said, probably not very much focus on cracking a home
    network.

    One final note, while such cracking even with weak IV packets can be done
    fairly easily, it takes Linux, a laptop and some time. That certainly rules
    out a lot of people who don't have or won't bother.

    Would be interesting to hear about people who have a home WAP with WEP and
    who HAVE been hacked. So if this has happened to you, please report in.

    --
    Bob Alston

    bobalston9 AT aol DOT com


  24. Archived from groups: alt.internet.wireless (More info?)

    Bob Alston <bobalston9NOSPAM@aol.com> wrote:

    > Having started this thread I thought I would add in a "closer". My point is
    > that with the software improvements in AP and clients of the past two years,
    > people using up to date hardware and firmware with WEP should have virtually
    > no exposure to cracking due to elimination of the "weak IV" packets.

    IIRC, vendors started shipping wireless equipment that included "WEPplus"
    (weak IVs filtering) in late 2001; nowadays all wep implementations I know of
    have this countermeasure built-in, and thus make the so-called "standard FMS"
    attack (used by AirSnort) useless.

    However, there are other attacks on WEP not described in the FMS paper that
    are quite successful even when there are 0 weak IVs amongst the N million
    IVs you've collected - search Google for korek+attacks.

    > One final note, while such cracking even with weak IV packets can be done
    > fairly easily, it takes Linux, a laptop and some time. That certainly rules
    > out a lot of people who don't have or won't bother.

    Indeed, wep cracking is not an instant process - it usually takes hours to
    gather enough packets.
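    Added example, not part of the thread: a small decoder that applies the 802.11 type/subtype table Jeff Liebermann quoted above and, for WEP-protected data frames, pulls out the 24-bit IV and flags the classic FMS "weak" pattern that the WEPplus-style filtering Christophe Devine mentions is meant to suppress. It assumes plain 3-address, non-QoS frames (24-byte MAC header) and takes the weak-IV test to be the (B+3, 0xFF, X) pattern for key byte index B; the sample frames are constructed, not captured.

```python
# Added example, not from the thread: decode the 802.11 frame-control field per
# the type/subtype table quoted above, and for WEP-protected data frames pull
# out the 24-bit IV and flag the classic FMS "weak" pattern that WEPplus-style
# filtering suppresses. Assumptions: 3-address, non-QoS frames (24-byte MAC
# header); weak-IV test is (B+3, 0xFF, X), B = key byte index (0..12 for 104-bit).
MGMT_SUBTYPES = {0: "Association request", 1: "Association response",
                 2: "Reassociation request", 3: "Reassociation response",
                 4: "Probe request", 5: "Probe response", 8: "Beacon",
                 9: "ATIM", 10: "Disassociation", 11: "Authentication",
                 12: "Deauthentication"}
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
PROTECTED_FLAG = 0x40   # "WEP"/Protected Frame bit in frame-control byte 1
MAC_HEADER_LEN = 24     # 3-address, non-QoS header; the IV field follows it
def decode_frame_control(fc):
    """(type name, subtype value, subtype name, protected?) from the 2-byte
    frame-control field: bits 2-3 of byte 0 are the type, bits 4-7 the subtype."""
    ftype, subtype = (fc[0] >> 2) & 0x3, (fc[0] >> 4) & 0xF
    name = MGMT_SUBTYPES.get(subtype, "Reserved") if ftype == 0 else TYPE_NAMES[ftype]
    return TYPE_NAMES[ftype], subtype, name, bool(fc[1] & PROTECTED_FLAG)

def wep_iv(frame):
    """(IV bytes, key index) of a protected data frame, or None otherwise."""
    ftype, _, _, protected = decode_frame_control(frame[:2])
    if ftype != "Data" or not protected or len(frame) < MAC_HEADER_LEN + 4:
        return None
    iv = frame[MAC_HEADER_LEN:MAC_HEADER_LEN + 3]
    return iv, frame[MAC_HEADER_LEN + 3] >> 6   # key ID is the top 2 bits

def is_weak_iv(iv, key_bytes=13):
    """Classic FMS/AirSnort 'resolved' IV: (B+3, 0xFF, X) with B < key length."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes

def summarize(frames):
    """Frame counts by type/subtype, number of protected data frames, and how
    many of those carry weak IVs; filtering firmware should report zero weak."""
    counts, protected, weak = {}, 0, 0
    for f in frames:
        t, _, name, _ = decode_frame_control(f[:2])
        counts[(t, name)] = counts.get((t, name), 0) + 1
        found = wep_iv(f)
        if found:
            protected += 1
            weak += is_weak_iv(found[0])
    return counts, protected, weak

# Constructed sample frames: header is zero-filled apart from frame control.
mac_header = lambda fc0, fc1: bytes([fc0, fc1]) + bytes(MAC_HEADER_LEN - 2)
BEACON = mac_header(0x80, 0x00)                          # type 0, subtype 8
DATA_OK = mac_header(0x08, 0x40) + bytes([0x12, 0x34, 0x56, 0x00]) + b"\xaa" * 8
DATA_WEAK = mac_header(0x08, 0x40) + bytes([0x03, 0xFF, 0x07, 0x40]) + b"\xaa" * 8
```

    Run over a capture of your own AP's traffic, a non-zero weak count answers the original question of whether the equipment filters weak IVs; as the post above notes, a zero count says nothing about the later Korek-style attacks that do not depend on weak IVs.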
  25. Archived from groups: alt.internet.wireless (More info?)

    "Christophe Devine" <devine@iie.cnam.fr> wrote in message
    news:chesdf$2uff$1@biggoron.nerim.net...
    > Bob Alston <bobalston9NOSPAM@aol.com> wrote:
    >
    >> Having started this thread I thought I would add in a "closer". My point
    >> is
    >> that with the software improvements in AP and clients of the past two
    >> years,
    >> people using up to date hardware and firmware with WEP should have
    >> virtually
    >> no exposure to cracking due to elimination of the "weak IV" packets.
    >
    > IIRC, vendors started shipping wireless equipment that included
    > "WEPplus"
    > (weak IVs filtering) in late 2001; nowadays all wep implementations I know
    > of
    > have this countermeasure built-in, and thus make the so-called "standard
    > FMS"
    > attack (used by AirSnort) useless.
    >
    > However, there are other attacks on WEP not described in the FMS paper
    > that
    > are quite successful even when there are 0 weak IVs amongst the N million
    > IVs you've collected - search Google for korek+attacks.
    >
    >> One final note, while such cracking even with weak IV packets can be done
    >> fairly easily, it takes Linux, a laptop and some time. That certainly
    >> rules
    >> out a lot of people who don't have or won't bother.
    >
    > Indeed, wep cracking is not an instant process - it usually takes hours to
    > gather enough packets.
    >
    Thanks for the reference to Korek. Interesting stuff. I had not seen
    anything on it previously.

    --
    Bob Alston

    bobalston9 AT aol DOT com


  26. Archived from groups: alt.internet.wireless (More info?)

    Taking a moment's reflection, Christophe Devine mused:
    |
    | Indeed, wep cracking is not an instant process - it usually takes hours to
    | gather enough packets.

    Indeed. Though consider that due to the range of APs, someone doesn't
    necessarily have to sit in their car on the street for hours collecting
    packets. They can do it from their office, their living room, or their
    garage. It takes no intervention from the user to sniff packets ... just
    set up the software, leave the computer running, and come back and check it
    periodically.

    Sure it takes Linux, for now, but you can easily download it ... and
    anyone interested can do it. Perhaps the mere sight of 3 or 4 other wireless
    networks in a person's immediate area is enough of a prompt to get them to
    "check into it." Certainly one might be more tempted if they knew that
    everyone else in their building was on the same wireless network using the
    same WEP key.