tim finin writes: "WEP is the security protocol used in the widely deployed IEEE 802.11
wireless LAN's. "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir describes new results on
RC4 with a practical attack against WEP -- an extremely powerful attack which can be applied even when WEP's RC4 stream cipher uses a 2048 bit secret key (its maximal size) and 128 bit IV modifiers (as proposed in WEP2). The attacker can be a completely passive eavesdropper (i.e., he does not have to inject packets, monitor responses, or use accomplices) and thus his existence is essentially undetectable. After scanning several hundred thousand packets, the attacker can completely recover the secret key and thus decrypt all the ciphertexts. The running time of the attack grows linearly instead of exponentially with the key size, and thus it is negligible even for 2048 bit keys." The brave can jump straight to the paper in pure, clean, postscript or PDF format.
2. I have not yet seen an access point that really gives you the freedom to use whatever the client wants. Typically, you have to
configure the access point to certain strategy (40 bit, 128 bit encryption), and every single client must know the key and follow
that everyone sharing the same encryption key.
I have not personally used these since their release but here's ciscos [cisco.com] new access points that are suppose to support unique keys per client and other things, but the new crack would invalidate this improvement too.
This will mean tons of wireless LAN hardware will have to go in the junker. This isn't a small problem, its a BIG security hole, in hardware that is being used today in thousands of homes.
Either way, when will we learn that any security measure will eventually be compromised, its only a matter of time. Using lousy encryption schemes as was the case here, will only mean that a hole in the security is found sooner rather than later.
Re:Hardly a surprise (Score:1)
I have not personally used these since their release but here's ciscos [cisco.com] new access points that are suppose to support unique keys per client and other things, but the new crack would invalidate this improvement too.
Anyone have details or use this cisco stuff??
DMCA time (Score:2)
(Not that there's any chance of it. But still, it makes you think.)
-----
Re:Why hide this? (Score:1)
Why hide this? (Score:2)
This should be on the front page!! (Score:1)
Either way, when will we learn that any security measure will eventually be compromised, its only a matter of time. Using lousy encryption schemes as was the case here, will only mean that a hole in the security is found sooner rather than later.