Date:      Wed, 24 Mar 2004 23:32:27 +0900 (JST)
From:      Motonori Shindo <mshindo@mshindo.net>
To:        ken@kdm.org
Cc:        freebsd-net@freebsd.org
Subject:   Re: WEP problems with ndis and ath drivers
Message-ID:  <20040324.233227.125900342.mshindo@mshindo.net>
In-Reply-To: <20040324055204.GB57761@panzer.kdm.org>
References:  <406108F7.3030704@comcast.net> <20040324.143622.59463083.mshindo@mshindo.net> <20040324055204.GB57761@panzer.kdm.org>

Kenneth,

Well, this is a bit off topic for this mailing list, but let me
continue:-)

From: "Kenneth D. Merry" <ken@kdm.org>
Subject: Re: WEP problems with ndis and ath drivers
Date: Tue, 23 Mar 2004 22:52:04 -0700

> > Shared-key authentication is in fact a worse option than open
> > authentication. Basic idea how shared-key authentication works is as
> > follows:

(snip)

> > Considering all this, Access Point should always reject shared-key
> > authentication even if Station requests it. 
> 
> Yikes!!
> 
> That is bad.  So what's the point of WEP then?  I knew it was insecure, but
> that is pretty lame.  Is there any other authentication scheme for WEP that
> won't reveal the key to a malicious 3rd party?

A couple of clarifications I'd like to make:

 1) Shared-key Authentication is broken not because WEP is insecure.
    It is broken by design. Any stream cipher with this type of
    authentication scheme will exhibit the same problem. 

 2) Shared-key Authentication doesn't reveal the WEP key. What it
    reveals is the "key stream" that is generated out of RC4.

As for an authentication scheme, 802.1x with EAP/TLS is considered to be
reasonably secure.

> I suppose, at least with my router, the best thing to do would be to use
> WEP for data transmission and control access via MAC address.  The next
> step would probably be to put a firewall on the inside of the router and
> only allow through traffic that is encrypted with IPSec...

WEP is also broken and MAC address spoofing is quite easy. If your
router supports neither 802.1x nor WPA, use WEP wisely:-) For example,
change the key as frequently as you can, use the longest key length
possible, and stay away from automatic key generation from a pass
phrase, etc.
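
Added example, not part of the original message: a simplified model of the shared-key challenge/response that illustrates clarifications 1) and 2) above, run once with RC4 and once with an unrelated stream cipher. The key, IV and challenges are constructed values, `hash_keystream` is a hypothetical second cipher, and the ICV and 802.11 framing are left out.

```python
import hashlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of output."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def hash_keystream(seed: bytes, n: int) -> bytes:
    """Hypothetical second stream cipher (SHA-256 in counter mode), unrelated to RC4."""
    blocks = (hashlib.sha256(seed + c.to_bytes(4, "big")).digest() for c in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def station_response(cipher, iv: bytes, key: bytes, challenge: bytes) -> bytes:
    """Station side: encrypt the AP's cleartext challenge under IV || key."""
    return xor(challenge, cipher(iv + key, len(challenge)))

def observed_keystream(challenge: bytes, response: bytes) -> bytes:
    """Passive observer: both inputs cross the air; the key is not an input."""
    return xor(challenge, response)

def demo(cipher) -> dict:
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")           # constructed IV, sent in the clear
    c1 = hashlib.sha256(b"constructed challenge 1").digest() * 4   # 128 bytes
    c2 = hashlib.sha256(b"constructed challenge 2").digest() * 4
    leaked = observed_keystream(c1, station_response(cipher, iv, key, c1))
    return {
        # Point 2: what leaks is the cipher output for this IV, not the key.
        "leak_is_keystream": leaked == cipher(iv + key, len(c1)),
        # Point 1: a correct reply under the same IV follows from the leak alone,
        # so a correct reply does not prove the sender holds the key.
        "reply_determined_by_leak": xor(c2, leaked) == station_response(cipher, iv, key, c2),
    }

if __name__ == "__main__":
    for cipher in (rc4_keystream, hash_keystream):
        print(cipher.__name__, demo(cipher))
```

Both ciphers give the same result, which is why the access point gains nothing from the exchange and should reject it, as the message says.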
