From owner-freebsd-questions@FreeBSD.ORG Wed Apr 24 20:16:51 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6AA803C5 for ; Wed, 24 Apr 2013 20:16:51 +0000 (UTC) (envelope-from freebsd-questions@m.gmane.org) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) by mx1.freebsd.org (Postfix) with ESMTP id 2AD491CAD for ; Wed, 24 Apr 2013 20:16:50 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1UV67V-0000Tw-44 for freebsd-questions@freebsd.org; Wed, 24 Apr 2013 22:16:49 +0200 Received: from pool-173-79-84-117.washdc.fios.verizon.net ([173.79.84.117]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 24 Apr 2013 22:16:49 +0200 Received: from nightrecon by pool-173-79-84-117.washdc.fios.verizon.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 24 Apr 2013 22:16:49 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-questions@freebsd.org From: Michael Powell Subject: Re: Home WiFi Router with pfSense or m0n0wall? Date: Wed, 24 Apr 2013 16:16:32 -0400 Lines: 58 Message-ID: References: <20130423010407.25a73c92@gumby.homeunix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7Bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: pool-173-79-84-117.washdc.fios.verizon.net X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: nightrecon@hotmail.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 20:16:51 -0000 Alejandro Imass wrote: [snip] >>> Most consider the answer to use WPA2, which I do use too. Many think >>> it is 'virtually' unbreakable, but this really is not true; it just >>> takes longer. I've done WPA2 keys in as little as 2-3 hours before. >> >> Are you saying that any WPA2 key can be cracked or or you simply >> referring to weak keys? > > I would also like to specifically if it's for weak keys or are all > WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise > as weak also. Could anyone expand on how weak is WPA2 and WPA2 > Enterprise or is this related to weak PSKs only?? > I'm just a lowly sysadmin and not any kind of crypto expert. The problem is time and horsepower. While a ridiculously easy key of say 4 characters that is not salted may be doable on a PC, once you start to get to 8-9 characters or more the time it takes begins to get huge fast. It's a matter of can you tie up the resource long enough to wait it out. Throw salting into the mix and it gets longer again. What I do at home is concatenate 2 ham radio call signs of friends that I can remember. Then I sha256 that and select from the end backwards 15 characters. This won't actually defeat the inherent weakness of using a pre- shared key, but it will take longer for a simple brute force. You should also throw in additional characters from your character set beyond just alpha/numerics. Also, my little tinkertoy i5-3570K overclocked up to 4.5GHz is just that - a toy. I can use it to generate a trace file, which I then take to work and replay it using a z196 when they occasionally allow me to play for bit. I also have rainbow tables and dictionary word-lists pregenerated for cheating. Another thing people are playing with is stuffing 4 high end video cards in a box and using them for computation. This enhances the PC platform beyond just using the CPU. There are also people doing this "in the cloud". And they will rent you compute time for a fee. :-) The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA is stronger because it is a user account based system which authenticates using 802.1x via a Radius server. You can even assign certificates to user accounts and if they don't have the cert on the client they are trying to connect with, it won't. Throw Kerberos re-ticketing into the mix adds another layer to the onion. I seem to think recalling something about Kerberos re-ticketing something like every 900 seconds, or something like that. Switches and other network equipment that supports 802.1x can also filter out traffic that is not authorized. Bottom line is Enterprise is better than a simple pre-shared key. But it involves radius, dns/dhcp, windows domain controllers, active directory, a PKI infrastrucure and access points that are designed for use in this environment (and they cost more). So while it may be more secure than a simple pre-shared key, it is simply not practical for the home user as they won't have all the 'other' resources required to utilize it. -Mike