[Dshield] Wireless networks and corporate Lans

Chris Brenton cbrenton at chrisbrenton.org
Mon Mar 1 01:34:39 GMT 2004


On Sun, 2004-02-29 at 15:38, John Holmblad wrote:
>
> The problem is not with the RC4 algorithm which is widely used in many 
> crypto systems very successfully.

Since when does "successful" translate into "secure"? ;-)

>  It is the way RC4 is applied in the 
> original WEP standard that caused the problems associated with 
> Initialization Vector wraparound and weak keys.

I'll agree that if we created a list of "the top 10 worst things about
WEP", that the small IV and failure to specify the proper handling of
the shared secret would be at the top of the list (not to mention MAC
authentication as well as a host of other issues). RC4 is less than
perfect however, and there have been a number of papers over the last 10
years on RC4's key generation and scheduling issues. Even RSA is aware
of this which is why they specify perfect forward secrecy and changing
the key _in every single packet_. A more robust algorithm with the same
IV and shared secret issues would have less of a problem. 

RC4 works better with SSL because the keys are per session and there are
typically only a few hundred packets to work with. This is a much
smaller sample to work with than you would get out of your typical AP
node, thus making cracking that much harder. So I'm not saying RC4
sucks, just that it's the wrong tool for the job.

> WPA corrects those 
> defects in the implementation while keeping the RC4 algorithm intact  
> which is why many if not most AP's and NIC cards can be upgraded via 
> software firmware to use WPA with TKIP.

I think I already stated the above in an earlier e-mail, except that WPA
only band-aids the problem (i.e. still not up to full RSA requirements).
That's why WPA is only a temporary measure till 802.11i is completed.
Yes, it's better than WEP but not as good as it could be. Otherwise why
bother with 802.11i?

>  In other words TKIP is also 
> based on RC4.  RC4 is good because it is a) simple to implement in 
> combinatorial logic and b) therefore very fast.

Both points are important when you are talking about an encryption
algorithm, but IMHO integrity is far more important. If we only cared
about simple and fast we would still be using WEP.

>  You may also be aware 
> that the soon to be ratified 802.11i standard will support, in addition 
> to TKIP, the Advanced Encryption Standard which is even more 
> cryptographically robust than TKIP.

I mentioned this in another e-mail as well, except AES is designed to
replace RC4, not TKIP.

HTH,
C
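
[Added example, not part of the original message or written by its author.] The small-IV point in this thread, sketched in Python: WEP keys RC4 per packet with IV || shared secret, so a repeated IV repeats the keystream and the XOR of two ciphertexts equals the XOR of their plaintexts. The 24-bit IV width is WEP's; the secret, IV and frame contents are constructed sample values, and the ICV is left out.

```python
import math

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    # Per-packet RC4 key is the cleartext IV prepended to the static secret.
    return xor(plaintext, rc4(iv + secret, len(plaintext)))

def packets_for_iv_collision(iv_bits: int = 24, p: float = 0.5) -> int:
    """Birthday bound: packets with random IVs until a repeat has probability p."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))

# Constructed sample values (assumptions, not from the thread).
SECRET = b"\x01\x02\x03\x04\x05"              # 40-bit static shared secret
IV = b"\xaa\xbb\xcc"                          # 24-bit IV, reused for both frames
P1 = b"constructed frame one"
P2 = b"constructed frame two"

def reuse_leaks_plaintext_xor() -> bool:
    c1 = wep_style_encrypt(IV, SECRET, P1)
    c2 = wep_style_encrypt(IV, SECRET, P2)
    # Same IV + same secret -> same keystream, which cancels out.
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("keystream reuse leaks P1^P2:", reuse_leaks_plaintext_xor())
    print("packets to 50% IV repeat (random IVs):", packets_for_iv_collision())
    print("packets to wraparound (sequential IVs):", 2 ** 24)
```

With a static shared secret the IV is the only thing that varies between packets, so the keystream space is exhausted after at most 2^24 frames, which is why per-packet key changes matter.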




