Security Basics mailing list archives

Re: Is Dynamic WEP Secure Enough?

From: John Pettitt <jpp () cloudview com>
Date: Wed, 23 Mar 2005 11:15:34 -0800



shankarnarayan.d () netsol co in wrote:

[snip]

To an external user (sitting in the parking lot) this poses 5 levels of randomness - 

1.  different users have different keys
2.  different users changing their keys at different points in time 
3.  different users traversing across Access Points and hence changing their keys 
4.  The physical security that is existing on the ground that can contribute (if not greatly - at least to a 
reasonable extent) and hence the probability of finding out a parking lot hacker 
5.  Add again the probability of this guy getting sufficient numbers of weak IV's

The point is that even with lots of different keys an active attack can
generate enough traffic to exploit.

SHOULD WE STILL BE AS PARANOID AS THESE MAILS SOUND OR CAN WE RELAX A BIT.

There are two issues here.

One is understanding the threat.   Given that the organization in the
original post feels strongly enough about security to have guards
roaming the parking lots one can assume a high enough value target to be
worth attacking.   A motivated attacker will have the latest tools and
enough computing power to exploit a weak system.

Second - once you understand the threat the question becomes how to
respond.  WEP is not a good response for several reasons.  Chief amongst
them is that it's basically flawed (bad design) so anything you do on
top of it is effectivly re-arranging the deck furniture on the
Titanic.   While dynamically changing the WEP key makes it harder to
attack it doesn't make it infeasible to attack.    The point of
cryptographic security is to make attacks prohibitively expensive in
terms of computing power and time - WEP doesn't meet this test.

So when considering a new infrastructure upgrade do you a) use a system
that's known to be broken and hope it holds together or b) do it right
and switch to a VPN system designed from the ground up for use in
hostile environments?

Remember "Just because I'm paranoid it doesn't mean they are not out to
get me:"

John

Current thread:

Is Dynamic WEP Secure Enough? Jon Smith (Mar 21)
- Re: Is Dynamic WEP Secure Enough? John Pettitt (Mar 21)
- Re: Is Dynamic WEP Secure Enough? Vladamir (Mar 21)
- Re: Is Dynamic WEP Secure Enough? Kelly Martin (Mar 21)
  - Re: Is Dynamic WEP Secure Enough? Vladamir (Mar 22)
- RE: Is Dynamic WEP Secure Enough? David Gillett (Mar 22)
- Re: Is Dynamic WEP Secure Enough? Steve (Mar 22)
- <Possible follow-ups>
- Re: Is Dynamic WEP Secure Enough? Jon Smith (Mar 22)
- Re: Is Dynamic WEP Secure Enough? shankarnarayan.d (Mar 23)
  - Re: Is Dynamic WEP Secure Enough? John Pettitt (Mar 23)
  - Re: Is Dynamic WEP Secure Enough? Vladamir (Mar 23)
    - Re: Is Dynamic WEP Secure Enough? Kinnell (Mar 28)