Firewall Wizards mailing list archives
Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te
From: daw () taverner cs berkeley edu (David Wagner)
Date: Wed, 5 Nov 2003 08:26:59 +0000 (UTC)
Ben Nagy wrote:
LEAP is "broken". That's easy for people to say, and to an extent it's true. However, some people may overestimate the extent of its broken-ness. The basic problem is that there's a really, really _stupid_ crypto mistake which I can't believe they missed. The LEAP Flaw: The SekRiT PaSsWorD is shoved through MD4, which produces a 16 byte hash. This hash is then padded with 5 nulls (whups!) to produce 21 bytes. The result is split into three chunks of 7. That happens to be the same as a 56 bit DES key. These three keys are each used to encrypt one single challenge in sort of ECB (no chaining, anyway), concatenate the outputs and send it as the response. In other words, the response is E(chunk1){challenge} + E(chunk2){challenge} + E(chunk3){challenge}. This is a dumb idea.
Hey, you're right -- that *IS* a lame idea. Good catch. Gee, this is looking awfully familiar to me. Hmm... Oh, right, now I remember why: This is the same broken scheme used in MS-CHAPv2 (the authentication mechanism for Microsoft's PPTP). I remembering finding exactly this flaw in MS-CHAPv2 back in 1999. I'm sure I'm not the only one who has noticed this, but here's a pointer to the MS-CHAPv2 analysis: http://www.cs.berkeley.edu/~daw/my-posts/mschapv2-twobytes Bruce Schneier, Mudge, and David Wagner, "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)", http://www.cs.berkeley.edu/~daw/papers/pptpv2.pdf One is surprised that they didn't take more care with the crypto in LEAP. Silly rabbit, no trix for you!
Please remember that the authentication is only one part of the security - there is still some link encryption, and to my quick skim Cisco's pre-standard "TKIP" fixes the most egregious of the WEP problems.
Yes. WPA (TKIP) and 802.11i (CCMP) should be a significant step forward, though the key management issues still seem challenging. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- (In)security of wireless LANs and the Cisco Wireless Security Sui te Stewart, John (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te R. DuFresne (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te John Adams (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te R. DuFresne (Nov 05)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te John Adams (Nov 04)
- RE: (In)security of wireless LANs and the Cisco Wireless Security Sui te Ben Nagy (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te David Wagner (Nov 05)
- Problem with TCP 1433, conduits and ACLs... Wes Noonan (Nov 26)
- RE: Problem with TCP 1433, conduits and ACLs... Andy Lyakhovetskiy (Nov 28)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te David Wagner (Nov 05)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Sui te R. DuFresne (Nov 04)
- Re: (In)security of wireless LANs and the Cisco Wireless Security Suite Mikael Olsson (Nov 04)
- <Possible follow-ups>
- RE: (In)security of wireless LANs and the Cisco Wireless Security Sui te Sloane, David (Nov 04)