WEP is dead

Not sure where I saw this originally, since it floated throught he aggregator just before the machine went off to Apple, but WEP (wireless equivalent privacy) is now, officially, completely, and totally dead. Not resting, not tired, although there probably have been some prolonged squwaks. It appears to have been nailed to the perch.

The final nail (pdf link) is a paper that details how to use some of the more unfortunate design decisions in WEP to inject valid data in to a closed network after sniffing just one encrypted packet. Using that, they bootstrap to decrypting individual packets or build a dictionary of keystream bits within a minute.

This news provided the kick in the butt that I needed to get the home network off of WEP. I was using WEP because it worked out of the box with the macs and the WET11 that runs the music system, and intertia. Networks that are mostly working tend to remain in that state aslong as I’m not playing with them.

Using OpenWRT, it’s actually quite easy to get WPA (the next generation, that is apparently not vunerable to this attack) working with the family macs. I’m using the WhiteRussian RC5 on a Buffalo Airstream and a Linksys WRT54GL router.

First, according ot the docs you need to install the nas package. As root on the router:

ipkg update
ipkg install nas 

Apparently the mac is not too happy with AES for encryption. I simply get that there was an error joining the network. So the appropriate settings for WPA with pre-shared keys on the wireless confuguration page are:

WPA1 on, WPA2 off
RC4 (tkip) on, AES off

Put in a password, and the macs should be good. I’ve tested with airports and airport extremes, but only with tiger, nothing older.

The music network is still working, but it’s running on a separate network, 802.11b only, and no encryption at all. Since there’s no DHCP, no routing, and only the music service (a SliMP3 server) available, I’m not bothering with encryption there.

No comments

No comments yet. Be the first.

Leave a reply

You must be logged in to post a comment.