A wireless security expert has detected a glaring weakness in the
interface design of a highly touted Wi-Fi Protected Access (WPA) protocol
deployed in numerous Wireless LAN
According to a research paper posted
on Wi-Fi Networking News, the weakness could allow intruders to crack
poorly chosen passphrases via offline dictionary attacks.
The weakness detailed in the research paper written by IEEE and IETF
committee member Robert Moskowitz means that Wi-Fi
products that ship with WPA might be less secure than the older Wireless
Encryption Protocol (WEP), which it replaced.
The WPA standard, unveiled in
late 2002 as the replacement for WEP
upon the security features in wireless networks. Specifically, WPA offered
improved data encryption through the temporal key integrity protocol (TKIP).
The TKIP feature scrambles the keys using a hashing algorithm and, by
adding an integrity-checking feature, ensures that the keys haven’t been
tampered with. WEP, on the other hand, uses a static key that is seldom
changed by users. This cryptographic weakness is responsible for many of the
known security issues in WLANs because intruders could easily figure out an
encryption key and access a wireless network.
The latest weakness only takes effect when short, text-based keys are
used and does not reflect a fault in the WPA
weakness was described as an interface problem that allows a user to enter
weak keys that can be cracked with offline dictionary attacks.
And, according to Moskowitz, the weakness can be avoided if WLAN hardware
manufacturers build units with the ability to generate random keys that can
be copied and pasted across systems. Manufacturers can also restrict the
ability to enter weak keys by requiring passphrases with numerous characters
instead of words that can be found in the dictionary.
The researcher warned that dictionary based programs used to crack
passwords are heavily used by criminal hackers.
has rolled out a free Windows
XP download with support for WPA.
The XP update tweaks the way the OS communicates with the Wi-Fi protocol.
Instead of having one encrypted key for everyone to connect to the network,
Microsoft said its WPA update would provide separate keys for each system
connecting to the Wi-Fi network.