AirPort 3.3 Extends WPA Security

tackaberry writes "Apple has released an update for AirPort. Version 3.3 (AEBS firmware version 5.3) includes support for Wi-Fi Protected Access (WPA) specification for non-Extreme AirPort cards (WPA was added for Extreme cards last fall in version 3.2), an alternative to the oft-maligned Wired Equivalent Privacy (WEP). Those who wish to use WPA will have to have Mac OS X Panther 10.3."

Re:What's wrong with WEP?

[Anonymous Coward]

You should be quite concerned. WEP is poorly implemented cryptography, you should see what LinkSys supports to limit access to your Router by MAC address, this won't solve the problem of your data not being 100% unreadable and such when sent over your connection, but at least no one else could hop on your network easily and steal bandwidth.

Re:What's wrong with WEP?

[NetJunkie]

Some implementations of WEP are weaker than others. The main problem is that given enough data from your network I can break your key rather quickly. Usually you are looking at several GBs of data (3 to 5GB usually). While someone wardriving wouldn't bother a neighbor with nothing but time might.

If you have a Mac...and I'm assuming you do...go check out the Kismac tool.

WPA also has some weaknesses...mainly in the WPA-PSK (pre-shared key) implementation that most home users use. You can do a dictionary attack against the key.

Re:What's wrong with WEP?

[amnesiacdotorg]

the keys used in WEP are static, not dynamic . sure, 128-bit RC4 is generally secure, but it would be really secure if the key was rotated by the access point . this is done by WPA . WPA is only a placeholder until WPA2 is released, featuring wireless robust authentication protocol and cipher block chaining message authentication code protocol or CCMP.

Re:What's wrong with WEP?

[kinnell]

You can find a good analysis here [berkeley.edu].

Re:What's wrong with WEP?

[The Bum]

Have you checked to see if Linksys has a firmware update available that adds WPA support for your access point? My Netgear WGR614 didn't support WPA until a week or so ago, although the firmware that's available is still in beta. BTW, so far it works pretty well with my 12" PowerBook G4 and iBook SE/466.

Re:Still left out in the cold for Cisco

[NetJunkie]

What's the issue? It should work fine. The AirPort Does WPA and WPA-PSK. Are you sure you are using WPA and not LEAP? I do LEAP on our 1100s..and the AirPort works with that too.

WPA PSK Dictionary attack

[nsayer]

Not only is there a WPA PSK dictionary attack, it is actually an OFFline dictionary attack - meaning that the attacker can sniff a valid authentication, then take the sniffed data back home and run the dictionary attack on his own without involving the real gatekeeper (who otherwise would see n invalid attempts in a row and have a chance to raise an alarm).

In general, any scheme where you send a random number to the client, he takes that and adds the secret sauce and sends it back for your comparison is vulnerable to offline dictionary attack.

The good news is that you can pretty easily trash an offline dictionary attempt by making up a really long and obscure passphrase.

Re:What's wrong with WEP?

[clarkcox3]

In a word, YES. WEP is a horribly insecure protocol. All it takes is time, and you can sniff WEP keys out of the air. My basic strategy for securing WiFi is to place the access point outside of my firewall, and use some VPN (or a simple ssh tunnel) to access my "real" network.

The moral: never rely on WEP to secure your network, always use some higher-level encryption to secure sensitive information.

Can't use WPA with WDS

[tackaberry]

If you've set up multiple AirPort Extreme Base Stations as a wireless distribution system (WDS) to extend your network, you have to use WEP for security. WPA cannot be used with WDS.

If you want to use WPA, you'll have to string your base stations together on the lan

Re:*&^%$#@ it! I want WPA for non-Extreme hard

[General Sherman]

They're talking about base stations here, not the wireless cards. The regular AirPort cards are upgraded, as I can confirm on my 466Mhz iBook SE. It just doesn't upgrade non-Extreme base stations. The Graphite one especially cannot handle this with it's sad little 486. =\

Works great with DLink DI624.

[Trillan]

Just installed the 1.2.8 firmware for my DLink DI624 (b) and turned it on. It works great! Bit weirded out by one thing, though: Apple's system profiler lists the AirPort card's firmware as 3.3b1. Bad Apple!

Re:WPA PSK Dictionary attack

[Beryllium Sphere(tm)]

I recommend Diceware (http://world.std.com/~reinhold/diceware.html) for generating sorta-memorable passphrases with quantifiable security. A ten-word Diceware passphrase has about 129 bits of entropy.

Linksys upgraded to support WPA

[theEd]

I don't know which Linksys product you are using, but I'm using a WRT54G. When I first bought the router it only supported WEP, but then a firmware upgrade came one day that had WPA support. Check Linksys support site.

My iBook G4 running Panther connects to my router just fine using WPA Personal (Pre-shared key in Linksys). Although I've been thinking of playing around with WPA Enterprise (RADIUS), but that takes time :)