WEP is dead ?

Dominick, David David.Dominick at delta.com
Tue Aug 7 05:28:36 EST 2001


/rant on

Well the sad thing is that we have been telling them this all along. WEP is
not dead, it was never alive. Hardly any security engineers that I know have
even considered using WEP because even before the crack came out WEP was far
too easy to break. Heck, all you had to do if you didn't want to crack it was
capture the SNMP password and turn off the WEP on the AP yourself!
Now there are tools for script kiddies to circumvent WEP without disabling
it. 

Yet the pat answer from IEEE and the WEP boyz is, "the Berkeley report was
far too complex to be widely implemented, and that WEP should not be used by
itself to protect sensitive data." 

Typical response of people who don't understand computers. Once the crack
was discovered and a script was written to perform it, it took about 5
seconds for that script to appear on the newsgroups that these people would
be well served to subscribe to.
If one of these IEEE people would bother to read Phrack or any of the
thousands of newsgroups, maybe we could get a solution that worked.

Several of us have been saying for a long time that you should not let your
BRIDGE provide your security.

/rant off


Good luck all.

Thank you,
David Dominick
Enterprise Security Engineering
404-202-2848

-----Original Message-----
From: Jean Tourrilhes [mailto:jt at bougret.hpl.hp.com]
Sent: Monday, August 06, 2001 2:19 PM
To: Samba/Wavelan mailing list
Subject: WEP is dead ?


	WEP is not going too well lately :
		http://www.eetimes.com/story/OEG20010803S0082
		http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf

	This attack is on the key schedule of RC4, so pretty close to
the core of the encryption mechanism.
	Note that 802.1x still uses WEP for the encryption (it just uses
a dynamic key instead of a static key), so it won't fix this problem. And
Radius/LEAP is only authentication, not encryption.
	IPsec anyone ?

	Jean



