
Re: Wireless home LAN - WiFi vs Bluetooth?



	Hi.

On Wed, Jul 31, 2019 at 07:58:54AM -0400, Celejar wrote:
> On Wed, 31 Jul 2019 10:43:48 +0300
> Reco <recoverym4n@enotuniq.net> wrote:
> 
> > 	Hi.
> > 
> > On Tue, Jul 30, 2019 at 07:06:08PM -0400, Celejar wrote:
> > > On Mon, 29 Jul 2019 13:57:25 +0300
> > > Reco <recoverym4n@enotuniq.net> wrote:
> > > 
> > > ...
> > > 
> > > > WPA2's (that's your conventional WiFi standard) secure configuration is
> > > > fiendishly difficult. 
> > > 
> > > I take your point, but "fiendishly difficult"? I think you're
> > > exaggerating.
> > 
> > WPA Enterprise. 802.1r. An "interesting" choice between CCMP and TKIP
> > (yep, it's hardware dependent). De-authentication attacks. "Evil twin"
> > attacks.
> > 
> > I meant it when I wrote "fiendishly difficult".
> 
> I'm afraid that I'm missing your point. The context here was a home
> user choosing between wifi and wired ethernet, and you are arguing that
> configuring wifi securely is fiendishly difficult. Why are we talking
> about WPA Enterprise, as opposed to PSK?

If you need to eavesdrop Ethernet you need to tap wires physically.
If you need to eavesdrop WiFi then all you need is 802.1x compliant card
and to be in range.
Hence WPA encryption is a vital part of WiFi security. Such encryption
is as good as the session key, transmission of which is protected either
by PSK (bad) or EAP (better if you can use these '09 extensions).
Therefore one *needs* to use EAP aka WPA Enterprise to get a secure
WiFi.


> > > > You have authentication frames that can be intercepted (so WPA
> > > > passphrase can be bruteforced).
> > > 
> > > Lots of things (such as TLS, ssh) can theoretically be brute forced -
> > > the question is whether such brute forcing is sufficiently practical to
> > > be a threat. I have seen nothing to indicate that properly configured
> > > WPA2 can be realistically brute forced.
> > 
> > For WPA2 it's not that hard really, assuming pre-shared key usage.
> > Can be expensive (all those videocards and ASICs have their cost), but
> > definitely doable.
> 
> I'd be interested in seeing some real-world studies, or simply just a
> mathematical analysis of how much hardware would be necessary to crack
> a good WPA2 password. I've seen lots of sites explaining how to use
> hashcat with a GPU, and various real-world tests on lists of hashed
> passwords (e.g., [1]), but can you provide a serious analysis of the
> practical cost, in time or hardware, of cracking a real-world WPA setup?

Cost - Amazon will take 11c per hour for that VM that comes with NVIDIA
Tesla videocard.
Said hour is more than enough to bruteforce 8 character WPA passphrase
with hashcat.


> > You have several encryption algorithms, but:
> > > > b) You may have a hardware that lack support for a good ones.
> > > 
> > > I suppose, but my impression is that most hardware from the last few
> > > years is fine.
> > 
> > Cheap smartphones and tablets. Whatever they put instead of a proper
> 
> This misses the point - we're comparing ethernet to wifi. Cheap
> smartphones and tablets aren't usually going to support ethernet.

You seem to misunderstand me.

You have a network that's supposed to be secure.
You have that small herd of assorted client devices, some of them are
better, some are worse.
Excommunicating "bad devices" from the network is usually out of the
question if said devices are owned by family members or trusted friends
or, say, business associates.

Due to the way APs work you cannot announce one set of encryption
algorithms to one client, and different one to another, hence you bring
down announced algorithms to the lowest common denominator.

You can announce several, but it's bad for obvious reasons.
You *could* get away with it with multiple virtual APs, but that adds
complexity.

A classical example of one rotten apple spoiling the whole barrel.


> > WiFi in printers (yep, I'm looking at you, HP). Oh, D-Link and Linksys.
> > There are *always* some exceptions to "newer is the better" rule.
> 
> D-Link and Linksys don't support WPA2-PSK with AES?

If you mean "random hangs and CPU exhaustion" by trying to use CCMP -
then yes, they do. But usually you're limited to TKIP if you need a
glimpse of stability. Ones that I've seen, anyway. Maybe they hid good
ones from me ;)

Reco
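
Added example, not part of the original message or thread: the quoted request for a mathematical analysis of WPA2-PSK passphrase cracking cost, worked as a passphrase-sizing calculation. It derives the key the way WPA2-PSK does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and computes how long a random passphrase must be to outlast exhaustive search; the guess rate is an assumption, not a figure from the thread, and should be replaced with a measured one.

```python
import hashlib

SECONDS_PER_YEAR = 365 * 24 * 3600

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases of exactly this length."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: int) -> float:
    """Worst-case search time; each guess costs one full PBKDF2 run."""
    return keyspace(alphabet_size, length) / guesses_per_second

def min_length(alphabet_size: int, guesses_per_second: int, target_years: int):
    """Shortest random passphrase whose keyspace outlasts target_years of
    guessing at the given rate, or None if 63 characters is not enough."""
    budget = guesses_per_second * target_years * SECONDS_PER_YEAR
    for length in range(8, 64):
        if keyspace(alphabet_size, length) >= budget:
            return length
    return None

if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses/second: ASSUMPTION, replace with a measured figure
    alphabets = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}
    print(wpa2_pmk("password", "IEEE").hex())  # IEEE 802.11i test vector
    for name, size in alphabets.items():
        days = seconds_to_exhaust(size, 8, ASSUMED_RATE) / 86400
        print(f"{name:16} 8 chars: {days:14.2f} days; "
              f"length for 100 years: {min_length(size, ASSUMED_RATE, 100)}")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, and the result only holds for passphrases chosen uniformly at random from the stated alphabet.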

