How Secure Is Your Wi-fi? Sometimes slow is good!

At one time Wi-fi used WEP, which used a shared key across the network. Because of a flaw in the method it could be cracked in just a few hours. Then, once the key was cracked, it was cracked for the whole network. Nowadays we use session keys for each wi-fi connection, but the password is often shared - WPA Pre-shared key. So we generate an encryption key which we share with the network.

As we want to slow down the cracking of passwords in Wi-fi we use PBKDF2 with a number of rounds and with salt.

PBKDF2's main focus is to produce a hashed version of a passphrase, and includes a salt to reduce the opportunity for a rainbow table attack. It generally uses over 1,000 iterations in order to slow down the creation of the hash, so that it can overcome brute force attacks. The generalise format for PBKDF2 is:

DK = PBKDF2(Password, Salt, MInterations, dkLen)

Where Password is the pass phrase, Salt is the salt, MInterations is the number of interations, and dklen is the length of the derived hash. Within wi-fi, the IEEE 802.11i standard defines that the pre-shared key is defined by (4,096 iterations and a 256 bit key):

PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)

So we take a passphase, add the SSID as then we generate the key. For example, let's say the passphrase is "bill" and I connect to the SSID named "bill123". You can see, as an intruder I already know the salt used, so I could guess the name of the passphrase. If we now do hash we get [Try]:

7345A3F2A0F0CA4F98AB842E03305D588B10D9B6A780CDB2D5E4D771024A59EE

Once an intruder has that, they can then decrypt an encrypted traffic, where the pre-shared key can be decrypted with:

Some other examples are:

• For WPA-2, we have a pass phrase of "originalgangster", and SSID of "og150-test" (6F673135302D74657374) with a count of 4096 and dklen of 32 bytes (256 bits) gives: 22743...6B3DA1E278C41DC1F117E [Try!][Validate]
• For WPA-2, we have a pass phrase of "foxtrot, and SSID of "ankle123" (616E6B6C65313233) with a count of 4096 and dklen of 32 bytes (256 bits) gives: 60bc...5432fa62209fe19f4d86c62 [Try!]
• For WPA-2, we have a pass phrase of "foxtrot, and SSID of "ankle123" with a count of 4096 and dklen of 32 bytes (256 bits) gives: 60bc...d5432fa62209fe19f4d86c62 [Try!]

The main thing here is that PBKDF2 is slow for 4,096 iterations, typically taking at least one second to calculate, so it is likely to take thousands of years to try a six character password (52^6 = 19,770,609,664 -> more that 37,000 years). If it is a weak password such as "password" or "qwerty", it could be easily cracked in just a few tries.

So, make sure you have a password which is more than six characters for your PSK.

If your interested, your wi-fi access point sends out a beacon for you to see its SSID (we can see an SSID of Coherer here):

In Wireshark, we can then decrypt, by either giving the raw key and the SSID, or just the passphrase and SSID:

If you are interested in PBKDF2:

In computing, sometimes slow is good: