Which encryption method should I use for my home network?

[cube_rat]

El Gaupo - Kathy says "long time, no see!"

Quote:

Originally Posted by cube_rat

El Gaupo - Kathy says "long time, no see!"

Not El Guapo, but I use WPA - Which is supposed to be more secure than WEP. -

[cute fuzzy bunny]

wpa or wpa2, using a 'pre-shared key' or PSK. WEP is less than worthless. I've had some trouble with lousy vendor implementations of wpa2, so if it doesnt work or requires a driver/firmware upgrade to implement wpa2 and that driver/firmware creates new problems for you, drop back to the original s/w and use wpa.

[soupcxan]

You should definitely use WPA-PSK as it is more secure than WEP, and all standard equipment now supports it. However, for as much as WEP is put down for being "insecure" - it is not a trivial task for someone to crack it, and I doubt someone would really invest the effort just to get into your home network (if you had a corporate network, that might attract more attention).

I set about trying to crack my own home WEP network just to see how hard it would be. First you need to get the right software, most of which runs on Linux (this is going to be beyond most average users). Eventually I found a copy for Windows (that only runs from the command line) but found that it didn't support my wireless card's chipset. So I borrowed a compatible card and after some tweaking, it started capturing packets. But for an infrequently used home network, there was not nearly enough traffic to get enough packets to crack the password. The solution is to use packet injection (where you create your own traffic on the target network, then use those packets to decrypt the key). However, this requires a second computer with a wireless card. Once I got that setup, it was still fairly slow to generate sample packets. At the rate I was going, it would have taken several days or possibly even a few weeks to get enough data to crack the password. I also found that the cracking software was quite unreliable and would often crash randomly, losing a entire days' worth of packets. At that point, I gave up, never successfully breaking into my own network.

Now, if you were experienced with this, and had done all the prep work (bug-free software/hardware, probably running linux, and a 2nd computer for packet injection) then it would go a lot faster, but you'd still have to wait for the software to capture enough packets to get a password. And I seriously doubt that anyone with this capability is going to bother breaking into my home network...there's just nothing exciting about that. Even if he did this in the hopes of getting into my Vanguard account, there's another layer of security from the browser encryption. Could someone potentially bypass that with man-in-the-middle attack and then get my Vanguard info? Theoretically, yes, but they would have to know that I have an account there...and do a whole lot more legwork after cracking WEP.

In terms of the effort vs. return tradeoff...you could do all of this work in the off chance of catching someone with a large account, and then hope they don't notice when you transfer all your funds out. But it's far easier to send out phishing emails or distribute spyware, so these types of attacks are much more prevalent and present a much greater risk to the "average" person.

[F M All]

Quote:

Originally Posted by soupcxan

But for an infrequently used home network, there was not nearly enough traffic to get enough packets to crack the password. The solution is to use packet injection (where you create your own traffic on the target network, then use those packets to decrypt the key).

How do you get the second computer to generate packets on the network if you do not know the WEP code to get it on the network?

[soupcxan]

Quote:

Originally Posted by F M All

How do you get the second computer to generate packets on the network if you do not know the WEP code to get it on the network?

Once you have captured a legtimately encrypted packet from an authorized system to the access point, you can re-send it thousands of times from your second computer, which will generate thousands of encrypted reponses from the access point, which your first computer can see (even though it can't read the contents of these packets). Each of these packets has an unencrypted intitalization vector (IV) from the access point, and once you've gathered enough IVs (between 100k-1M depending on the key strength) you can narrow the range of possible WEP keys, then brute force it (which can still take a while if your WEP key isn't a standard dictionary word).

It's easier said than done.

[donheff]

Sounds like for a home network WEP security is a factor of distance to and makeup of neighbors. Close by with a lot of teen-agers and 20 somethings and you might have to worry about a prank "can I do it" crack. The odds of Russian mobsters sitting at the curb with their mobile packet sniffers are so remote they are not worth considering. It would be a heck of a lot easier to break in and steal the computers. Or drive down the block - when I visit NY City it still looks like about 1/3 to 1/2 of WIFI networks are left unsecured.

[cube_rat]

Fellas - My post was a joke! Kathy Bates missed Mr. El Guapo.

I'm pretty comfortable with my home network set-up. I am a paid IT geek afterall... :P