Odd WEP Passphrase Implementation in AirPort Extreme...possible security issue?

Discussion in 'Networking & Security' started by Tim_axe, Jul 12, 2007.

  1. Tim_axe

    Tim_axe Gawd

    Messages:
    921
    Joined:
    Dec 12, 2003
    I've been googling around to see if anyone else noticed this issue, but I'm only getting results from my other forum posts regarding this. Anyways, here is the deal...I thought that the [H] should know about it... This deals with the Apple AirPort Extreme (54n?) that my dad just bought, but probably applies to other past AirPort products as well...


    When you're setting up WEP protection, you get to set up a key. For 128bit encryption, you get to provide a 104bit key, which is equivalent to 26 hexadecimal characters or 13 ASCII characters.

    Since using ASCII severely limits available key combinations (whose keyboard can readily input null / extended characters - or type control characters into an input box?) you are usually presented with the input for 26 hexadecimal characters.

    Unless you use the AirPort Extreme... Then you are allowed to type in a "passphrase" that needs to be less than 13 characters long...see the issue? This "passphrase" is used directly as the key, and if your passphrase is shorter then the hexadecimal equivalent of your key is simply padded with x00's until it is the correct length.

    Other routers implement a different passphrase system as specified in 802.11b/g. As far as I know, Apple is the only one that I know of to dissent from the standard. This difference puts users of WEP encryption at greater possible risk - few people will come up with 13 characters because this maximum length is optional, and as a result a large portion of the key can simply be padded x00's...


    On one hand, since current WEP cracking depends on the IV's (and this is 24bits long) - this means that the passphrase of at least characters theoretically (but not practically since users can't input all ASCII characters) offers more combinations and would be a slower attack. But who knows if there is an attack that makes use of known parts of the key to speed up the process?


    Here is the original example passphrase / WEP key representation that I posted:

    Code:
    Passphrase:   TheTazZone
    
    Apple Key:    54686554617A5A6F6E65000000
    Standard Key: C536E9626A397395AF5329928A


    Anyways, I thought the [H] might be interested in knowing this. If you use an AirPort product, and used a WEP passphrase...you'll want to look into getting the "standard" key conversion for it at http://www.powerdog.com/wepkey.cgi - or you might just want to take some time to set up your own random hexadecimal key to make sure you're making full use of the available key space.
     
  2. RoBo

    RoBo 2[H]4U

    Messages:
    3,533
    Joined:
    Jan 5, 2007
    I would use WPA.
     
  3. nessus

    nessus 2[H]4U

    Messages:
    2,221
    Joined:
    Jan 30, 2001
    If the wireless clients don't suppoort WPA-2. Sounds like he might have some wireless slients that don't support WPA. I can't think of another reason to stay on WEP if security is a concern.
     
  4. Tim_axe

    Tim_axe Gawd

    Messages:
    921
    Joined:
    Dec 12, 2003
    My parents initially had to use WEP to allow their older laptop to have wireless access - but I finally managed to track down updated drivers that support WPA-2 to get everything working better. I'm much happier now that we have a nice long PSK in place to keep people away from our fiber connection. :)

    But my concern over the passphrase implementation still stands - people need to realize that there are problems with a passphrase system. The example I discovered affects WEP on the AirPort. Apple didn't follow the rest of the industry here and produced a product that was not readily compatible with those from other vendors - and possibly reduced security by allowing large parts of the key to be null padded at the end.

    Finding it this late, I guess it isn't a big deal anymore...but I sure found their implementation odd.

    I was just wondering if this issue was common or known before, or if the AirPort Extreme that my dad picked up was OMO (or if he just configured it wrong)...