FC: Researchers find flaws in 802.11 wireless security standard

From: Declan McCullagh (declanat_private)
Date: Tue Aug 07 2001 - 04:26:26 PDT

    Also see:
    
    Risks of Microsoft Passport
    We all know the risks of trusting DNS and the fact that users click OK when
    presented with certificate warnings in their browser. So what happens when
    you build a single sign-on model for e-commerce that leverages these
    technologies? You end up with some risks that users might not expect.
    Microsoft's ambitious Passport service uses these common Internet
    standards. Avi Rubin and Dave Kormann from AT&T Research Labs document the
    risks of the Passport system in their research report, "Risks of the
    Passport Single Signon Protocol".
    http://avirubin.com/passport.html
    
    ----
    
    Date: Tue, 07 Aug 2001 07:04:09 -0400
    From: Avi Rubin <rubinat_private>
    Organization: AT&T Labs - Research
    To: Declan McCullagh <declanat_private>
    Subject: You may find this interesting - we broke WEP
    
    We have a new paper:
    
    Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
    by
    Adam Stubblefield, John Ioannidis, and Aviel D. Rubin
    
    Abstract
    
    We implemented an attack against WEP, the link-layer security protocol
    for 802.11 networks. The attack was described in a recent paper by
    Fluhrer, Mantin, and Shamir. With our implementation, and permission of
    the network administrator, we were able to recover the secret key used
    in a production network, with a passive attack. The WEP standard uses
    RC4 IVs improperly, and the attack exploits this design failure. This
    paper describes the attack, how we implemented it, and some
    optimizations to make the attack more efficient. We conclude that 802.11
    WEP is totally insecure, and we provide some recommendations.
    	
    The paper is available at http://www.cs.rice.edu/~astubble/wep/
    
    
    Take care,
    Avi
    
    
    ---------------------------------------
    Avi Rubin, AT&T Labs - Research
    http://avirubin.com/
    
    * New Book * White-Hat Security Arsenal
    http://white-hat.org/
    ---------------------------------------
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


