In Part 1 and Part 2 of my blog series, I shared some insights into how attackers continue to exploit the weaknesses of WPA and the tools and techniques they are using to gain access to poorly secured networks. In the last post of the series, I will offer some suggestions for how organizations can better protect their networks against these kinds of attacks.
Where Do We Go from Here?
Knowing some of the methods used to make cracking more efficient now allows us to make some smarter decisions on the type of PSKs we use going forward. Here are my recommendations.
1. Use longer WPA PSKs instead of more complex character sets.
Our previous example of the eight-character PSK cited roughly 1.4 years to get through the full set, but we can make that much more difficult. Contrary to what we’ve historically been told, password complexity actually matters less than password length due to the resultant entropy gained.
For instance, if we bump the character set up to alphanumeric with special characters (94 characters) our value of 94^8 gets us to a value near 38 years of compute time assuming the previous hashing rate. While this seems to be a good jump, in comparison, going back to an alphanumeric set (64) and using a password doubled in length (16), our resultant set of 64^16 would take us around 502,461,710,516,643 years to compute at 5 million hashes per second.
As you can see, increasing our key length increases compute requirements significantly faster than increasing our character set.
2. Use human readable PSKs that are not likely to be used in common language.
While we can see that using longer keys makes it harder for crackers, it can also make it harder for users if these are truly randomly generated strings, especially if entering this key in to the end device is not a trivial task such as with medical devices, IoT hardware or shared hardware.
Passphrases tend to be much easier for humans to remember and enter in without error. Usually a simple sentence (even with spaces) can accomplish this wonderfully. Care still needs to be taken so that common phrases which may already exist in password lists or targeted phrases (such as company slogans) aren’t selected, as they’ll likely be tried first.
While using something like “Hi my name is Werner Brandes my voice is my passport verify me” certainly hits the length requirement, using a quote from a popular hacker movie might not be the best idea. Instead, using random words that are human readable will still tick all the boxes without it being as likely to be found in a password/passphrase list (while the concept is sound, you might want to avoid using “correct horse battery staple“).
Key rotation can also assist in reducing the likelihood that an attacker will be able to crack a PMK from a captured handshake. We can treat time as a variable just as we have for key length and complexity by reducing the time available that the key in question is valid.
If the PSK is rotated every year and it takes several years to crack, we are again reducing the likelihood the attack can be effective. While this is great in concept, this is very difficult to accomplish in practice across all devices. Often, this means touching every single device in the environment to make the change, which is not going to be agreeable to most organizations.
3. For maximum wireless security, use WPA Enterprise whenever possible.
While the key generation process is slightly different from WPA PSK, WPA-Enterprise uses key rotation of the broadcast key to achieve a similar result. A new value for this key is generated frequently enough (a time period that is typically user adjustable) that attackers have little to no hope of breaking the key in hours or minutes before its next rotation.
Another benefit to WPA-Enterprise is that encryption passphrase is never stored on the client machine, unlike WPA PSK. Often, wireless security is compromised not by cracking software or weak PSKs but rather by the end device being compromised (malware, phishing, etc.), or even just users sharing PSKs with unauthorized people. WPA-Enterprise keys are created and assigned per user session in the background.
This prevents the user (or attacker) from being able to discover and distribute the key. The “per session” is another important security measure as a user with multiple devices (laptop and phone, for instance) using the same credentials should get unique keys for each device. This means that the (unlikely) successful key reversal for one of these devices does not equate to key reversal for the second device.
More Help Is on the Way
Thankfully, WPA3 is on the way shortly and will solve much of our key cracking problems. WPA-3 Personal will now offer Simultaneous Authentication of Equals (SAE) via the Dragonfly Key Exchange, which boasts a secure handshake backed by published cryptographic proof.
The critical thing that Dragonfly gives us that WPA2 does not is that Dragonfly is also resilient to offline attacks. Provided proper implementation of the handshake by vendors, this makes all efforts of large compute dedicated to cracking worthless.
Unfortunately, the Wi-Fi Alliance’s specification did not mandate several other originally proposed features in WPA3. So, while it is an improvement, WPA3 is not all it could have been. This means we may see feature implementation differ by vendor, which in the past has led to consumer confusion or, at worst, feature disuse due to interop issues.
Two very thoughtful posts on WPA3 by noted security researcher, Dr. Mathy Vanhoef, contain much more depth in technical detail and perspective on “what could have been” than mentioned here. These posts can be found here and here.
Wrapping these PSK suggestions into your organization’s password policies can keep you reasonably safe when securing against offline key cracking from packets captured over the air. Typically, the biggest risk is having a PSK present on all devices in the organization that are subject to theft, loss, or lack of ongoing control, such as in employee departure.
Unauthorized use of a PSK is also typically difficult to detect. As previously mentioned, WPA-Enterprise is recommended where possible to mitigate many of these risks.
Additional wider security guidance can be found at the National Institute of Standards and Technology’s digital identity guidelines page. Though these concepts are stated in more general terms, content in Document SP 800-63B may further assist in establishing policies and standards for your organization’s wireless security.