  #1  
Old 07-29-2004, 12:24 PM
sam1967@hetnet.nl
 
Posts: n/a
Default AUTHENTICATION : Open System or Shared Key

I just read that - paradoxically - Open system is more secure than
Shared Key because the Shared Key can be sniffed and cracked (if you
pardon the expression).

I am setting up a small home system and would assume that Shared Key
is a better option as it would prevent the next door neighbour (who is
almost certainly not a hacker capable of sniffing and entering) from
associating to the network.

any thoughts on which is best for a small network ?



  #2  
Old 07-29-2004, 01:33 PM
Lars M. Hansen
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

On Thu, 29 Jul 2004 19:24:23 +0100, sam1967@hetnet.nl spoketh

>I just read that - paradoxically - Open system is more secure than
>Shared Key because the Shared Key can be sniffed and cracked (if you
>pardon the expression).
>
>I am setting up a small home system and would assume that Shared Key
>is a better option as it would prevent the next door neighbour (who is
>almost certainly not a hacker capable of sniffing and entering) from
>associating to the network.
>
>any thoughts on which is best for a small network ?
>


Why would you assume that the opposite of what you stated one paragraph
up would be better?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
  #3  
Old 07-29-2004, 01:40 PM
sam1967@hetnet.nl
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

On Thu, 29 Jul 2004 15:33:09 -0400, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>On Thu, 29 Jul 2004 19:24:23 +0100, sam1967@hetnet.nl spoketh
>
>>I just read that - paradoxically - Open system is more secure than
>>Shared Key because the Shared Key can be sniffed and cracked (if you
>>pardon the expression).
>>
>>I am setting up a small home system and would assume that Shared Key
>>is a better option as it would prevent the next door neighbour (who is
>>almost certainly not a hacker capable of sniffing and entering) from
>>associating to the network.
>>
>>any thoughts on which is best for a small network ?
>>

>
>Why would you assume that the opposite of what you stated one paragraph
>up would be better?
>

is that an opinion or are you just blowing your nose - metaphorically
speaking.

I am confused as to why anyone would think an Open System was more
secure than a Shared Key system but that is what the book says.

care to contribute anything useful ?



  #4  
Old 07-29-2004, 03:19 PM
gary
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key


<sam1967@hetnet.nl> wrote in message
news:j1gig09kucinuj000c96sapgv13am2rs2v@4ax.com...
> I just read that - paradoxically - Open system is more secure than
> Shared Key because the Shared Key can be sniffed and cracked (if you
> pardon the expression).
>
> I am setting up a small home system and would assume that Shared Key
> is a better option as it would prevent the next door neighbour (who is
> almost certainly not a hacker capable of sniffing and entering) from
> associating to the network.
>
> any thoughts on which is best for a small network ?
>
>
>


The difference is really pretty trivial. In shared-key authentication, the
AP sends out a pseudo-random sequence of bytes, unencrypted. The station
trying to associate must encrypt the string and send it back. The AP doesn't
allow the association process to complete unless it recovers the original
string by decrypting (which "proves" that the client is using the same WEP
key). In open authentication, any station is allowed to associate. But if
WEP is used, association is useless. You still have to encrypt correctly in
order to exchange any IP packets. All you've really done is push
authentication up to layer 3.

The main problem with shared-key authentication is that it gives a hacker
monitoring the network a free sample of a matched plaintext/codetext pair.
At the very least it allows the hacker to recover the exact keystream used
to encrypt that frame, which can then be directly used to decrypt the first
several bytes of any subsequent frame using the same IV value. It is also a
freebie first entry in a database that could eventually be used to recover
the shared key. Also, the plaintext may give some insight into the
pseudorandom algorithm used by the AP, which might also be used in
encryption.


Reply With Quote
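The exchange gary describes above, modelled offline as an added example (not part of the original thread): the AP's clear-text challenge and the station's WEP-encrypted reply XOR to the keystream for that IV, which then reads a later frame sent under the same IV but not one sent under a different IV. The key, IVs and data payload are constructed, and as a simplification frame 3 here encrypts only the challenge text.

```python
import os
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(data, rc4(iv + key, len(data)))


def ap_verify(key: bytes, iv: bytes, ciphertext: bytes, challenge: bytes) -> bool:
    """AP side of frame 3: decrypt, check the ICV, compare with the challenge."""
    data = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    body, icv = data[:-4], data[-4:]
    return icv == zlib.crc32(body).to_bytes(4, "little") and body == challenge


def monitor_keystream(challenge: bytes, ciphertext: bytes) -> bytes:
    """What a passive listener can compute from frame 2 and frame 3 alone."""
    return xor(challenge, ciphertext)


def demo() -> dict:
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")               # constructed 24-bit IV, sent in clear
    challenge = os.urandom(128)                # frame 2: sent unencrypted by the AP
    response = wep_encrypt(key, iv, challenge)  # frame 3: station's encrypted reply

    ks = monitor_keystream(challenge, response)  # no key needed for this step

    later = b"constructed data frame: GET /index.html HTTP/1.0"
    same_iv = wep_encrypt(key, iv, later)
    other_iv = wep_encrypt(key, bytes.fromhex("000001"), later)
    wrong = wep_encrypt(b"wrong", iv, challenge)  # station with a different key

    return {
        "ap_accepts_right_key": ap_verify(key, iv, response, challenge),
        "ap_accepts_wrong_key": ap_verify(key, iv, wrong, challenge),
        "keystream_matches": ks == rc4(iv + key, len(challenge)),
        "same_iv_read": xor(same_iv, ks)[:len(later)],
        "other_iv_read": xor(other_iv, ks)[:len(later)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With open authentication frames 2 and 3 do not exist, so the listener starts with ciphertext only.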
  #5  
Old 07-29-2004, 03:29 PM
sam1967@hetnet.nl
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

On Thu, 29 Jul 2004 21:19:20 GMT, "gary" <pleasenospam@sbcglobal.net>
wrote:

>
><sam1967@hetnet.nl> wrote in message
>news:j1gig09kucinuj000c96sapgv13am2rs2v@4ax.com...
>> I just read that - paradoxically - Open system is more secure than
>> Shared Key because the Shared Key can be sniffed and cracked (if you
>> pardon the expression).
>>
>> I am setting up a small home system and would assume that Shared Key
>> is a better option as it would prevent the next door neighbour (who is
>> almost certainly not a hacker capable of sniffing and entering) from
>> associating to the network.
>>
>> any thoughts on which is best for a small network ?
>>
>>
>>

>
>The difference is really pretty trivial. In shared-key authentication, the
>AP sends out a pseudo-random sequence of bytes, unencrypted. The station
>trying to associate must encrypt the string and send it back. The AP doesn't
>allow the association process to complete unless it recovers the original
>string by decrypting (which "proves" that the client is using the same WEP
>key). In open authentication, any station is allowed to associate. But if
>WEP is used, association is useless. You still have to encrypt correctly in
>order to exchange any IP packets. All you've really done is push
>authentication up to layer 3.
>
>The main problem with shared-key authentication is that it gives a hacker
>monitoring the network a free sample of a matched plaintext/codetext pair.
>At the very least it allows the hacker to recover the exact keystream used
>to encrypt that frame, which can then be directly used to decrypt the first
>several bytes of any subsequent frame using the same IV value. It is also a
>freebie first entry in a database that could eventually be used to recover
>the shared key. Also, the plaintext may give some insight into the
>pseudorandom algorithm used by the AP, which might also be used in
>encryption.


so what should i implement Open authentication or shared key ?

anyone care to comment on what they are using .

  #6  
Old 07-29-2004, 03:47 PM
gary
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key


<sam1967@hetnet.nl> wrote in message
news:71rig05jhouc7r36hqqgkasorgkqldnrh5@4ax.com...
> On Thu, 29 Jul 2004 21:19:20 GMT, "gary" <pleasenospam@sbcglobal.net>
> wrote:
>
> >
> ><sam1967@hetnet.nl> wrote in message
> >news:j1gig09kucinuj000c96sapgv13am2rs2v@4ax.com...
> >> I just read that - paradoxically - Open system is more secure than
> >> Shared Key because the Shared Key can be sniffed and cracked (if you
> >> pardon the expression).
> >>
> >> I am setting up a small home system and would assume that Shared Key
> >> is a better option as it would prevent the next door neighbour (who is
> >> almost certainly not a hacker capable of sniffing and entering) from
> >> associating to the network.
> >>
> >> any thoughts on which is best for a small network ?
> >>
> >>
> >>

> >
> >The difference is really pretty trivial. In shared-key authentication, the
> >AP sends out a pseudo-random sequence of bytes, unencrypted. The station
> >trying to associate must encrypt the string and send it back. The AP doesn't
> >allow the association process to complete unless it recovers the original
> >string by decrypting (which "proves" that the client is using the same WEP
> >key). In open authentication, any station is allowed to associate. But if
> >WEP is used, association is useless. You still have to encrypt correctly in
> >order to exchange any IP packets. All you've really done is push
> >authentication up to layer 3.
> >
> >The main problem with shared-key authentication is that it gives a hacker
> >monitoring the network a free sample of a matched plaintext/codetext pair.
> >At the very least it allows the hacker to recover the exact keystream used
> >to encrypt that frame, which can then be directly used to decrypt the first
> >several bytes of any subsequent frame using the same IV value. It is also a
> >freebie first entry in a database that could eventually be used to recover
> >the shared key. Also, the plaintext may give some insight into the
> >pseudorandom algorithm used by the AP, which might also be used in
> >encryption.

>
> so what should i implement Open authentication or shared key ?


Well, clearly I'm saying that shared-key offers no real advantage, and
offers a leg up to a hacker. Translation: use open authentication.

>
> anyone care to comment on what they are using .


I'm using open authentication.

>



  #7  
Old 07-29-2004, 06:25 PM
Lars M. Hansen
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

On Thu, 29 Jul 2004 20:40:15 +0100, sam1967@hetnet.nl spoketh

>>
>>Why would you assume that the opposite of what you stated one paragraph
>>up would be better?
>>

>is that an opinion or are you just blowing your nose - metaphorically
>speaking.
>
>I am confused as to why anyone would think an Open System was more
>secure than a Shared Key system but that is what the book says.
>
>care to contribute anything useful ?
>


Shared key authentication is supposed to keep unauthorized wireless
clients out, but as it turns out, it uses the encryption key as the
authentication key thus exposing your encryption key to anyone with a
wireless sniffer.

Using open authentication doesn't expose your encryption key like shared
key authentication does, so despite the fact that it should be the other
way around, open authentication is actually the better option of the
two...

Search www.wi-fiplanet.com for a nice article explaining it all in case
my nose blowing didn't do it for you...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
  #8  
Old 07-30-2004, 12:36 AM
Michael Schmidt
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

Hi,

sam1967@hetnet.nl schrieb:
> I just read that - paradoxically - Open system is more secure than
> Shared Key because the Shared Key can be sniffed and cracked (if you
> pardon the expression).
>
> I am setting up a small home system and would assume that Shared Key
> is a better option as it would prevent the next door neighbour (who is
> almost certainly not a hacker capable of sniffing and entering) from
> associating to the network.
>
> any thoughts on which is best for a small network ?


"Open System" is actually no authentication at all. "Shared Key" on all
WEP adapters (i.e. before "Wireless Protected Access" - WPA and probably
TKIP) is an authentication that exposes a clean text / cipher text pair
to an eavesdropper that can be used to help in subsequent attacks.
For that reason, most current (i.e. before WPA) adapters do not
implement the shared key message exchange anymore at all (even if shared
key is configured). WEP adapter producers realized after some time that
shared key authentication does more harm than it helps. In this case,
the shared key is only used as payload encryption key, but not as
authentication key.

The gist of it is:
If you have WPA, use full (shared key, "PreShared Key" - PSK in the
terms of WPA) authentication. This does not reduce your level of
security anymore. If you have WEP, it doesn't matter, since the
authentication message exchange isn't implemented at all (with most
adapters). If you have very old WEP adapters, use "Open System"
authentication.
If there is any chance, use WPA.


Hope this helps,

Michael


--
===========================================
Michael Schmidt
-------------------------------------------
Institute for Data Communications Systems
University of Siegen, Germany
-------------------------------------------
http: www.nue.et-inf.uni-siegen.de
e-mail: schmidt@nue.et-inf.uni-siegen.de
mobile: +49 179 7810214
===========================================
  #9  
Old 07-30-2004, 06:08 AM
sam1967@hetnet.nl
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

On Fri, 30 Jul 2004 08:36:06 +0200, Michael Schmidt
<NOSPAM_schmidt@nue.et-inf.uni-siegen.de> wrote:

>Hi,
>
>sam1967@hetnet.nl schrieb:
>> I just read that - paradoxically - Open system is more secure than
>> Shared Key because the Shared Key can be sniffed and cracked (if you
>> pardon the expression).
>>
>> I am setting up a small home system and would assume that Shared Key
>> is a better option as it would prevent the next door neighbour (who is
>> almost certainly not a hacker capable of sniffing and entering) from
>> associating to the network.
>>
>> any thoughts on which is best for a small network ?

>
>"Open System" is actually no authentication at all. "Shared Key" on all
>WEP adapters (i.e. before "Wireless Protected Access" - WPA and probably
>TKIP)


do i need a separate RADIUS server for WPA ?

  #10  
Old 07-30-2004, 07:56 AM
Lars M. Hansen
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

On Fri, 30 Jul 2004 13:08:18 +0100, sam1967@hetnet.nl spoketh

>
>do i need a separate RADIUS server for WPA ?


Not if you pick WPA-PSK. That uses a Pre-Shared Key for authentication
and dynamic, negotiated keys for encryption.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
  #11  
Old 07-30-2004, 08:22 AM
bumtracks
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

think I read and experimented with 'Shared
requires 4 keys on each end in matching order.
Won't work with just One key.
Would not 4 keys and their order need to be cracked ?

Perhaps all manufacturers have not implemented 'Shared in the same manner ?


<sam1967@hetnet.nl> wrote in message
news:qgkig052tuel1gl043g1lse6992ssla415@4ax.com...
> On Thu, 29 Jul 2004 15:33:09 -0400, Lars M. Hansen
> <badnews@hansenonline.net> wrote:
>
> >On Thu, 29 Jul 2004 19:24:23 +0100, sam1967@hetnet.nl spoketh
> >
> >>I just read that - paradoxically - Open system is more secure than
> >>Shared Key because the Shared Key can be sniffed and cracked (if you
> >>pardon the expression).
> >>
> >>I am setting up a small home system and would assume that Shared Key
> >>is a better option as it would prevent the next door neighbour (who is
> >>almost certainly not a hacker capable of sniffing and entering) from
> >>associating to the network.
> >>
> >>any thoughts on which is best for a small network ?
> >>

> >
> >Why would you assume that the opposite of what you stated one paragraph
> >up would be better?
> >

> is that an opinion or are you just blowing your nose - metaphorically
> speaking.
>
> I am confused as to why anyone would think an Open System was more
> secure than a Shared Key system but that is what the book says.
>
> care to contribute anything useful ?
>
>
>



  #12  
Old 07-30-2004, 09:06 AM
gary
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key


"bumtracks" <user@unknown.org> wrote in message
news:jQsOc.22$Je5.4@nwrddc03.gnilink.net...
> think I read and experimented with 'Shared
> requires 4 keys on each end in matching order.
> Won't work with just One key.
> Would not 4 keys and their order need to be cracked ?
>
> Perhaps all manufacturers have not implemented 'Shared in the same manner ?


Huh? You should never need to configure more than one WEP key, unless you
choose to maintain a list, in which case you have to configure all stations
with the same list, in the same order. In fact, using a list does not seem
to be possible with Window ZCF.

The definition of open vs shared-key authentication is part of the standard.
If a vendor offers a choice, they don't have the option of implementing it
in some non-standard way. At least, not if they pay the Wi-fi Alliance for
certification testing.

>
>
> <sam1967@hetnet.nl> wrote in message
> news:qgkig052tuel1gl043g1lse6992ssla415@4ax.com...
> > On Thu, 29 Jul 2004 15:33:09 -0400, Lars M. Hansen
> > <badnews@hansenonline.net> wrote:
> >
> > >On Thu, 29 Jul 2004 19:24:23 +0100, sam1967@hetnet.nl spoketh
> > >
> > >>I just read that - paradoxically - Open system is more secure than
> > >>Shared Key because the Shared Key can be sniffed and cracked (if you
> > >>pardon the expression).
> > >>
> > >>I am setting up a small home system and would assume that Shared Key
> > >>is a better option as it would prevent the next door neighbour (who is
> > >>almost certainly not a hacker capable of sniffing and entering) from
> > >>associating to the network.
> > >>
> > >>any thoughts on which is best for a small network ?
> > >>
> > >
> > >Why would you assume that the opposite of what you stated one paragraph
> > >up would be better?
> > >

> > is that an opinion or are you just blowing your nose - metaphorically
> > speaking.
> >
> > I am confused as to why anyone would think an Open System was more
> > secure than a Shared Key system but that is what the book says.
> >
> > care to contribute anything useful ?
> >
> >
> >

>
>



  #13  
Old 07-30-2004, 09:13 AM
gary
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key


"Michael Schmidt" <NOSPAM_schmidt@nue.et-inf.uni-siegen.de> wrote in message
news:2mu8dvFqt2deU1@uni-berlin.de...
> Hi,
>
> sam1967@hetnet.nl schrieb:
> > I just read that - paradoxically - Open system is more secure than
> > Shared Key because the Shared Key can be sniffed and cracked (if you
> > pardon the expression).
> >
> > I am setting up a small home system and would assume that Shared Key
> > is a better option as it would prevent the next door neighbour (who is
> > almost certainly not a hacker capable of sniffing and entering) from
> > associating to the network.
> >
> > any thoughts on which is best for a small network ?

>
> "Open System" is actually no authentication at all. "Shared Key" on all
> WEP adapters (i.e. before "Wireless Protected Access" - WPA and probably
> TKIP) is an authentication that exposes a clean text / cipher text pair
> to an eavesdropper that can be used to help in subsequent attacks.
> For that reason, most current (i.e. before WPA) adapters do not
> implement the shared key message exchange anymore at all (even if shared
> key is configured). WEP adapter producers realized after some time that
> shared key authentication does more harm than it helps. In this case,
> the shared key is only used as payload encryption key, but not as
> authentication key.


Do you mean these vendors no longer offer shared-key authentication as an
option? That sounds plausible. But if they continue to offer shared-key
authentication as a configuration option, how do they get away with simply
not implementing it? The standard defines exactly what these options mean,
and if you allow a user to select shared-key auth but don't implement it,
you are violating the standard. It's not like SSID hiding, which can be viewed
as a proprietary tweak to the standard - here, you are claiming to do
something which you are not doing. I don't see how such a vendor could get
certification, although I suppose it's possible the test suites don't cover
authentication.

>
> The gist of it is:
> If you have WPA, use full (shared key, "PreShared Key" - PSK in the
> terms of WPA) authentication. This does not reduce your level of
> security anymore. If you have WEP, it doesn't matter, since the
> authentication message exchange isn't implemented at all (with most
> adapters). If you have very old WEP adapters, use "Open System"
> authentication.
> If there is any chance, use WPA.
>
>
> Hope this helps,
>
> Michael
>
>
> --
> ===========================================
> Michael Schmidt
> -------------------------------------------
> Institute for Data Communications Systems
> University of Siegen, Germany
> -------------------------------------------
> http: www.nue.et-inf.uni-siegen.de
> e-mail: schmidt@nue.et-inf.uni-siegen.de
> mobile: +49 179 7810214
> ===========================================



  #14  
Old 07-30-2004, 10:44 AM
Michael Schmidt
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key

gary schrieb:
> "Michael Schmidt" <NOSPAM_schmidt@nue.et-inf.uni-siegen.de> wrote in message
> news:2mu8dvFqt2deU1@uni-berlin.de...
>
>>Hi,
>>
>>sam1967@hetnet.nl schrieb:
>>
>>>I just read that - paradoxically - Open system is more secure than
>>>Shared Key because the Shared Key can be sniffed and cracked (if you
>>>pardon the expression).
>>>
>>>I am setting up a small home system and would assume that Shared Key
>>>is a better option as it would prevent the next door neighbour (who is
>>>almost certainly not a hacker capable of sniffing and entering) from
>>>associating to the network.
>>>
>>>any thoughts on which is best for a small network ?

>>
>>"Open System" is actually no authentication at all. "Shared Key" on all
>>WEP adapters (i.e. before "Wireless Protected Access" - WPA and probably
>>TKIP) is an authentication that exposes a clean text / cipher text pair
>>to an eavesdropper that can be used to help in subsequent attacks.
>>For that reason, most current (i.e. before WPA) adapters do not
>>implement the shared key message exchange anymore at all (even if shared
>>key is configured). WEP adapter producers realized after some time that
>>shared key authentication does more harm than it helps. In this case,
>>the shared key is only used as payload encryption key, but not as
>>authentication key.

>
>
> Do you mean these vendors no longer offer shared-key authentication as an
> option? That sounds plausible. But if they continue to offer shared-key
> authentication as a configuration option, how do they get away with simply
> not implementing it? The standard defines exactly what these options mean,
> and if you allow a user to select shared-key auth but don't implement it,
> you are violating the standard. It's not like SSID hiding, which can be viewed
> as a proprietary tweak to the standard - here, you are claiming to do
> something which you are not doing. I don't see how such a vendor could get
> certification, although I suppose it's possible the test suites don't cover
> authentication.


I don't know about the latest status of the WEP-only cards - if there is
a relevant latest status at all:

The latest WLAN security standard is 802.11i (I guess there are no cards
available which are certified for it yet), and before there was WPA
(many current cards support it), which is a close subset of 802.11, and
before WPA there was TKIP, which is a subset of WPA.

802.11i and WPA and TKIP (I guess TKIP calls this feature the same)
offer PreShared Key (PSK) authentication, which is no more exposed to
the WEP shared key authentication security problem. These cards have
been out for at least one year now, so that all current cards should
support secure shared key authentication.

Other than that, I wouldn't rely too strictly on the fact that an
adapter that claims to be 802.11-compatible supports all mandatory
features of the standard. I guess certified cards will do.


Michael

--
===========================================
Michael Schmidt
-------------------------------------------
Institute for Data Communications Systems
University of Siegen, Germany
-------------------------------------------
http: www.nue.et-inf.uni-siegen.de
e-mail: schmidt@nue.et-inf.uni-siegen.de
mobile: +49 179 7810214
===========================================
  #15  
Old 07-30-2004, 11:58 AM
bumtracks
 
Posts: n/a
Default Re: AUTHENTICATION : Open System or Shared Key


"gary" <> wrote in > >

> Huh? You should never need to configure more than one WEP key, unless you
> choose to maintain a list, in which case you have to configure all stations
> with the same list, in the same order. In fact, using a list does not seem
> to be possible with Window ZCF.
>
>

Yep... all clients have to have four keys in the same order as AP otherwise
they don't even see the AP let alone connect to it.

