WPA PSK Cracking, a case for strong authentication

Last week, you may have read the headline "WPA Cracked!" or something to that effect. Just to clear things up now, it is not the overall standard that has been "cracked" but the simpler implementation of WPA called WPA PSK (Pre-Shared Keys). This really wasn't a surprise to the security community due to the general nature of PSK implementations, the difference now is that a weaponized form of this exploit has been released in to the wild. In actuality, two WPA Cracking tools were independently released last week. One toolcame from Takehiro Takahashi (a student at Georgia Tech) and the other tool came from Joshua Wright (author of ASLEAP). Both tools clearly illustrate the futility of the reliance on passwords or passphrases for authentication.

The WPA standard itself is fairly broad and covers Wireless LAN security for both the Enterprise and Home environments. PSK mode was really designed for the Home and Home Office environment where it was very unlikely that an Authentication infrastructure is in place to support a strong authentication protocol such as PEAP or TTLS. Well all that may change thanks to a very creative group from the College of Computing at Georgia Tech who formed TinyPEAP. The original group was comprised mainly of 2 recent alumni Brian Lee and Jim Gruen along with the guidance of Dr. Wenke Lee and Dr. Richard Lipton. Recently, they've added Takehiro Takahashi (mentioned above) to the teamwho is near graduation himself fromGeorgia Tech. TinyPEAP is a prototype Authentication server that is currently being tested as a plug-in on Linksys Wi-Fi gear. Rather than being satisfied with WPA PSK mode which has now beenprovento be susceptible to dictionary attacks, TinyPEAP allows the home user to implement the same type of strong security that was once exclusive to the Enterprise.I'll be keeping a close eye on this very exciting product and I'll be giving them lots of suggestions and feedback on this project so stay tuned!