In this good Information Security StackExchange question, the answers reveal that a long WPA2-PSK password does not degrade performance of the network. The reasoning is that the password itself is never transmitted, and the generated CMAC that is transmitted is always 128 bits (16 bytes).

Why then, are WPA2 passwords longer than 16 bytes more secure than WPA2 passwords of 16 bytes?

1 Answer

You state your CMAC is 128 bits, so in general you don't need a passphrase with more than 128 bits of entropy. However, if you choose a 16-character password (without picking the bytes completely randomly), the entropy isn't 128 bits, it's typically much less. E.g., if you chose randomly from 95 printable ASCII characters, you'd have about 105 bits of entropy (log2(95^16) ~ 105), which is about 8 million times weaker than a 128-bit entropy passphrase. If you didn't choose randomly, but say concatenated English words, the entropy would be much smaller; e.g., meaningful English has an entropy of about 2.6 bits per character (16*2.6 ~ 42 bits), which would be quite feasible to break in offline attacks.

If you want to remember a meaningful English phrase as your passphrase, it should probably be about 50 characters long (128 bits / 2.6 (bits/char) ~ 49.2). Or if you choose a diceware passphrase randomly from a dictionary with 6^5 = 7776 words in it (12.9 bits/word), then you need about 10 words to get to 128 bits.

So, to summarize, there is an upper limit to security when using a passphrase. E.g., there's no use having a 20-word diceware passphrase with a 128-bit CMAC (the entropy of the MAC maxes out at 128 bits); the 20-word passphrase won't be more secure than a 10-word one, but a 10-word diceware passphrase will be significantly more secure than a 3-word one (that, say, has 16 characters in it) with an entropy of about 39 bits.

EDIT: The primary key used in WPA2-PSK is the PMK (pairwise master key). This is derived from the pre-shared password and the name of the access point. The PMK is 256 bits (32 bytes) and is calculated via PMK = PBKDF2(HMAC-SHA1, preshared_password, salt=access_point_name, rounds=4096) (where PBKDF2 is password-based key derivation function 2, which in this case involves 4096 rounds of HMAC-SHA1).

If you somehow found a different password that generates the same PMK for an access point, you can connect to the access point, eavesdrop, and tamper with messages.

That said, in WPA2 you also derive a transient key (PTK) from the PMK and random nonces sent over during the four-way handshake. The PTK is 512 bits, parts of which are used for different purposes, but your traffic within a session is encrypted with a 128-bit transient key. (If you find the encryption-key part of the transient key you could decrypt traffic within one session, but that's it -- you wouldn't be able to sign traffic to tamper with it or create new sessions.)

dr jimbob
  • Thank you doc! So, if I am extrapolating your answer correctly, then for WPA2, any random password generated from the 95 printable ASCII characters should only be 20 characters long. More characters would provide no added benefit, and simply would take longer to type. Am I correct? – RockPaperLz- Mask it or Casket May 13 '19 at 18:30
  • Yes, more than 20 randomly selected printable characters would be overkill, as 95^20 (number of possible 20-character printable ASCII passwords) > 2^128 (number of potential 128-bit CMACs), assuming a 128-bit MAC. That is, if someone used a 30-character random password and attackers tried to brute force it, they would almost definitely find a ~20-character password that would generate the same 128-bit CMAC (for a given SSID). – dr jimbob May 13 '19 at 20:42
  • That said, the details of WPA2 aren't my expertise and I had assumed 128-bit (from your question), but checking ( https://www.ins1gn1a.com/understanding-wpa-psk-cracking/ ) I believe in construction of the PMK (pairwise-master-key) you generate a 256-bit key via PBKDF2 of the pre-shared key salted with the SSID's name. So you really max out passphrase security at 256 bits (32 characters). But in the real world, ~128 bits of entropy is already well out of the realm of practical brute force (at least until coherent quantum computers that can execute Grover's algorithm exist). – dr jimbob May 13 '19 at 20:51
  • Hmmm... you went well over my level of expertise there. But, if I'm (re)reading your comment correctly, it sounds like you're saying that, technically, more than 16 bytes is necessary to max out entropy. Although, *current* brute force hardware may not be fast enough, I would still like to have a theoretically correct answer to accurately understand the mechanics involved. – RockPaperLz- Mask it or Casket May 13 '19 at 21:22
  • @RockPaperLizard - Brute-forcing 2^128 work is unfeasible via conventional computation. If all 7 billion people on Earth managed a million computers (if each computer weighs 10g and each computer tried a billion unique combinations per second), it would take about a million years to break. That said, quantum algorithms can break a 128-bit MAC in 2^64 work (Grover's algorithm), but with public knowledge researchers are very far from the experimental technique needed to build such quantum computers (they would need clean qubits that maintain coherence through 2^64 steps, and wouldn't be able to easily parallelize). – dr jimbob May 14 '19 at 16:28
  • Thank you for the details. Although *very* interesting and thoughtful, I actually was referring to your comment that "...you really max out passphrase security at 256 bit[s]... (32 characters)". Does that mean it takes more than 128 bits (16 bytes) to max out entropy? If so, does your answer need updating? – RockPaperLz- Mask it or Casket May 14 '19 at 16:36
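A worked version of the entropy arithmetic in the answer and of the PMK derivation from the EDIT and the comment thread, as an added example that is not code from the original post. The 95-character alphabet, 2.6 bits/char and 7776-word Diceware list are the answer's figures; the PMK is computed with Python's standard hashlib, and the SSID/passphrase in the demo are constructed sample values.

```python
import hashlib
import math

# Figures quoted in the answer (taken as given, not measured here)
PRINTABLE_ASCII = 95           # characters 0x20..0x7E
ENGLISH_BITS_PER_CHAR = 2.6    # entropy of meaningful English text
DICEWARE_WORDS = 6 ** 5        # 7776-word Diceware list, ~12.9 bits/word
PMK_BITS = 256                 # WPA2-PSK PMK is 256 bits, so entropy caps there


def entropy_random_chars(length, alphabet_size=PRINTABLE_ASCII):
    """Bits of entropy for `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def entropy_english(chars):
    """Bits of entropy for `chars` characters of meaningful English."""
    return chars * ENGLISH_BITS_PER_CHAR


def entropy_diceware(words):
    """Bits of entropy for `words` words drawn uniformly from the Diceware list."""
    return words * math.log2(DICEWARE_WORDS)


def symbols_needed(target_bits, alphabet_size):
    """Smallest count of uniformly random symbols that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits(passphrase_bits):
    """Passphrase entropy beyond the 256-bit PMK buys nothing, so clamp it."""
    return min(passphrase_bits, PMK_BITS)


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2(HMAC-SHA1, passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


if __name__ == "__main__":
    print(f"16 random printable chars: {entropy_random_chars(16):.1f} bits")
    print(f"16 chars of English:       {entropy_english(16):.1f} bits")
    print(f"3 Diceware words:          {entropy_diceware(3):.1f} bits")
    print(f"chars for 128 bits: {symbols_needed(128, PRINTABLE_ASCII)}, "
          f"words for 128 bits: {symbols_needed(128, DICEWARE_WORDS)}")
    print(f"20 Diceware words count as {effective_bits(entropy_diceware(20)):.0f} bits")
    # Constructed sample SSID/passphrase; the PMK is always 32 bytes whatever the length
    print("PMK:", wpa2_pmk("correct horse battery staple", "HomeWiFi").hex())
```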