42

This is something that has been bugging me for quite some time: when I have a wifi access point with WPA2 encryption and I give out the key, how secure are the connections? With WEP you could easily decrypt all packets using the same key, but with WPA2 I'm not sure. Are all individual connections still secure?

So, this question is not about accessing the network, but about eavesdropping on individual wifi connections within the network.

Jonas
  • 5,163
  • 7
  • 33
  • 35
  • 1
    Relevant reading: http://security.stackexchange.com/questions/2214/free-wifi-password-protection-impact-on-security/2253#2253 – Iszi Nov 18 '11 at 06:53

4 Answers4

34

Anyone who witnesses the association process of a new client can eavesdrop on their connection.

As reassociations can be forced by a rogue host that sends a forged disassociation packet in the name of the target, it is practically always possible to listen in on all connections on a WPA(2) network with a preshared key.

You can even try it for yourself in Wireshark: There is a built-in option to decrypt all transmissions in the 802.11 settings; as long as you know the PSK and the initial authentication is contained in the recorded traffic, Wireshark decrypts it automatically for you.

The difference between WEP and WPA is that there is a different pairwise key (called the pairwise transient key) for every client, but as this key is always directly derived from the PSK, it doesn't really add any security at all. If you want that kind of security, you would have to use EAP and a RADIUS server (sometimes called "WPA enterprise), where the PMK is different for every client.

lxgr
  • 4,114
  • 3
  • 29
  • 37
  • How does it work for a sniffed traffic with multiple clients? You need to add initial keys for all of them? – Dog eat cat world Nov 03 '11 at 08:09
  • As long as the key echange is part of the collected packets and the PSK is known, it should work for an arbitrary number of clients. – lxgr Nov 03 '11 at 11:03
  • It is still a bit unclear to me. If PSK is known, you only need to collect key exchange for client A to decrypt client B's traffic? – Dog eat cat world Nov 03 '11 at 11:52
  • 2
    No, you need to collect the key exchange for all the clients you want to listen in on. The key exchange is where the pairwise master key is derived from the PSK. – lxgr Nov 03 '11 at 18:07
  • 3
    Correction: Actually it's the PTK (pairwise transient key) that is derived from the PMK during every authentication of a client. The PMK is just a hash of the PSK and the SSID. But it's still as I said above; it's enough to record the handshake and know the PSK to know all the keys between an AP and a client. – lxgr Nov 03 '11 at 19:03
13

To decrypt a captured connection using WPA2, you must:

  • Know the shared master key.
  • Witness the target client's last synchronization / association attempt before the data you're looking at.

WPA2 uses a key derivation method based on the shared PSK as described in RFC 4764 and your specific question is mentioned as a pitfall in section 8.10.

Effectively, you're protected from people who don't know the shared key (e.g., your neighbors) unless it is shamefully weak. Among those who do know the shared key, sniffing is only marginally more complex than with unencypted traffic.

Thus, "safe" is relative to what you're trying to protect against. If you're worried about other users who do know the passphrase sniffing your traffic, then pre-shared keys are insufficient for you.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • 2
    "_Diffie-Helman key exchange_" Really? – curiousguy Nov 04 '11 at 00:46
  • 2
    Whoopsie and a half... that's only in EAP-TLS... Diffie-Hellman exchange would actually have made what I said impossible. Fixing my answer... – Jeff Ferland Nov 04 '11 at 05:44
  • Actually, I'm wondering why the designers of 802.11 didn't use DH in WPA. It would require an active man-in-the-middle attack to recover the PTK, as opposed to just passive sniffing. Maybe they thought that it would just give users a false sense of security? – lxgr Nov 04 '11 at 10:32
  • 3
    The RFC basically hints that somebody thought keeping it simple would be the way to go. It's a shame because a DH exchange would have made every key independent and prevented this problem of somebody else with the password passively picking up the session. – Jeff Ferland Nov 04 '11 at 12:29
2

To be clear, everyone WHO KNOWS THE KEY can decrypt the data. Those who do not know the shared key cannot.

However, those who do not know the key can still set up a fake access-point.

The only completely "safe" way is setting up a RADIUS server that gives a unique password for every user, and which allows you to put a certificate on the client machine (notebook, iPad, etc.) that authenticates the WiFi access-point. If you do that, nobody (yet) knows how to do anything to hack into you.

Robert David Graham
  • 3,893
  • 1
  • 15
  • 14
  • 4
    Setting up a fake access point will not work. Since the clients are configured to use a network with WPA encryption, they will never associate with an access point that has no encryption or uses a different encryption key. In that respect, WPA-PSK provides mutual authentication between the client and the AP in addition to encryption. – lxgr Nov 02 '11 at 22:08
  • +1 to lxgr. Also, I wouldn't leave "Those who do not know the shared key cannot" as an unqualified statement. Since Wi-Fi traffic can be easily stored and worked on offline, any attacker with enough resources and patience may still be able to decrypt the packets - especially if they are protected with a weak PSK. – Iszi Nov 05 '11 at 01:45
0

if the key is the same for everyone on the network, anyone can decrypt and analyze anyone traffic.

Kedare
  • 129
  • 5