Hi Jonathan, With a simple protocol analyzer (Wireshark, OmniPeek, AirMagnet, CommView for Wi-Fi, etc), if you have the PSK that others are using, you can see their traffic in the clear if you capture their 4-way handshake. To do this, you need only deauthenticate them (spoof a deauthentication frame) from their AP. They will reauthenticate and do a 4-way handshake, which will allow them to see your traffic, provided your sniffing tool has this functionality (CommView for Wi-Fi has it built in).
Devin Yes, TKIP cannot be relied upon. The PSK isn't widely publicised, although it can't be assumed to be private. It's only given out to people who have paid for the games console service, authenticated and registered their console. I don't pretend for a second that this is a high-security solution, but it's all that the games consoles can do. It's a little better than using an open network, though. On 11/24/2010 07:41 PM, heath.barnhart wrote: > Wasn't TKIP broken recently? Don't remember for sure, but if it has, and > your PSK is public, then what security do you have? > Heath > On 11/24/2010 10:34 AM, Jonathan Gazeley wrote: >> Hi Bruce, >> We want to discourage use of the PSK network as much as possible. If >> it's too easy to use, people will probably start using their laptops >> with this instead of with the 802.1x network. >> An open network doesn't provide any barrier to entry, nor any >> encryption. Joe Public can wander past a student hall and sniff >> traffic, which may be personal/sensitive since lots of games consoles >> can now be used for Facebook, online purchases of Xbox points, etc. >> Using widely-known PSK is not ideal, but it helps. It keeps outsiders >> off, stops trivial sniffing of packets. Using TKIP, even if two users >> are authenticated with the same key, they won't be able to read each >> other's traffic in the clear. >> I also think it's pretty confusing if we are doing MAC authentication >> for registered console on an otherwise open network - it might look >> broken for users and cause confusion. >> Cheers, >> Jonathan >> On 24/11/10 12:15, Osborne, Bruce W wrote: >>> Jonathan, >>> We are just starting our migration from open/NAC network to 802.1x >>> with NAC. >>> For non-802.1X devices, what do you see as the advantages of WPA2-PSK >>> with a widely known key instead of open? >>> Obviously there is more work involved supporting the PAS, especially >>> when the key is changed. >>> Thanks, >>> Bruce Osborne >>> Wireless Design Engineer >>> Liberty University >>> -----Original Message----- >>> From: Jonathan Gazeley [mailto:[email protected]] >>> Sent: Tuesday, November 23, 2010 5:40 AM >>> Subject: Re: WPA2 Key Sharing >>> Hi Mike, >>> We use a WPA2-802.1x network wherever possible, but we do provide a >>> WPA2-PSK network for use with games consoles in halls of residence. >>> We built a home-grown system where a user has to register the MAC >>> address of their console in our web interface. The MAC is validated and >>> the user is given the WPA2 key on their screen. Only registered MAC >>> addresses can connect to the SSID. >>> We change the key once per academic year, since the vast majority of >>> students live in halls for just one year so it causes minimal >>> inconvenience to users. >>> Cheers, >>> Jonathan >>> ---------------------------- >>> Jonathan Gazeley >>> Systems Support Specialist >>> ResNet | Wireless& VPN Team >>> Information Services >>> University of Bristol >>> ---------------------------- >>> On 18/11/10 20:46, Hanson, Mike wrote: >>>> Hello, >>>> For those of you using WPA2 personal encryption on your wireless >>>> network, how do you provide the encryption key to your end users? And >>>> how often do you change the key? >>>> Thank you for your input. >>>> Mike Hanson >>>> Network Security Manager >>>> The College of St. Scholastica >>>> Duluth, MN 55811 >>>> [email protected]<mailto:[email protected]> >>>> ********** Participation and subscription information for this EDUCAUSE >>>> Constituent Group discussion list can be found at >>>> http://www.educause.edu/groups/. >>> ********** >>> Participation and subscription information for this EDUCAUSE >>> Constituent Group discussion list can be found at >>> http://www.educause.edu/groups/. >>> ********** >>> Participation and subscription information for this EDUCAUSE >>> Constituent Group discussion list can be found at >>> http://www.educause.edu/groups/. >> ********** >> Participation and subscription information for this EDUCAUSE >> Constituent Group discussion list can be found at >> http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
