Saturday, June 16, 2007

Configuring a Wifi Network with WPA using WPA_GUI

For some configuring wpa_supplicant may be a bit complicated, like identifing the rigth kind off key, etc.
Sometimes people have to use aplications like frontends to configure it's acess to a network.
This package (wpa_gui) is one off those frontends.

By default this package detects the wifi networks and you have to configure the
every time you want to use the network, which is not very practical.

You can also use it to configure wpa_supplicant.conf, but first you have to edit or create the /etc/wpa_supplicant.conf file, like this (remove the text after the #):


ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0 #the group thats used by default (root)
eapol_version=2 #generaly it's 1 but here we have 2 because we are using wpa2 which is safer

#eapol is the package that it's used at the start off the client's session

update_config=1 #this is the line that allows you to configure wpa_supplicant.conf using wpa_gui
network={
ssid="any"
key_mgmt=NONE
priority=2
}

network={
ssid="my-network"
psk="my-password"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
}


Now you run the following command:

$ sudo wpa_supplicant -Dwext -ieth1 -c /etc/wpa_supplicant.conf -B

change the interface from eth1 to the interface you are using (ex: ath0, ra0, wlan0, etc.) to connect yourself to the wifi network.

Now that wpa_supplicant is running , to configure it using wpa_gui (Gui), just run the folowing command:

$ sudo wpa_gui

Now you should see the wpa_gui interface, now just go to File | Edit Network to edit one of the networks wpa_supplicant.conf, with the data off the network you want to conect.

You can also add a new network on File | Add Network or use scan and then then select the one off the detected networks and configure it.

To delete a network you have to edit wpa_supplicant.conf, you can do it by using vi or any other editor, you use vi execute the following comand:

$sudo vi /etc/wpa_supplicant.conf

if you want to use another editor replace 'vi' with the name of the editor you want.


based on a post by d4rksh3ll at http://www.tux-linux.net

---------------------------------------------------------
Here´s some information on WPA so that you now a a bit more what you are doing.

Wi-Fi Protected Access (WPA and WPA2) is a class of systems to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security, with two significant issues:

Either WPA or WPA2 must be enabled and chosen in preference to WEP. WEP is usually presented as the first security choice in most installation instructions.
In the "Personal" mode, the most likely choice for homes and small offices, a passphrase is required that, for full security, must be longer than the typical 6 to 8 character passwords users are taught to employ.
Contents

1 History
2 WPA2
3 Security in pre-shared key mode
4 EAP types under WPA- and WPA2- Enterprise
5 See also
6 Notes



1 History

WPA was created by the Wi-Fi Alliance, an industry trade group, which owns the trademark to the Wi-Fi name and certifies devices that carry that name.

WPA is designed for use with an IEEE 802.1X authentication server, which distributes different keys to each user; however, it can also be used in a less secure "pre-shared key" (PSK) mode, where every user is given the same pass-phrase. The design of WPA is based on a Draft 3 of the IEEE 802.11i standard.

The Wi-Fi Alliance created WPA to enable introduction of standard-based secure wireless network products prior to the IEEE 802.11i group finishing its work. The Wi-Fi Alliance at the time already anticipated the WPA2 certification based on the final draft of the IEEE 802.11i standard, therefore the tags on the frame fields (Information Elements or IEs) are intentionally made different from 802.11i to avoid the confusion in unified WPA/WPA2 implementations.

Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used. When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.

In addition to authentication and encryption, WPA also provides vastly improved payload integrity. The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key. A more secure message authentication code (usually known as a MAC, but here termed a MIC for "Message Integrity Code") is used in WPA, an algorithm named "Michael". The MIC used in WPA includes a frame counter, which prevents replay attacks being executed.

By increasing the size of the keys and IVs, reducing the number of packets sent with related keys, and adding a secure message verification system, WPA makes breaking into a Wireless LAN far more difficult. The Michael algorithm was the strongest that WPA designers could come up with that would still work with most older network cards. Due to inevitable weaknesses of Michael, WPA includes a special countermeasure mechanism that detects an attempt to break TKIP and temporarily blocks communications with the attacker.



2 WPA2

Main article: IEEE 802.11i
WPA2 implements the mandatory elements of 802.11i. In particular, in addition to TKIP and the Michael algorithm, it introduces a new AES-based algorithm, CCMP, that is considered fully secure. Note that from March 13, 2006, WPA2 certification is mandatory for all new devices wishing to be Wi-Fi certified.

Vendor support:

Official support for WPA2 in Microsoft Windows XP was rolled out on 1 May 2005. Driver upgrades for network cards may be required.
Apple Computer supports WPA2 on all AirPort Extreme-enabled Macintoshes, the AirPort Extreme Base Station, and the AirPort Express. Firmware upgrades needed are included in AirPort 4.2, released July 14, 2005.



3 Security in pre-shared key mode

Pre-shared key mode (PSK, also known as personal mode) is designed for home and small office networks that cannot afford the cost and complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits).[1] If you choose to use the ASCII characters, a hash function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits (using also the SSID). The passphrase may be stored on the user's computer at their discretion under most operating systems to avoid re-entry. The passphrase must remain stored in the Wi-Fi access point.

Security is strengthened by employing a PBKDF2 key derivation function. However, the weak passphrases users typically employ are vulnerable to password cracking attack. The threat of password cracking can be mitigated by using a passphrase of at least 5 Diceware words or 14 completely random letters with WPA and WPA2.

Maximum WPA-PSK protection (256 bit) requires a key consisting of 54 random letters or 39 random ASCII characters.

Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new Wi-Fi adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart). The Wi-Fi Alliance has standardized these methods in a program called Wi-Fi Protected Setup (formerly Simple Config).



4 EAP types under WPA- and WPA2- Enterprise

The Wi-Fi alliance has announced the inclusion of additional EAP (Extensible Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.

The EAP types now included in the certification program are:

EAP-TLS (previously tested)
EAP-TTLS/MSCHAPv2
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
EAP-SIM
Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks.



5 See also

WPS — A standard for easy and secure establishment of a wireless home network with WPA(2)
WAPI — Chinese National Standard for wireless LAN security.
tinyPEAP — A small-footprint RADIUS server designed to load into a wireless access point
FreeRADIUS - A free open source RADIUS server
Radiuz — A "cooperative WiFi network" that provides free RADIUS service for WPA-Enterprise compatible routers
SecureEasySetup — A technology developed by Broadcom to easily set up wireless LANs with WPA
Internet Authentication Service (IAS) Microsoft's Radius server that ships as part of Windows 2000 Server and Windows 2003 Server



6 Notes

^ Each character in the pass-phrase must have an encoding in the range of 32 to 126 (decimal), inclusive. (IEEE Std. 802.11i-2004, Annex H.4.1)
The space character is included in this range.


Taken from wikipedia at: http://en.wikipedia.org/wiki/WPA2 on 17/06/07

1 comment:

Unknown said...
This comment has been removed by a blog administrator.