Saturday 26 June 2010

Is Wifi encryption safe, can people see what you're doing?

Can other people on an encrypted Wi-Fi AP see what you're doing? - Super User

Yes, with WEP encryption it's super simple. Everything's encrypted with the key you needed to know to get on the network. Everyone on the network can decode everyone else's traffic without even trying.

With WPA-PSK and WPA2-PSK, it's a little trickier, but not too hard. WPA-PSK and WPA2-PSK encrypt everything with per-client, per-session keys, but those keys are derived from the Pre-Shared Key (the PSK; the key you have to know to get on the network) plus some information exchanged in the clear when the client joins or re-joins the network. So if you know the PSK for the network, and your sniffer catches the "4-way handshake" another client does with the AP as it joins, you can decrypt all of that client's traffic. If you didn't happen to capture that client's 4-way handshake, you can send a spoofed de-authenticate packet to the target client (spoofing it to make it look like it came from the AP's MAC address), forcing the client to fall off the network and get back on, so you can capture its 4-way handshake this time, and decrypt all further traffic to/from that client. The user of the machine receiving the spoofed de-auth probably won't even notice that his laptop was off the network for a split second. Note that NO man-in-the-middle hassle is necessary for this attack. The attacker just has to capture a few specific frames at the time the target client (re-)joins the network.

With WPA-Enterprise and WPA2-Enterprise (that is, with 802.1X authentication instead of using a Pre-Shared Key), all the per-client per-session keys are derived completely independently, so there's no possibility of decoding each others' traffic. An attacker would either have to sniff your traffic on the wired side of the AP, or possibly set up a rogue AP in the hope that you'll ignore the bogus server-side certificate the rogue AP would send, and join the rogue AP anyway.
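To see why the PSK point above holds, here is the WPA2-PSK key derivation from IEEE 802.11i written out as an added example (not part of the Super User answer): the PMK comes only from the passphrase and SSID, and the per-client PTK comes from the PMK plus the two MAC addresses and two nonces that the 4-way handshake sends in the clear. The MAC addresses and nonces below are constructed sample values.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every station on the network shares this value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter) blocks,
    concatenated and truncated to 64 bytes (TKIP PTK; CCMP uses the first 48)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the four cleartext handshake values.
    Nothing here is secret except the PMK, so anyone holding the PSK who
    saw the handshake can compute the same PTK as the client and the AP."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def split_ptk(ptk: bytes) -> dict:
    """KCK (handshake MIC key), KEK (GTK wrapping key), TK (data traffic key)."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed sample handshake values (not from any real capture).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def client_tk(passphrase: str, ssid: str) -> bytes:
    """Traffic key as the joining client computes it."""
    pmk = derive_pmk(passphrase, ssid)
    return split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))["TK"]


def other_station_tk(passphrase: str, ssid: str) -> bytes:
    """Same key, computed by any other station that knows the PSK and
    observed the handshake; the only inputs are public plus the shared PSK."""
    return client_tk(passphrase, ssid)
```

With 802.1X the PMK is produced per client by the EAP exchange instead of from a shared passphrase, which is the step that breaks this equality for WPA-Enterprise.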