Open vs Shared-Key Authentication - Which is best? - Wi-Fi Planet Forums

Wildcats · #1 08-29-2003, 10:49 AM

I need to chose to implement either Open or Shared-Key authentication our our access points. Granted, I should use something else (EAP?), but I have no choice in this case.

Open auth is subject to DoS attacks, since the AP could be overloaded with "associations".

Shared-key auth suffers from sending both plain-text AND cipher text during the authetication process. Someone with enough time and CPU power could use these two pieces of info to obtain the WEP key. We may be talking NSA's capabilities in this case, not simply a person using WEPCrack! WEPCrack exploits a different weakness.......

I like the idea of shared-key auth, since it will allow me to see authentication failures in my logs (from people that have no WEP key or the incorrect WEP key). I can then track them down (?). However, there is an outside chance that the WEP key(s) could be compromised, as it appears that no encrpytion algorithm is perfect.

Your thoughts?

dot11guru · #2 08-29-2003, 11:18 AM

Every WLAN is open to Denial of Service (DoS) attacks. There's not much of anything you can do to prevent that except eliminate the source of the attack.

Given that, Shared Key Authentication is not a good idea IMO because of the clear text.

Aiakos · #3 08-30-2003, 01:32 PM

dot11guru is right ANY wlan can be DoSed, just get a 2.4 GHz cordless phone hand set and hide it in a desk.

Shared Key is vulnerable because the AP sends out a challenge in plain text, then the client replies with an encrypted version. If someone were able to intercept these they could compare them and deduce the key.

I have not done any research into this but I do not know of any tools that perform this comparision. For this reason I would say Shared Key has some merrits in a home network.

mvario · #4 08-30-2003, 03:30 PM

as long as you are using mandatory WEP for encryption you don't really gain any security by using shared key authentication, since packets won't be passed if the client doesn't have the WEP key. And as others have said, with shared key, during the authentication process, the some data is excahnged in both encrypted and plaintext form making it easier to crack. "Best practices" is to use open authentication.