Forum

PSK strength

26 posts by 10 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: July 1, 2011:
  • Hi. Does anyone know if using a 63 character ASCII passphrase for WPA2-PSK would cause any problems as opposed to using a much shorter key? Like taking up the AP's resources, for example. Also, do longer keys require more packets than short keys? If so, what's an ideal length?

  • Don't confuse passphrases with keys, or for that matter passphrase lengths with key lengths.

    Keys get produced from the passphrases, and are always the same length. The catch is that longer/better passphrases will produce "better" keys (and be harder to guess).

    Look up how "rainbow tables" and default router parameters can be used to hack wireless networks.

    PS: I believe that the currently recommended passphrase minimum length is 20 characters, and something not found in ANY dictionary.

    I once made a customer's passphrase "Idonthavewingsbutmyairplanehas2".

  • I was confusing passphrases and keys, thanks! So the passphrase is never sent across the air, only the key that is generated from it?

  • Correct.

    And it's mixed with other elements to make it a connection-dependent key. Multiple devices may use the same passphrase, but each connection pair will have different encryption keys.

  • The passphrase-PSK mapping formula is used to change an 8-63 character ASCII passphrase to a 256-bit PSK, which is used as a PMK to generate encryption keys.

    Passphrase (8-63 character ASCII ) ------->256 bit PSK ------> 256 bit PMK-------->PTK

    Remember wlanman's sentence: "The catch is that longer/better passphrases will produce "better" keys. (and be harder to guess)."

  • I think I saw a calculation once on the time taken for a computer to crack passphrases and it was something ridiculous once you got above a certain number of characters; longer = better.

  • Thanks everyone! I'm troubleshooting an issue where, ever since I added a WLAN to the controller-based APs that uses a 63 char passphrase for WPA2-PSK, devices on a different WLAN (using WPA2, 802.1x PEAP) are having intermittent connectivity problems in multiple locations. I'm wondering if maybe the new PSK WLAN is taking up the APs/controller resources to the point where the EAP conversations are timing out.

    Prior to this new WLAN, the other WLANs were only using WPA2 802.1x or Open auth. When I added the PSK WLAN I disabled another so there are the same number of WLANs as there were before the problem started.

  • I've heard that some Macs will only support a 62 char passphrase.

    As far as connectivity issues, the passphrase has nothing to do with intermittent connectivity. It's either right, or wrong.

    As a side note, how many devices do you have on this PSK network?

    GT

  • Just fishing, but for the heck of it:

    1. What types of devices are the clients?
    2. What channels are you using, and are you having co-channel interference issues?
    3. What are your WPA key refresh settings?

    And are your WLANs truly separate LANs, or do they share subnets or VLANs?

  • @GTHill - currently only 20 test devices, potentially 350 in the future. In case you're wondering, I have the ability to change the passphrases with remote management software.

    @Wlanman -
    1. handheld computers for barcode scanning
    2. 1, 6, 11. Yes, there is definitely co-channel interference with omni antennas in the warehouses. I often see channel utilization up around 50-70%. Channels are set dynamically. We still have all data rates enabled, so beacons travel far. I had a demo of AirMagnet WiFi Analyzer running a couple weeks ago and it showed over 99% of traffic was 1 Mbps.
    3. I'm not sure where this is configured, but we have the WLAN "Session timeout" set to 8 hours. Is this the same thing?
    Most WLANs are on separate virtual interfaces and VLANs. There are 2 that share the same, out of 9 WLANs.

    thank you,
    Andy

Page 1 of 3