[MLB-WIRELESS] /dev/random WEP Keygen webpage

Grant Diffey nevyn-wlan at artificial-stupidity.net
Thu May 8 16:05:06 EST 2003


On Thu, May 08, 2003 at 03:20:31PM +1000, Jason Hecker wrote:
> I slapped together a page that generates 64, 128 and 256 bit WEP keys from 
> the server's /dev/random stream, so it doesn't use any pseudorandom keygen 
> like most other stuff (webpages and the like) seem to.
Using a webpage to generate your WEP key is just such a
mind-bogglingly stupid idea it's difficult to know where
to start.

At the most basic level, you're generating a secret
over an untrusted network using an untrusted protocol
with who knows how many caches and such.

Not to mention that you're trusting the remote end
not to store the key anywhere.


To put it in perspective, if someone offered a service
to generate you a random PIN to go with your banking
service, would you use it?



> 
> Lemme know what youse think and if it's buggy at all.
The concept is broken by design.

Even though WEP is broken by design, there's no need to
break it further with bad security practices.


-- 
Grant Diffey aka "nevyn"

President of Computerbank Australia Inc.
http://www.computerbank.org.au/