On Fri, 2004-11-05 at 08:30, Dan Williams wrote:
> > Shared Key auth is worse than no authentication/encryption at all.
> > Anyone with a clue will be using Open System. I don't think we should
> > put too much effort into making Shared Key easy to use.
>
> Charles,
>
> Why is it so much worse?

Basically, apparently you can crack the encryption just by listening in on the handshake (as far as I have understood you get the plaintext challenge going across in one direction and then the same thing encrypted sent in the other direction - an absolute boon for code cracking, since WEP apparently is sensitive to known-plaintext attacks) instead of having to process many GB of data (well, you might not need that much for the 40/64-bit version, but 128-bit WEP does take a fair bit of data collecting to crack as far as I have understood).

> Also, did you read my explanation of how it's much much harder with Open
> System to figure out if the WEP key is wrong? That's the big sticking
> point here. If we can't automatically detect whether the WEP key is
> wrong or not (and waiting 30s for a failed DHCP certainly isn't
> "automatic"), then we might as well not even try to improve on the
> current system-config-network.

I totally disagree with you here, I think that getting quick feedback on whether the WEP key you typed in (once!) is an utterly minor feature compared to automatic network switching to work once you have plugged in the right WEP key.

Seriously, don't take everything Apple does in networking as gospel, there are some things in wireless that Macs get _all wrong_! When connecting through the access point in my lab, sometimes the DHCP server is kind of slow (it might take at least several seconds to respond when traffic is heavy). Occasionally, for no obvious reason, the Macs that some people have just refuse to pick up IP addresses. They are able to get onto the network when you force a static IP.
I haven't gotten very far in my troubleshooting since this is so erratic, but my current suspicion is that in addition to Apple also uses the rather ugly trick of timing out DHCP requests after pretty much no time at all to get quick response times. Please, please, please don't go there, I'd rather wait a few seconds to get an IP address than be completely dead in the water! (I realize that doing something this stupid probably hasn't even crossed your mind, please just see it as an example of how the Apple guys sometimes are a bit too fundamentalist in their quest for user friendliness.)

/Per

--
Per Bjornsson <perbj@xxxxxxxxxxxx>
Ph.D. Candidate, Department of Applied Physics, Stanford University
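
An added example, not part of the original message: a small model of the Shared Key handshake discussed above, showing that the cleartext challenge and the WEP-encrypted response together expose the RC4 keystream for that IV without the key being used. The key, IV, function names and the simplified frame body layout are all constructed assumptions.

```python
import os
import struct
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def response_plaintext(challenge: bytes) -> bytes:
    """Simplified body of handshake frame 3: algorithm=1 (Shared Key),
    sequence=3, status=0, challenge element (ID 16), then the CRC-32 ICV."""
    body = struct.pack("<HHH", 1, 3, 0) + bytes([16, len(challenge)]) + challenge
    return body + struct.pack("<I", zlib.crc32(body))

def station_response(wep_key: bytes, iv: bytes, challenge: bytes):
    """The station's side: encrypt the response under RC4(IV || key)."""
    pt = response_plaintext(challenge)
    return iv, xor(pt, rc4_keystream(iv + wep_key, len(pt)))

def observed_keystream(challenge: bytes, iv: bytes, ciphertext: bytes):
    """The listener's side: every plaintext byte is predictable from the
    cleartext challenge, so plaintext XOR ciphertext is the keystream."""
    return iv, xor(response_plaintext(challenge), ciphertext)

def demo():
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")        # constructed 24-bit IV, sent in clear
    challenge = os.urandom(128)         # frame 2: challenge sent in clear
    iv_seen, ct = station_response(key, iv, challenge)
    _, leaked = observed_keystream(challenge, iv_seen, ct)
    # Compare against the real keystream; only this check touches the key.
    return leaked == rc4_keystream(iv + key, len(leaked)), len(leaked)

if __name__ == "__main__":
    print(demo())
```

What the listener obtains in this model is 140 bytes of keystream tied to that one IV; the code does not recover the WEP key itself.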