Wpa

up2thetime · May 2010

Hey there... I thought i had the whole encryption and authentication thing figure out, but it looks like i dont...

Heres what happened...I was playing around with my wireshark and trying to understand all the information contained in packet captures. While my capture was running, i sent an email from my email client (Outlook). I found the info in wireshark, and did "Follow Tcp Stream". As it turns out I was able to view the email in wireshark including my email address, the recipients address, AND the entire content of the message...

So this means that other people around me could capture this same info?

What i really wanna know is, why wasn't it encrypted between me and the AP since my home router is set to WPA?

Thanks in advance!

dynamik · May 2010

It was encrypted. WPA is a layer-2 protocol, and you followed a layer-4 (TCP) protocol. You'd need to use something like SSL or TLS to encrypt that.

Try to sniff the wireless traffic from another machine when you send your email from that machine and see what the results are.

up2thetime · May 2010

dynamik wrote: »

It was encrypted. WPA is a layer-2 protocol, and you followed a layer-4 (TCP) protocol. You'd need to use something like SSL or TLS to encrypt that.

Try to sniff the wireless traffic from another machine when you send your email from that machine and see what the results are.

Hey thanks for the reply dynamic. I understand now...so it was only encrypted at layer 2. But that leads me to another question:

What is the point of encrypting at layer 2, when someone who might be sniffing around me is able to capture my email packets and follow the layer 4 stream....? Being able to follow the TCP stream kinda of defeats the purpose of encryption in the first place.

I will try sniffing while sending an email from another machine...just don't have another machine with a wireless nic available. But I suspect it would work in a similar fashion, correct? I would be able to sniff the traffic sent from the alternate machine, and then follow the TCP stream to identify the message contents.

I know encryption has surely accounted for this...so I know that I am missing something...just not sure what...

tiersten · May 2010

up2thetime wrote: »

What is the point of encrypting at layer 2, when someone who might be sniffing around me is able to capture my email packets and follow the layer 4 stream....? Being able to follow the TCP stream kinda of defeats the purpose of encryption in the first place.

1. You may be using protocols that aren't encrypted like POP3 without TLS/SSL.
2. You may be sharing the WiFi with people you don't trust but they do know the WiFi passwords.
3. You may not want random people using your unsecured WiFi since unencrypted WiFi anybody can use.
4. What is the point of locking your front door when you've got a safe to protect your valuables? :P

alan2308 · May 2010

up2thetime wrote: »

Hey thanks for the reply dynamic. I understand now...so it was only encrypted at layer 2. But that leads me to another question:

What is the point of encrypting at layer 2, when someone who might be sniffing around me is able to capture my email packets and follow the layer 4 stream....? Being able to follow the TCP stream kinda of defeats the purpose of encryption in the first place.

I will try sniffing while sending an email from another machine...just don't have another machine with a wireless nic available. But I suspect it would work in a similar fashion, correct? I would be able to sniff the traffic sent from the alternate machine, and then follow the TCP stream to identify the message contents.

I know encryption has surely accounted for this...so I know that I am missing something...just not sure what...

You're sniffing traffic on the same laptop sending packets to the AP? You're seeing traffic before its encrypted. If you sniff that same traffic on another computer, it will be encrypted.

dynamik · May 2010

up2thetime wrote: »

What is the point of encrypting at layer 2, when someone who might be sniffing around me is able to capture my email packets and follow the layer 4 stream....? Being able to follow the TCP stream kinda of defeats the purpose of encryption in the first place.

I will try sniffing while sending an email from another machine...just don't have another machine with a wireless nic available. But I suspect it would work in a similar fashion, correct? I would be able to sniff the traffic sent from the alternate machine, and then follow the TCP stream to identify the message contents.

WPA will encrypt the wireless traffic between your machine and the WAP. The entire purpose of WPA is to encrypt wireless traffic, so you're not just blasting unencrypted traffic across the airwaves for anyone to capture.

If you want end-to-end encryption, you're going to need to use network or transport-layer encryption, such as IPSec, SSH, SSL, etc. Since WPA is only encrypting traffic to the WAP, the use of insecure protocols (Telnet, HTTP, POP, etc.) will result in unencrypted traffic between the WAP and the destination.

This is why it's important to realize the extent of the protection offered by the encryption you're using. You could be "securely" transmitting information between yourself and the WAP, but the owner of the WAP could be capturing all your traffic between the WAP and the destination. Is the information you're transmitted still encrypted at that point? Maybe, maybe not. It depends on the higher protocols you're using.

Someone eavesdropping on your WPA-encrypted traffic will not be able to follow the TCP stream since anything higher than layer-2 will be encapsulated, encrypted, and transmitted at layer-2. You might want to review how data flows up and down the OSI model.

Wpa

Comments