wrt54g ssid broadcast disabled

Lucia Di Occhi saint_lucy
Wed Nov 2 18:20:24 PST 2005


Thank you for your reply.  I did get it to work using only TKIP in the 
config and removing CCMP, but I am curious about the statement you made 
about AES-CCMP.  My router, the WRT54G, supports Security Mode WPA2-Personal 
and two encryption algorithms:

TKIP+AES
AES

The router is configured for WPA2 and TKIP+AES but you are saying that 
AES-CCMP is more secure.  So my question is: what is the difference between 
the two encryption options offered by the Linksys WPA2 security mode, which 
one is deemed more secure and why?

Since my wpa_supplicant.conf now reads:
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP
        group=TKIP
what am I really using?  Is it WPA instead of WPA2 even if the AP is set for 
WPA2?

Thanks.

>From: Bryan Kadzban <bryan at kadzban.is-a-geek.net>
>To: hostap at shmoo.com
>Subject: Re: wrt54g ssid broadcast disabled
>Date: Sun, 30 Oct 2005 17:52:30 -0500
>
>Lucia Di Occhi wrote:
> > Is there any configuration/workaround to connect to a wrt54g v3.1
> > latest firmware with disabled ssid broadcast?  I am using the
> > ndiswrapper driver.
>
>Sure; check the sample config file, specifically the section on ap_scan.
>The ndiswrapper driver does support the required mode.  ;-)
>
> > Spare me the talk about disabling SSID Broadcast when using WPA which
> > is secure, etc., etc.:-)
>
>Yes, WPA is "secure", so removing the SSID doesn't add much.  (Actually
>WPA and TKIP are only an interim measure; the long-term fix is to move
>to WPA2 and AES-CCMP.  TKIP wouldn't include countermeasures that get
>invoked when a MIC check fails, if it was a long-term fix.  AES-CCMP
>doesn't include these countermeasures, because it doesn't need them.)
>
>But you should know that removing the SSID IE from the beacons wouldn't
>give you anything anyway, even with 40-bit WEP.  The beacons still go
>out (they have to, otherwise the supplicant would not know whether the
>AP matched its security configuration, or whether a downgrade attack was
>happening), and the association-request/association-response frames
>include the SSID anyway.  So anyone listening while an association
>happened would still know the SSID.
>
>But, if you still want to turn the SSID off, look at the sample config
>file, in the ap_scan section, as above.


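The settings discussed in this thread, laid out as an added example (not taken from the messages above or from the wpa_supplicant project's own files): a wpa_supplicant.conf for an AP with SSID broadcast disabled, with a WPA2/AES-CCMP network block beside the WPA/TKIP block quoted in the message. The SSID and passphrase are constructed placeholders, and the example assumes the AP is set to WPA2 with the AES-only option, so that both pairwise and group ciphers are CCMP.

```conf
# Constructed example; ssid and psk values are placeholders.

# ap_scan=2 lets the driver pick the AP from the SSID and security
# policy, the mode the sample config describes for ndiswrapper/NDIS
# drivers and hidden SSIDs. In this mode network blocks are tried one
# by one, and each block should name exactly one value for proto,
# key_mgmt, pairwise and group.
ap_scan=2

# Preferred block: WPA2 with AES-CCMP.
# proto=RSN selects WPA2 / IEEE 802.11i ("WPA2" is accepted as an
# alias for RSN). CCMP has no MIC-failure countermeasures to trigger.
network={
    ssid="example-ssid"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk="placeholder-passphrase"
    priority=2
}

# Block with the settings from the message: proto=WPA restricts the
# supplicant to WPA (the interim, pre-802.11i-final protocol), and
# both cipher lists allow only TKIP. This block never negotiates
# WPA2 or CCMP, whatever else the AP offers.
network={
    ssid="example-ssid"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    group=TKIP
    psk="placeholder-passphrase"
    priority=1
}
```

With ap_scan=1 instead, the equivalent knob for a non-broadcast SSID is scan_ssid=1 inside the network block, which makes the supplicant send SSID-specific probe requests.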




