Bug 120843

Summary: Clear key storage is security problem
Product: [Fedora] Fedora
Reporter: Sepehr <skiani>
Component: kernel
Assignee: Arjan van de Ven <arjanv>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 1
CC: alan, redhat-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-03 00:56:26 UTC

Description Sepehr 2004-04-14 14:10:46 UTC
Description of problem:
I filed a bug under the redhat-config-network but it was rejected because it
appears to belong here (see issue 20731). Basically our corporate
systems person refuses to set up my wireless because as he puts it she
puts it she could lose her job. Main reason is that the WEP key is a
highly guarded code here. If they set up my laptop I can see the key
just by opening any of the wireless network configuration utilities
or just running iwconfig as root. Since root access is required for me
and others to do our work this is a serious security problem.
Therefore, the WEP key must be encrypted on the system as it is in
other OSes.

Comment 1 Bill Nottingham 2004-04-14 19:50:58 UTC
If you're root, you'll always be able to get it.

Comment 2 Sepehr 2004-04-14 20:49:31 UTC
Not true!! If you do one-way encryption like the /etc/passwd file it
is very secure. Look at:

http://www.hack.gr/users/atlantis/unixpasswd.html

WEP keys need to be kept even more secure than you do passwords.

Comment 3 Bill Nottingham 2004-04-14 21:10:43 UTC
You may want to read:

http://wepcrack.sourceforge.net/

http://airsnort.shmoo.com/



Comment 4 Sepehr 2004-04-15 20:19:06 UTC
OK so WEP has problems. That's not the point. No security system is
perfect, only a set of barriers to prevent inadvertent breaches or to
slow down attackers. If it takes a day or two of sniffing to hack the
WEP code that is a barrier. Besides, as the wifi security standards
improve, wouldn't you want to have laid the foundation for that to sit
on? Instead of throwing up your arms and saying, well there is no
point since it has been hacked? I'm noting that Red Hat is wasting its
time having this page on an https site since that can be cracked too.

Back to my main point. I'm in a real corporate environment (6000
employees) and clear text key storage is not acceptable by the IT
department. I would assume the same for many others.

Comment 5 Bill Nottingham 2004-04-15 20:31:12 UTC
Assigning to kernel, then.

root will easily be able to get a plaintext key without kernel changes.


Comment 6 Ralf Ertzinger 2004-04-28 16:47:23 UTC
Please read the documentation about how WEP works. It needs the key in
the clear to do encryption in the first place.
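
Added example, not part of the original bug thread: a minimal Python sketch of the point in Comment 6, set against the password-file idea from Comment 2. It uses the standard WEP construction (RC4 seeded with IV || key, CRC-32 ICV); the key, IV, payload, the choice of SHA-256 for the stored digest, and all function names are assumptions made for illustration.

```python
import hashlib
import struct
import zlib

def rc4(seed: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the seed has to be the real key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: RC4(IV || key) over payload || CRC-32 ICV."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return rc4(iv + key, payload + icv)

def wep_decrypt(key: bytes, iv: bytes, body: bytes):
    """Return the payload, or None when the ICV does not match."""
    plain = rc4(iv + key, body)
    payload, icv = plain[:-4], plain[-4:]
    ok = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) == icv
    return payload if ok else None

def stored_digest(key: bytes) -> bytes:
    """What a password-file style store would keep instead of the key."""
    return hashlib.sha256(key).digest()

def digest_matches(candidate: bytes, digest: bytes) -> bool:
    """The only operation a one-way digest supports: checking a guess."""
    return hashlib.sha256(candidate).digest() == digest

# Constructed sample values, not taken from the bug report.
KEY = bytes.fromhex("0102030405")     # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")          # 24-bit per-frame IV
FRAME = b"constructed payload"
```

A login check only ever calls something like `digest_matches`, which is why a password file can hold digests; every transmitted or received frame calls `wep_encrypt` or `wep_decrypt`, and those need `KEY` itself, so the driver must be handed the key in the clear.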

Comment 7 Alan Cox 2004-05-03 00:56:03 UTC
No OS keeps WEP keys somehow magically safe. The only stuff that uses
smart cards I know doesn't use WEP.