Red Hat Bugzilla – Bug 120843
Clear key storage is security problem
Last modified: 2007-11-30 17:10:40 EST
Description of problem:
I filed a bug under the redhat-config-network but rejected because it
appears to belong here (see issue 20731). Basically our corporate
systems person refuses to setup my wireless because as he puts it she
puts it she could lose her job. Main reason is that the wep key is a
highly guarded code here. If they set up my laptop I can see the key
just by opening any of the wireless network configuration utiltities
or just running iwconfig as root. Since root access is required for me
and others to do our work this is a serious security problem.
Therefore, the wep key must be encripted on the system as it is in
If you're root, you'll always be able to get it.
Not true!! If you do one way encription like the /etc/passwd file it
is very secure. Look at:
WEP keys need to be kept even more secure than you do passwords.
You may want to read:
OK so wep has problems. That's not the point. No security system is
perfect only a set of barriers to prevent inadvertant breaches or to
slow down attackers. If it takes a day or two of sniffing to hack the
wep code that is a barrier. Besides as the wifi security standards
improved wouldn't you want have laid the foundation for that to sit
on. Instead of throwing up your arms and saying, well there is no
point since it has been hacked? I'm noting that redhat is wasting its
time having this page on a https site since that can be cracked too.
Back to my main point. I'm in a real corporate environment (6000
employees) and clear text key storage is not acceptable by the IT
department. I would assume the same for many others.
Assigning to kernel, then.
root will easily be able to get a plaintext key without kernel changes.
Please read the documentation about how WEP works. It needs the key in
the clear to do encryption in the first place.
No OS keeps WEP keys somehow magically safe. The only stuff that uses
smart cards I know doesn't use WEP.