
cat-users - Re: [[cat-users]] security fix clear text password in linux script eduroam

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "Rademaker,Hans J.G." <h.rademaker AT fontys.nl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: "Visser,Ramon R.D." <r.visser AT fontys.nl>
  • Subject: Re: [[cat-users]] security fix clear text password in linux script eduroam
  • Date: Tue, 19 Dec 2017 08:26:03 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hi again,

> Normal passwords aren't dependent on an SSID, and I don't know from the
> top of my head if the 256-bit PSK generated from WPA passphrases is
> reversible to get the cleartext back. (Apparently it is, otherwise your
> storing of a password with this method wouldn't work...)

Not that I care much about PSK-based networks ;-) but I found that too
suspicious to not look it up. Wikipedia quickly gave away:

"This key may be entered either as a string of 64 hexadecimal digits, or
as a passphrase of 8 to 63 printable ASCII characters.[10] If ASCII
characters are used, the 256 bit key is calculated by applying the
PBKDF2 key derivation function to the passphrase, using the SSID as the
salt and 4096 iterations of HMAC-SHA1."

With PBKDF2 and 4096 times HMAC-SHA1 it is really impossible to recover
the original password from the hash (which would be needed for
TTLS-PAP). The hash is also incompatible with MSCHAPv2 (which would be
needed for PEAP).

So, whatever it is that wpa_passphrase is doing on your box, it's
against the documentation and not very logical.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
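
The key derivation quoted in the message above, as an added example that is not part of the original post or of the CAT code base: it handles both entry forms (64 hex digits, or an 8 to 63 character passphrase run through PBKDF2-HMAC-SHA1 with the SSID as salt). The function name `wpa_psk` and the sample SSIDs are assumptions made for illustration.

```python
import hashlib
import string

_HEX = set(string.hexdigits)


def wpa_psk(key: str, ssid: str) -> bytes:
    """Return the 256-bit WPA/WPA2-Personal PSK for a key entry and an SSID."""
    # Form 1: 64 hexadecimal digits are the raw key; the SSID plays no part.
    if len(key) == 64 and set(key) <= _HEX:
        return bytes.fromhex(key)
    # Form 2: a passphrase of 8 to 63 printable ASCII characters.
    if not 8 <= len(key) <= 63 or any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("need 64 hex digits or 8-63 printable ASCII characters")
    # PBKDF2, HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.
    return hashlib.pbkdf2_hmac(
        "sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


if __name__ == "__main__":
    # Constructed sample input: the passphrase "password" on two SSIDs.
    for ssid in ("IEEE", "eduroam"):
        print(f"{ssid:8} {wpa_psk('password', ssid).hex()}")
    # The two lines differ: the SSID salt binds the derived key to one network.
    # The output is a one-way 32-byte value. It is neither the cleartext that
    # TTLS-PAP sends nor the password hash that MSCHAPv2 (PEAP) computes with.
```
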



