stevecrye's Avatar
Posts: 226 | Thanked: 38 times | Joined on May 2008 @ Texas/Earth/Sol System/Milky Way/Local Group/Hubble Bubble/Infinity
#1
Hi;

This is also posted in Troubleshooting, but I've not received replies. Only a couple hours left today to test. I'm very close to figuring this out - please help.

Our corporate WPA-PSK is 64 characters; too long to enter in the config dialogs. Tests with shorter keys work OK.

We can't change the 64 char PSK at our ~ 100 sites, or easily add new SSIDs with shorter keys to our ~ 1500 Cisco APs.

I've read that the gconftool-2 has a mode to write strings. I've seen plenty of examples. All I need to do is add one itty bitty character ( "5") to the end of the passphrase (for one particular network) that is truncated at 63 characters.

I was able to run gconftool-2 -R /system/osso/connectivity/IAP/theParticularNetwork and pipe it to a file. I then used vi to add that one pesky character, and saved the file. But, how to write it back? The file has ~ 1000 characters. I've looked over the man page for gconftool-2 , and did not see an option for file input.

I tried this:
gconftool-2 --type string --set /system/osso/connectivity/IAP/theParticularNetwork < TheInputFile
But, gconftool-2 returns the error : " Value type is only relevant when setting a value"

As I learned more about the tool, I realized that EAP_wpa_preshared_passphrase was a value. So, I tried this:
gconftool-2 --get /system/osso/connectivity/IAP/theParticularNetwork/EAP_wpa_preshared_passphrase
, and it printed out the passphrase value.

But, if I try this:
gconftool-2 --type string --set /system/osso/connectivity/IAP/theParticularNetwork/EAP_wpa_preshared_passphrase "blablabla", it still returns error : " Value type is only relevant when setting a value"

Man ... I sense I am so close. Any help would be greatly appreciated.

Thanks,
Steve
Loving my n810 more and more every day - Linux in my pocket!
 
Benson's Avatar
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#2
Well, in your first example, you indicate input redirection from a file; this is wrong...

Your last attempt,
Code:
gconftool-2 --type string --set /system/osso/connectivity/IAP/theParticularNetwork/EAP_wpa_preshared_passphrase "blablabla"
seems to indicate that you realized this, and are using a string on the command line. That's the correct approach. (Unless, of course, the quoted argument in the last one was actually an oversight, and you were still trying it... that's why I mention it.)

It looks right, so I'm not sure why it's not working. But I just use gconf-editor for prowling around gconf, and making changes. Of course, gconftool is good for scripting those changes, and posting them for others, but it's not as handy for this.

Also, I'm not sure you're gonna get what you want here, if this does work. See this post. (The 64 hexits are a hash of the 63-byte passphrase; hashing them as though they were a passphrase won't work, and is probably what you're gonna wind up telling it to do.)

p.s. It makes things a lot easier to deal with if you post that sort of stuff in [CODE] tags to delimit it from text...

Last edited by Benson; 2008-06-06 at 21:59.
 

stevecrye's Avatar
Posts: 226 | Thanked: 38 times | Joined on May 2008 @ Texas/Earth/Sol System/Milky Way/Local Group/Hubble Bubble/Infinity
#3
Benson!

You da man. Thanks for the fast reply.

I had read that post from Brontide - that's what led me to gconf - but did not quite understand the relationship between the WPA preshared passphrase and the PSK. Is the PSK generated from the passphrase? So, if I just modify the passphrase, then the PSK won't be updated? Perhaps I can get the PSK from my laptop or somewhere.

I'll start using the code tags - I wondered how to get stuff to appear in those boxes. Is there a FAQ or howto for that kind of forum-related stuff? I've always had problems with advanced posting techniques in forums; now is the time to learn. For example, when I insert an image, forums seem to want a URL. I put the image file on my webserver, but it still does not seem to look right in the preview.

I'm installing gconf-editor right now. I'll let everyone know what happens if I just add that missing character to the passphrase.

Steve
 
stevecrye's Avatar
Posts: 226 | Thanked: 38 times | Joined on May 2008 @ Texas/Earth/Sol System/Milky Way/Local Group/Hubble Bubble/Infinity
#4
Waaahh!

gconf-editor works great - I wish I had known about it 6 man-hours ago. It's right there in the list of installable apps in application manager. Duh. ( I can hear my daughter calling me a 'tard again...)

But, - even with the editor, it will not save the 64th character. Something in the OS2008 is stuck at 63 characters.

This reminds me - in my job, I live or die by log files. Are there logs on the n810 that can shed light on problems? What kind of logs, and where?

Anyway, this is looking like a bug - and it is a nasty one for me. We can't change our world to use a shorter passphrase.

Waaah! again ...

Thanks again,

Steve

Last edited by stevecrye; 2008-06-06 at 22:30. Reason: typos
 

Benson's Avatar
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#5
The key is hashed from the passphrase with a one-way hash. You can get instructions and programs online to compute the key given the passphrase, I'm sure, but getting a pass-phrase from the key is computationally difficult; impossible for individuals, practically so for almost everyone else. Unless it's in the rainbow tables...

What you've got, if it's 64 hex digits, is the key. Unfortunately, at least at that layer, you can't put in the key directly, only the passphrase that generates it. So you'll need to set it so that it'll be read "further down" (for all I know, just a different gconf key, but possibly somewhere else entirely) instead of there.

Umm... Don't know of an FAQ right off; use "Go Advanced" and play with those buttons and the preview, of course, but that won't show you everything. I can do stuff like this manually, but there's no strikeout button in advanced edit. If you see someone doing some formatting you don't know about, you can always hit the Quote button, and you'll be able to see the codes in the quote... Yeah, this message would be a good exercise.
 
stevecrye's Avatar
Posts: 226 | Thanked: 38 times | Joined on May 2008 @ Texas/Earth/Sol System/Milky Way/Local Group/Hubble Bubble/Infinity
#6
Ok...

Now I'm really going nuts. Been reading on WPA PSK, PMK, PMT, Windows XP, 63 character max vs 64 character max.

So, I decided, just for the heck of it, to convert the 64 character passphrase into 32, 8-bit decimal values and plug them into the EAP_wpa_preshared_key field with gconf-editor. ( BTW, our passphrase is a string of "hexits", not ascii characters) .

After tediously entering all 32 of the decimal values, I hit ok, ok - then discovered to my horror that the values were unchanged. Some experimentation revealed that not only can't I change those values with gconf-editor, I can't change any of the passphrase values either - I can't seem to change any of the values via gconf-editor!

Arrgh.

Now I don't know what to think or do.
<sigh>

Steve

Last edited by stevecrye; 2008-06-07 at 22:41.
 
stevecrye's Avatar
Posts: 226 | Thanked: 38 times | Joined on May 2008 @ Texas/Earth/Sol System/Milky Way/Local Group/Hubble Bubble/Infinity
#7
Hi all;

OK, been doing some research and talking to my staff.

First, read this summary from Wikipedia. I've cross-checked it against a number of sources and it seems accurate.

"Security in pre-shared key mode
Pre-shared key mode (PSK, also known as personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server. Each user must enter a passphrase to access the network. The passphrase may be from 8 to 63 printable ASCII characters or 64 hexadecimal digits (256 bits).[2] If you choose to use the ASCII characters, a hash function reduces it from 504 bits (63 characters * 8 bits/character) to 256 bits (using also the SSID). The passphrase may be stored on the user's computer at their discretion under most operating systems to avoid re-entry. The passphrase must remain stored in the wireless access point."

Our passphrase is exactly 64 hexits, and therefore should not need to be hashed - it already is 256 bits in length. I've concluded that because the N810's WLAN config dialog rejects a 64 character passphrase, the N810 is expecting ASCII characters, not hexits, in that field; it is not looking to see if each "character" passes the 'hexit' test, as described in this post I found on a Palm forum, where Palm users are having the exact same problem:
"The 64 characters ~have~ to be Hexadecimal ONLY, no other ASCII characters are allowed. Legal characters are a-f, and 0-9."

Now, the question is: what is the relationship between a 64-hexit passphrase and the 256 bit pre-shared key? Is the PSK in the case of a 64-hexit passphrase still generated by a function, or is it the same thing as the 64-hexit passphrase?

I'm trying to hack into my laptop to see if I find the PSK stored somewhere. I'm also poring over the RFCs to see if the answer is there.

Now, regarding my problem on Friday with using gconf-editor to change either/both the passphrase and the PSK. I am now able to do those edits. I think I may have found a bug in the gconf-editor. If I change a value, hit OK, and then exit the editor, the value will not stick. However, if I change a value, hit ok, then click on another value, look at it, hit cancel, and then go back to the value I changed, the change then 'sticks', and will persist through a power off/on cycle.

So, if I can figure out what the PSK is supposed to be for our 64-hexit passphrase, I think I can get this to work.

But - I'm still desperate and confused . Is there a WPA doctor in the forum? Please help.

Thanks,

Steve
 
brontide's Avatar
Posts: 868 | Thanked: 474 times | Joined on Oct 2007 @ Capital District, NY, USA
#8
IIRC, the /system tree can only be written to as root... are you running as root, that might explain why you can't update those fields.

I think you are on the right track by modifying the decimal values directly as I think those are the actual key ( as opposed to the passphrase )
 
brontide's Avatar
Posts: 868 | Thanked: 474 times | Joined on Oct 2007 @ Capital District, NY, USA
#9
Originally Posted by stevecrye:
Hi all;
Now, the question is: what is the relationship between a 64-hexit passphrase and the 256 bit pre-shared key? Is the PSK in the case of a 64-hexit passphrase still generated by a function, or is it the same thing as the 64-hexit passphrase?
63 Hex Passphrase, which is usually a string.

SSID + Passphrase(63hex) -> HASH -> Key(64hex/256bit) - In the 810 it appears to be stored as a string of decimals

You either need the Passphrase or the Key to access the network.

Last edited by brontide; 2008-06-08 at 01:54.
 

stevecrye's Avatar
Posts: 226 | Thanked: 38 times | Joined on May 2008 @ Texas/Earth/Sol System/Milky Way/Local Group/Hubble Bubble/Infinity
#10
Thanks, Brontide;

All I had to do is convert our 64-hexit PSK to 32, 8-bit decimal integers, and poke them in with gconf-editor. The hardest part was struggling with the maddening bug in the editor. I finally figured out that instead of hitting the second "OK" after editing one of the integers, if I clicked on the "title bar" at the top of the editing window, and then clicked "Cancel", it would accept the edited value without reverting to the unedited integer.

Apparently the Intel wireless chipsets and the Cisco PCcards understand that when one enters a string of 64 hexits (the PSK that is derived from our 63-character passphrase) it is not an ASCII string, and those drivers just put the 64 hexits into the PSK field. However, many other chipset/driver combos, such as Linksys, the Nokia, the HP iPaq210, don't try to tell if the entry one makes when the dialog box asks "enter your pre-shared key" is the 8 to 63 character long passphrase or the actual 64 hexit PSK.

Thanks to everyone for their patience with me on this one. I've learned a lot.

Steve

Last edited by stevecrye; 2008-06-09 at 05:24.
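
The relationship the thread arrives at, as an added example that is not part of any poster's message: an entry of 8 to 63 printable ASCII characters is hashed with the SSID into the 256-bit key, while 64 hex digits already are that key and only need decoding into 32 octets. The function names are hypothetical, and the sample passphrase, SSID and key are the published IEEE 802.11i test vector, not values from this thread.

```python
import hashlib
import string

def wpa_psk(entry, ssid):
    """Turn what is typed into a 'pre-shared key' field into the 32-byte PSK."""
    if len(entry) == 64 and all(c in string.hexdigits for c in entry):
        # 64 hex digits already are the 256-bit key: decode, never hash.
        return bytes.fromhex(entry)
    if 8 <= len(entry) <= 63 and all(32 <= ord(c) <= 126 for c in entry):
        # 8-63 printable ASCII: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
        return hashlib.pbkdf2_hmac("sha1", entry.encode("ascii"),
                                   ssid.encode("utf-8"), 4096, 32)
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")

def truncate_and_hash(entry, ssid):
    """Failure mode: a 64-hexit key cut to 63 characters and hashed as text."""
    return wpa_psk(entry[:63], ssid)

def decimal_octets(psk):
    """The key as 32 integers in 0..255, the form the thread enters by hand
    into EAP_wpa_preshared_key."""
    return list(psk)

# Sample data: IEEE 802.11i test vector (not a value from this thread).
SSID = "IEEE"
PASSPHRASE = "password"
HEX_KEY = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    derived = wpa_psk(PASSPHRASE, SSID)
    print("derived from passphrase:", derived.hex())
    print("decoded from 64 hexits :", wpa_psk(HEX_KEY, SSID).hex())
    print("truncated and hashed   :", truncate_and_hash(HEX_KEY, SSID).hex())
    print("decimal octets         :", decimal_octets(derived))
```

A client that hashes the truncated hex string ends up with a different key than the access point holds, which is why association fails even though the first 63 characters are correct.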
 
