Add a wireless hex password

Hello Forum,

I want to make a little fun with some guests that are using my guest wpa2 wifi.
I want to set the password to special characters and watch them failing.

The manual says If a 64-character hexadecimal string is supplied, it will be used directly as the pre-shared key instead. So I opened the /etc/config/wireless and changed the line to:
option key '41414141414141410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'

41 is hex for A, so the password should be 'AAAAAAAA'. But after a wlan restart, the wifi dont come up. In the OpenWRT Gui, the password is marked red. Only if I change the PW back to a normal string PW, the wifi come up.

  1. How can I set a hex password for my wpa2 wifi?
  2. I have to use utf8 for the hex encoding?

Thanks

Peter

My guess is that you'd need to write '000000....0004141414141' in order to mean AAAAAA and not AAAAA00...00
My question is why do you need to use the hex value there?
Also please refrain from signing your posts as per rules.

2 Likes

You have 128 characters not 64

41 is two hexadecimal characters. Yes they do represent the ASCII characters A but still count as two hex characters. Similarly 00 are two hex characters representing NULL

3 Likes

Following your theory, shouldn't it be:

0000000000000000....4141414141414141

With the populated characters nearer the 0x0 place

:question:

I'm also curious, since the users type in the translated passphrase anyways. You're the only person able to see Hex entered in the config - instead of the passphrase.

1 Like

I tried several forms. I added the points to sever 9 signs in this posting, they are not in the config file.

option key '41414141.41414141.00000000.00000000.00000000.00000000.00000000.00000000'
option key '00000000.00000000.00000000.00000000.00000000.00000000.41414141.41414141'

The password is still not AAAAAAAA.
If I remove the enclosing quotes (') then they are added after a restart of the wifi.

I remember that there where a problem typing german umlauts in the wifi password. Maybe because of different encodings (umlauts in utf8 and the upper 8bit ascii table [codepage 850?]). Are there still such problems known for Android or iPhone devices? If not I want to try some chars that are not reachable by a english or german keyboard. Therefor I must use hex.

There is a name for the problem you are having: pre-hashed karma :smile:

INCORRECT! Such a passphrase is invalid!

See: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Target_users_(authentication_key_distribution)

This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters.[18] If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.[19] WPA-Personal mode is available with both WPA and WPA2.

So how would your clients enter an ASCII passphrase if you did such a thing?

Most user devices do not support entering a pre-hashed key. A pre-hashed key needs to be in hex and exactly 256 bits (64 hex characters) long. It is used directly in binary format in the encryption system.

Pre-hashing the key will slightly reduce startup time on devices with a slow CPU, since the hashing step can be skipped. Other than that there is no reason to do it.

The utility program wpa_passphrase can be used to hash a text passphrase.

The reason for hashing the key is to make it more difficult to brute-force guess the passphrase. In order for this measure to be effective the SSID needs to be something unique and not found in a pre-hashed "rainbow table" of common SSIDs and dictionary passphrases.

5 Likes

...furthermore with WPA3/ SAE you need to use passphrases anyways.

1 Like