# 722 Does Not Accept 63 character Wireless WPA2 Encryption Key



## DennisL (Feb 16, 2004)

Trying to set up my VIP-722 with a new Netgear WNDA3100V2 wireless adapter. The receiver recognizes the adapter successfully, and the SSID scan correctly identifies the encryption on my network as WPA2 (although it's actually WPA2-PSK).

However, when I attempt to enter my 63 character alphanumeric encryption key, the receiver accepts the first 26 characters, and then refuses to accept any characters beyond that. Each attempt to enter a new character overwrites the character in the 26th position.

WPA should accept 8-63 alphanumeric or 64 hex characters. FWIW, there is a neighbor's WEP network within range, and I tried selecting that and entering a key. Also only accepted 26 characters, which is correct for WEP 104/128.

Receiver firmware is L672.

Any thoughts on what might be happening here? Anyone else able to use a WPA2 key longer than 26 characters?

Thanks.


----------



## RasputinAXP (Jan 23, 2008)

...that's a lot of characters. Realistically what are you trying to accomplish with that?

8-10 is fine for most, 26 is kind of crazy but 63? Are you keeping state secrets on your wireless network?


----------



## Jim5506 (Jun 7, 2004)

Local Wikileaks hub??


----------



## Kevin F (May 9, 2010)

"Jim5506" said:


> Local Wikileaks hub??


Hahaha +1


----------



## RasputinAXP (Jan 23, 2008)

I suppose the real answer is "I've only ever used the wired ethernet connection." 

At the rate you're going you might as well set up a RADIUS server.


----------



## BqWUDUDj (Feb 26, 2007)

I use a 63-character WPA2-PSK key as well. I had a password generator spit out 63 characters at random and it's a simple matter of cut and paste to get those into the wireless access point and all connecting computers. Windows will even put the config into a USB key. You can avoid even the cut and paste. Too bad that Dish doesn't support this.

My receiver is wired, but I would be upset to find out that limitations of a Dish receiver restrict my house-wide wireless key to 26 characters and impose changes to all my computers (and my friends' computers who visit). It's not Dish's place to make these decisions. If you are going to support WPA2-PSK (and I think it's a great thing to do), do it right.

By the way, Windows XP has a bug in its support of WPA2-Enterprise. If you did go the RADIUS route, you'd find that your Windows XP remote desktops would disconnect after a minute or two. So that's not always an option, if you have older systems.


----------



## DennisL (Feb 16, 2004)

Thanks for the responses. Yes, know that 63 characters is more than probably needed. Will probably just reduce the key length and go on. But, like BqWUDUDj, I'm annoyed that Dish has either an obvious bug or made an arbitary decision to implement a non-compliant setup. The help screen for the encryption key entry says WPA will accept an 8-63 character key.


----------



## SaltiDawg (Aug 30, 2004)

DennisL said:


> ... I'm annoyed that Dish has either an obvious bug or made an arbitary decision to implement a non-compliant setup. ...


Why would you think that there are only two "obvious" bug or "arbitary" (sic) decision? It might also be that, as explained, there is simply not enough time to do the required processing with the longer key... or maybe something else.


----------



## P Smith (Jul 25, 2002)

_If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1_ - doesn't matter how long your passphrase is - the algo to generate the KEY is the same !


----------



## ZBoomer (Feb 21, 2008)

DennisL said:


> Yes, know that 63 characters is more than probably needed.


Ya think? :lol:

So overkill I'm kinda at a loss for words, so I'll just leave it alone.


----------



## LtMunst (Aug 24, 2005)

P Smith said:


> _If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1_ - *doesn't matter how long your passphrase is - the algo to generate the KEY is the same* !


This is absolutely untrue. Attacks against WPA/WPA2 are all dictionary based. The attack program will run through its "dictionary" using the SSID salt and the key derivation function to test against the handshake. If you are stupid enough to use 12345 as your password...or any other easy password, it will be cracked. The key derivation function does not, in and of itself, make your system 256 bit secure. The system (any Crypto system actually) is only as good as the password. A 10 bit password run through a 256 bit hash algorithm is still only 10 bit secure.


----------



## LtMunst (Aug 24, 2005)

SaltiDawg said:


> Why would you think that there are only two "obvious" bug or "arbitary" (sic) decision? It might also be that, as explained, there is simply not enough time to do the required processing with the longer key... or maybe something else.


I would lean towards believing it is a bug. There is no reason from a processing standpoint to deliberately shorten the password length. The passphrase is hashed to 256 bit key on the first pass and then that 256 bit key is passed thru the hash again....and again 4096 times total. This entire process is performed on a grand total of 4 data packets. From that point on, the data payload is encrypted with a pseudo-randomly generated 128 bit key.

Long story short....there is no way a longer password would be a processing drain on the receiver.


----------



## SaltiDawg (Aug 30, 2004)

LtMunst said:


> ...
> Long story short....there is no way a longer password would be a processing drain on the receiver.


LtMunst,

Thanks for the explanation.

CdrSaltiDawg


----------



## LtMunst (Aug 24, 2005)

DennisL said:


> However, when I attempt to enter my 63 character alphanumeric encryption key, the receiver accepts the first 26 characters, and then refuses to accept any characters beyond that. Each attempt to enter a new character overwrites the character in the 26th position.


Are you sure? I have seen similar behavior in the generic windows interface for entry of WEP keys. The data field may only be 26 characters long visually, but it may actually continue to take additional characters typed....or not. Worth a try to keep typing the entire passphrase even though it no longer looks like it is being taken.


----------



## P Smith (Jul 25, 2002)

LtMunst said:


> This is absolutely untrue. Attacks against WPA/WPA2 are all dictionary based. The attack program will run through its "dictionary" using the SSID salt and the key derivation function to test against the handshake. If you are stupid enough to use 12345 as your password...or any other easy password, it will be cracked. The key derivation function does not, in and of itself, make your system 256 bit secure. The system (any Crypto system actually) is only as good as the password. A 10 bit password run through a 256 bit hash algorithm is still only 10 bit secure.


That's right; how I forgot dict attack ... ? :nono2:


----------



## saberfly (Apr 5, 2010)

63 characters!?!?! If you crack that code can you launch nukes?


----------



## LtMunst (Aug 24, 2005)

saberfly said:


> 63 characters!?!?! If you crack that code can you launch nukes?


Yes. :lol:


----------



## LtMunst (Aug 24, 2005)

Paranoia aside, there is actually a good practical reason for choosing to use a full 64 character hex password. In WPA2, if a 64 character hex is used, the entire key derivation process is skipped. The 256 bit key is used directly in the authentication. Skipping the 4096 rounds of the hash function used for ASCII passwords saves a noticeable few seconds when you first connect. It does not matter for devices that are always connected, but for laptops, smartphones, etc...it makes a difference.

I was planning on springing for a Sling adapter and USB network adapter from Dish for my 722. If this bug is real, I will probably skip the USB adapter and swap places with my 622 (right next to router). That's easier than re-keying my 11 other network devices.


----------
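The key handling discussed in the posts above (8-63 ASCII characters run through PBKDF2 with the SSID as salt, or 64 hex digits used directly), as an added example that is not part of any post in this thread. The function names, the SSID `ExampleNet` and the sample passphrase are constructed for illustration; the code shows why a passphrase cut off at 26 characters cannot associate with a network keyed with the full 63.

```python
import hashlib
import math
import string

def wpa2_pmk(key: str, ssid: str) -> bytes:
    """Return the 256-bit pairwise master key for a WPA2-PSK key entry."""
    # 64 hex digits: the value is the key itself, no derivation is run.
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return bytes.fromhex(key)
    # Otherwise it must be an 8-63 character printable-ASCII passphrase.
    if not 8 <= len(key) <= 63:
        raise ValueError("passphrase must be 8-63 characters or 64 hex digits")
    if any(not 32 <= ord(c) <= 126 for c in key):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def effective_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on key strength for a uniformly random passphrase.

    The derived key is 256 bits wide, but it is never stronger than
    the passphrase that produced it.
    """
    return min(256.0, length * math.log2(alphabet_size))

# Constructed sample values (assumptions, not taken from the thread).
SSID = "ExampleNet"
FULL = ((string.ascii_letters + string.digits) * 2)[:63]  # 63 characters
TRUNCATED = FULL[:26]  # what a 26-character entry field would keep

if __name__ == "__main__":
    full_pmk = wpa2_pmk(FULL, SSID)
    short_pmk = wpa2_pmk(TRUNCATED, SSID)
    print("full      PMK:", full_pmk.hex())
    print("truncated PMK:", short_pmk.hex())
    print("keys match:", full_pmk == short_pmk)
    for n in (8, 26, 63):
        print(f"{n:2d} random alphanumeric chars: "
              f"{effective_bits(n, 62):.1f} bits")
```
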



## mdavej (Jan 31, 2007)

Can't you set up the adapter with the proper key on a PC then plug it in to the DVR until this bug is fixed?


----------



## DennisL (Feb 16, 2004)

LtMunst said:


> Are you sure? I have seen similar behavior in the generic windows interface for entry of WEP keys. The data field may only be 26 characters long visually, but it may actually continue to take additional characters typed....or not. Worth a try to keep typing the entire passphrase even though it no longer looks like it is being taken.


Didn't think of that, thanks. Visually it looks like the 26th character is overwritten by each subsequent one. Already switched to shorter key, which works fine. Will try a longer one when I get the chance.

Thanks for the explanations on the hash algorithm.


----------



## LtMunst (Aug 24, 2005)

mdavej said:


> Can't you set up the adapter with the proper key on a PC then plug it in to the DVR until this bug is fixed?


No, the password is saved on the host device, not the adapter.


----------



## YurMom (Apr 24, 2013)

I know this is a very old thread but I was wondering if anyone found out the truth of this. The help screen indeed states up to 64 characters but one can only enter 26. Has Dish released a new wireless adapter that DOES allow for 63/64H keys?

It would be extremely lame for Dish to say I need to lower my security because they don't understand how easy it is to BRUTE FORCE nowadays.. a 2 or 3 machine PS3 cluster and voilà :smoking: !

(They used a PS3 super cluster to break open SSL certificates)

BTW... unless you don't care for your identity !rolling , these days to use anything less than the longest, random key is asking to spend the next five or ten years just trying to prove you are you :eek2: . If you don't understand that some areas of this country are 'trolled' for wireless signals (even non-broadcast SSID's) more than yours, it doesn't mean my key is overkill just that yours is much easier to break and run with your identity.

Personally, if DishNetwork doesn't understand this either would not be a surprise :bang ... no 3D, multiple issues with 1080p on the 722, etc.

Will DishNetwork ever step at least into yesterday :blackeye: so we can start using our products to their FULLEST potential!!!


----------



## Orion9 (Jan 31, 2011)

Has anyone tried entering more characters? It might be a display bug rather than a data entry bug. Maybe. I have another wi-fi device that doesn't _appear_ to allow more than 32 characters but it really does - just doesn't display them.


----------



## YurMom (Apr 24, 2013)

I can't enter more than 26 characters. It stops adding any characters... they are not hidden so you can tell what's being taken.

Also, my network is WPA2 but I hide my SSID. The adapter, by default, sets my network type to WPA (not WPA2) after I type in my SSID. I will call Dish tomorrow but thought I'd try with some people with actual training on this before some basic CSR... good as Dish's CSR's may be.

It really seems like no one in the Dish Executive branches is paying ANY attention.


----------



## RasputinAXP (Jan 23, 2008)

YurMom said:


> I know this is a very old thread but I was wondering if anyone found out the truth of this. The help screen indeed states up to 64 characters but one can only enter 26. Has Dish released a new wireless adapter that DOES allow for 63/64H keys?
> 
> It would be extremely lame for Dish to say I need to lower my security because they don't understand how easy it is to BRUTE FORCE nowadays.. a 2 or 3 machine PS3 cluster and voilà :smoking: !
> 
> ...


Then why use wireless at all? Why use WPA2? Why not use WPA2 Enterprise with RADIUS if you're that concerned about data safety?


----------



## P Smith (Jul 25, 2002)

Let's run KERBEROS server for the rise security !


----------



## Orion9 (Jan 31, 2011)

Does the 722 support WPA2 Enterprise with RADIUS?


----------



## saiyan (Jul 12, 2006)

I don't get why people buy individual WiFi adapter for their VIP DVR, AV receiver or other equipment. I would just get a WiFi bridge with built-in 4 port switch like D-Link's DAP-1522 to connect my VIP DVR, AV receiver, Xbox and so on.


----------

