Still, I feel additional discussion is in order. One of the tenets of cryptography is that new security systems deserve to be beaten on mercilessly without deference to their creator. And I would argue that the Michael countermeasure is no ordinary design tradeoff. It is rather like a doctor prescribing a drug with severe side effects on the theory that it is the only way to save the patient's life, something that should be done only with the greatest caution:
o First, the doctor should be sure that the side effects aren't as bad as the disease.
There is a community of "wardrivers," people who look for 802.11b networks they can access. Even assuming most of them are ethical hacker types, who will good naturedly find something else to do when WPA starts to spread, there might be a few who are less sporting about it. All they have to do is write some code that sends a couple of bad packets every minute or so to any network it finds. This won't even be noticed by 802.11 nets that aren't using WPA, but those that are will be severely disrupted. Guess what will happen? The network administrators attacked will turn WPA off. As word spreads, other net admins won't even bother turning it on. They are overburdened anyway and installing WPA won't be a picnic.
Here is a story from today's Security Wire Digest:
At 2:00 AM -0600 11/11/02, [EMAIL PROTECTED] wrote:
I would argue that the Michael countermeasure DOS attack breaks WPA security as effectively as a cryptographic attack. It's simple, it's practical, it's specific to WPA, and could even be spread by virus. And if such an attack occurs, it will generate as much bad press as a cryptographic attack. How will the WiFi Alliance respond? Issue a press release pointing out that other DOS possibilities exist in ordinary 802.11? And how much credibility will be left when 802.11i is finally ready?*STILL AN INSECURE WIRELESS WORLD By Michael Fitzgerald The results of the second World War Drive are in, and they don't look good for wireless security.Of the almost 25,000 wireless access points surveyed, only 35 percent used Service Set Identifier (SSID), a default security feature in the 802.11b protocol. Only 28 percent had Wired Equivalent Privacy (WEP) enabled. Of those using SSID, less than 4 percent also use WEP. The issue comes down to management information system (MIS) staffing, says Pete Shipley, an independent security consultant. "It's a key distribution problem," Shipley says. "When you're in the corporate environment with a large number of laptops deploying wireless, without encryption you pretty much hand out a wireless card and it works. With WEP, you have to configure the system." While not difficult, the effort requires time, and MIS staffs typically have more pressing issues than wireless security. Shipley thinks that as security becomes more important to companies, they will revisit their wireless security setup. ... http://www.worldwidewardrive.org
o Second, the doctor should be certain of the diagnosis.
Is the patient's life really in danger? In this case that means asking how easy it really is to break Michael. Normally, cryptographers should be extremely conservative in assessing the strength of an algorithm. But when the response to perceived weakness is to add a different vulnerability, I would argue that the test should be what is realistic, not the ultra conservative worst case. The Intel article said the best known attack is a 29-bit differential cryptanalysis. How practical is that? Does it require vast amounts of chosen plain text?
If there is no practical Michael busting attack on the horizon, than the objection to allowing users to turn the countermeasure off, perhaps with a warning that doing so risks security, seems harder to understand.
o Third, the doctor should be certain that no other treatments are available.
The question of whether a significantly stronger MIC can be created within the limited computational budget available is still an interesting one. I hope more details about the algorithm and the constraints, both in time and space for object code, will be available very soon, if they are not already. If something markedly better were developed in the next few months, perhaps the WiFi Alliance could be persuaded to drop it in before release. At worst, work in this area could be a useful backup in case AES-based solutions prove too cumbersome to retrofit. I have some preliminary ideas based on what I read in the Intel paper, but I will put them in a separate message.
o Then there is the notion (which is never supposed to cross a doctor's mind) that the patient's job isn't vital so why worry?
I take issue with is the proposition that users can be expected to avoid 802.11 for mission critical applications. One of the main reasons for the explosive growth of this technology is that it enables non-technically trained people to build networks in a simple plug-and-play way. These people expect stuff they buy to work and will use this systems in ways we never imagine.
And why shouldn't they? The marketing for WiFi is very aggressive. The WPA press release uses the word "robust" three times in two paragraphs. I could find nothing on the WiFi Alliance page http://www.wi-fi.org that cautions users against mission critical applications. Yes, there is that little FCC Part 15.19 notice on the box that says you are subject to interference, but every product comes festooned with warning labels these days.
The economics of WiFi mass adoption mean that other solutions will become too expensive, if any are available at all. Even if a system designer wants to avoid the risks of using 802.11, his boss may axe the extra cost. Then there is the question of the third world, where often no hard wired infrastructure exists. In many impoverished regions, wireless solutions are providing the first and only Internet connectivity. You can be sure mission critical applications will use it.
o Some doctors might justify a risky drug because the patient has several other diseases that could be fatal.
The argument that wireless solutions don't have to worry about DOS attacks because there are so many of them smacks of this. WiFi is a huge success and with that success comes a responsibility to keep improving the product and eliminate known risks.
Take the packet cancelling attack Niels described. There may well be defenses that could be developed against packet cancelling. The higher level attacks he described could be dealt with by encapsulating over-the-air TCP/IP packets in encrypted envelopes, perhaps padded to standard lengths. Even the low level packet canceling technique itself might be defeated if the receiver cards can be persuaded to report all bad packets. If we are using military-strength crypto, why not use military strength antijam? There is a lot of AJ technology developed for military use that could be employed. Indeed the spread spectrum underpinnings for 802.11 come from that world. In my opinion, this attack ought to be on the agenda for 801.11i. And in any case, the packet cancelling attack is a lot more complex than the Michael countermeasure attack I posited.
The legal obstacles to pursuing DOS attackers also are a poor excuse. I am not a lawyer, but as I understand things, the problem arises in the U.S. because WiFi is authorized under FCC Part 15 rules, and those rules state that users of Part 15 devices have to accept interference from other users. Still, if the interference is intentional, there may be bases for actions under a variety of federal laws. For example, 47 USC 333 :
"No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government." (1 year in jail per 47 USC 501). If the network is used by a US Government site or someone doing defense work, 18 USC 1362 would kick in, with 10 year sentences.
Active attacks, such as the Michael countermeasure DOS attack or packet canceling, would seem to come under the anti-hacking law 18 USC 1030a5A: "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" (5 years). The recent anti-terrorism law broadened the definition of "damage."
The law in other countries is probably less finicky. And the U.S. Congress seems generally willing to expand the anti-hacking laws to cover new problems. The notion that a large part of the national data communication infrastructure will enjoy no protection from malicious attack is simple untenable long term. What is going to happen when hospitals start buying computers with Bluetooth peripherals?
o I'm aware of the old adage "the best is the enemy of the good." WPA is good and reflects a lot of hard work but the Michael countermeasure makes me uncomfortable. I suspect there are ways to fix it, even in the short time available.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
