At 18:15 15/11/02 -0500, Arnold G Reinhold wrote:
>I agree that we have covered most of the issues. One area where you have
>not responded is the use of WPA in 802.11a. I see no justification for
>introducing a crippled authentication there.

From the point of the standard there is little difference between 802.11, 802.11a, and 802.11b. The differences are purely in the PHY layer. That is, the exact radio modulations are different, but the whole MAC layer is identical. It would break modularisation to link a MAC layer feature to a PHY layer feature.

The other reason is that 802.11a hardware is already being shipped, and the AES-based cryptographic protocol has not been finalised.

>Also here is one more idea for possibly improving Michael.
>
>Scramble the output of Michael in a way that depends on the MIC key, K.
>This could be as simple as rotating each output word a number of bits
>derived from K. Or you could generate an 8 by 8 permutation from K and
>apply it to the bytes in the Michael output. You might even be able to use the
>small cipher that is used to generate the individual packet encryption
>keys in WPA.
>
>This would break up an attack that depends on messing with the bits of the
>MIC in the message. It does nothing for attacks on parts of the message
>body. Any additional integrity check on the message would catch that,
>however.

This would provide at most a very marginal security improvement. A differential attack can leave the final MIC value unchanged, and adding an extra encryption would not help. See the Michael security analysis for details.

Rotating the output in a key-dependent way is dangerous. You expose the rotation constants to discovery using a differential attack.

Additional integrity checks would require extra cycles, which we could also have spent on a more secure Michael version.

Cheers!

Niels
==============================================================
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]