[please ignore previous message, sent by mistake -- agr]

On Sat, 16 Nov 2002, Niels Ferguson wrote:
> At 18:15 15/11/02 -0500, Arnold G Reinhold wrote:
> >I agree that we have covered most of the issues. One area where you have
> >not responded is the use of WPA in 802.11a. I see no justification for
> >introducing a crippled authentication there.
>
> From the point of the standard there is little difference between 802.11,
> 802.11a, and 802.11b. The differences are purely in the PHY layer. That is,
> the exact radio modulations are different, but the whole MAC layer is
> identical. It would break modularisation to link a MAC layer feature to a
> PHY layer feature.
>
> The other reason is that 802.11a hardware is already being shipped, and the
> AES-based cryptographic protocol has not been finalised.

Modularization is a poor excuse for shipping a cryptographically weak
product. Second, in this case the PHY layer does affect a MAC layer feature.
802.11a is much faster than 11b. That makes Michael even more vulnerable to
attack. If Michael is subject to one forged packet per year on 11b, it is
vulnerable to one every 10 weeks or so in 11a. Third, a stronger variant of
WPA designed for 11a could also run on 11b hardware if there is enough
processing power, so modularization is not broken. As for shipped hardware,
does anyone know that it could not run with a stronger version of Michael?
And a few shipped units are far less justification than the tens of millions
of 802.11b units out there.

> >Also here is one more idea for possibly improving Michael.
> >
> >Scramble the output of Michael in a way that depends on the MIC key, K.
> >This could be as simple as rotating each output word a number of bits
> >derived from K. Or you could generate an 8 by 8 permutation from K and
> >apply it to the bytes in the Michael output. You might even be able to use
> >the small cipher that is used to generate the individual packet encryption
> >keys in WPA.
> >
> >This would break up an attack that depends on messing with the bits of the
> >MIC in the message. It does nothing for attacks on parts of the message
> >body. Any additional integrity check on the message would catch that,
> >however.
>
> This would provide at most a very marginal security improvement. A
> differential attack can leave the final MIC value unchanged, and adding an
> extra encryption would not help. See the Michael security analysis for
> details.

A marginal improvement on a marginal algorithm can be worthwhile. It does
break up one attack mode at negligible cost. It might prevent other attacks
that have not been envisioned.

> Rotating the output in a key-dependent way is dangerous. You expose the
> rotation constants to discovery using a differential attack.

If the rotation constants are derived from the MIC key using a strong hash
(e.g. SHA1) there is little risk of recovering key bits. Since this only
needs to be done when the MIC key changes, the computation time should be
affordable. There is a risk that an attacker who is doing an exhaustive key
search could use knowledge of the rotation bits to rule out most trial keys
with just a hash computation. But even if they could completely test all MIC
key candidates with just the hash, that would require 2**63 SHA1 trials to
recover the MIC key on average. That is a reasonable level of security
compared to WPA, and with 10 rotation bits we are very far from even that
situation. Another cheap variant would be to derive the rotation constants
from the hash of the last two MIC keys. This eliminates even this minute
risk.

> Additional integrity checks would require extra cycles, which we could also
> have spent on a more secure Michael version.

I wasn't suggesting they be done by 802.11, but by higher layers.

With greetings from Las Vegas,

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
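Added example (not code from this thread, from Ferguson's Michael paper, or from the 802.11 standard): a Python implementation of the Michael MIC that the two messages argue about, checked against the published test vectors, followed by the key-dependent output rotation Reinhold proposes. The rotation counts here are derived from SHA-1 of the MIC key, two 5-bit amounts (10 rotation bits, as in the mail); that derivation, and the names `scrambled_michael`, `unscramble` and `rotation_amounts`, are assumptions made for illustration, not anything standardized.

```python
"""Michael MIC as used in TKIP/WPA, plus the key-dependent output rotation
proposed in the mail above.

Added example: this is not code from the thread or from the 802.11 standard.
The Michael core follows the published algorithm (64-bit key as two
little-endian 32-bit words L and R, 0x5a-plus-zeros padding, four-step block
function). `scrambled_michael` is a hypothetical illustration of Reinhold's
idea: each 32-bit output word is rotated by a 5-bit count derived from SHA-1
of the MIC key (10 rotation bits in total). That derivation is an assumption.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rol32(x, n):
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x, n):
    """Rotate a 32-bit word right by n bits."""
    return rol32(x, (32 - n) % 32)


def xswap(x):
    """Swap the two bytes inside each 16-bit half: 0xAABBCCDD -> 0xBBAADDCC."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_block(l, r):
    """Michael's block function b(L, R): rotations, a byte swap and additions only."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rol32(l, 3)
    l = (l + r) & MASK32
    r ^= ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_pad(msg):
    """Append 0x5a and then 4 to 7 zero bytes so the length is a multiple of 4."""
    padded = msg + b"\x5a" + b"\x00" * 4
    return padded + b"\x00" * (-len(padded) % 4)


def michael(key, msg):
    """Standard Michael: 8-byte key, arbitrary message -> 8-byte tag."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    l, r = struct.unpack("<II", key)
    for (word,) in struct.iter_unpack("<I", michael_pad(msg)):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def rotation_amounts(key):
    """Two 5-bit rotation counts from SHA-1(key). Assumed derivation, for illustration."""
    digest = hashlib.sha1(key).digest()
    return digest[0] & 0x1F, digest[1] & 0x1F


def scrambled_michael(key, msg):
    """Michael followed by a key-dependent rotation of each output word."""
    l, r = struct.unpack("<II", michael(key, msg))
    nl, nr = rotation_amounts(key)
    return struct.pack("<II", rol32(l, nl), rol32(r, nr))


def unscramble(key, tag):
    """Invert the rotation. For a fixed key it is a bijection on tags, so any
    message change that leaves the plain Michael tag unchanged also leaves the
    scrambled tag unchanged; only attacks that rely on knowing which MIC bit
    sits where are disturbed."""
    l, r = struct.unpack("<II", tag)
    nl, nr = rotation_amounts(key)
    return struct.pack("<II", ror32(l, nl), ror32(r, nr))


if __name__ == "__main__":
    # Published Michael test vectors: zero key on the empty message, then that
    # tag used as the key for the one-byte message "M".
    print(michael(bytes(8), b"").hex())                             # 82925c1ca1d130b8
    print(michael(bytes.fromhex("82925c1ca1d130b8"), b"M").hex())  # 434721ca40639b3f
    k = bytes.fromhex("82925c1ca1d130b8")
    print(scrambled_michael(k, b"M").hex(), rotation_amounts(k))
```

`unscramble` makes the point both correspondents are circling concrete: the scramble is a keyed bijection applied after Michael, so a differential that leaves the Michael output unchanged passes through it untouched, while an attacker who flips specific tag bits no longer knows which bits of the underlying Michael value they are touching.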