Re: DOS attack on WPA 802.11?
At 13:53 29/11/02 -0500, Arnold G. Reinhold wrote:

But there _isn't_ enough processing power to run a super-Michael. If there were, I'd have designed Michael to be stronger.

I'm not sure that is true for all existing 802.11b hardware. And vendors of new 802.11b hardware could certainly elect to support the stronger variant of WPA.

No, but a new standard has to work on _all_ (or almost all) existing hardware. Backward compatibility is of primary importance for acceptance of the new standard. If it isn't backwards compatible it won't be used, which is much worse.

There will be a stronger variant of WPA: The TGi AES-based protocol. It just isn't finished yet.

Cheers!

Niels

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: DOS attack on WPA 802.11?
At 00:55 14/11/02 -0800, Bill Stewart wrote:

At 12:03 PM 11/11/2002 -0500, Arnold G. Reinhold wrote:

One of the tenets of cryptography is that new security systems deserve to be beaten on mercilessly without deference to their creator.

In particular, I'd be interested in finding out if the new stuff has been beaten up by Ian, Nikita, and the other people who did the earlier shreddings of the WEP system - while it certainly needs broader attention than that, it at least needs to get by some of the usual suspects rather than just approval by the same sort of standards people who let the first one out the door. That doesn't mean that it's a solid guarantee, but all this talk of 20-bit MIC codes doesn't strike me as something that could pass the Ian's Lunch Break test, much less the kind of attention that AES got.

I would contend that I am not the same sort of standards people that let WEP out the door. Have a look at my website and list of publications (http://niels.ferguson.net/). I've been designing cryptographic systems since 1990.

That doesn't mean that I don't make mistakes. I make many of them. Michael is very much an on-the-edge design, due to the harsh requirements. It is quite possible that someone will find a better attack against Michael, but unless I really goofed it will take Ian more than a single lunch break.

Cheers!

Niels

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E

Re: DOS attack on WPA 802.11?
TGi is doing. There are two levels of strength, the quick-fix for existing hardware which uses Michael, and a new security protocol that uses AES as the cryptographic basis. The AES-based work isn't finished yet, I gather. I agree that all new hardware should use the AES-based security system, but it has to be finalised before people can implement it.

The two extremes in designing a software system are having a bunch of security options, initially turned off, that the user is supposed to select correctly and having no options at all on the assumption that all the tradeoffs were figured out correctly. In my opinion, both extremes are unwise.

I've worked in cryptographic security for over a decade now, and I've yet to see a security option that helped make the systems more secure. Security is only as good as the weakest link. Any option that creates a weak link creates a security hole. If you have even a single hole, you might as well not bother with the cryptography at all. If I had things my way there wouldn't even be the option of switching the cryptography protocol off.

Anyway, we seem to be mostly going around in circles, and this is quickly losing its interest for me. I think I've given all the relevant arguments from my side. We had exactly the same discussions within TGi, and after much discussion TGi chose what it considered to be the best route. I don't think this is the forum to re-do TGi's work.

Cheers!

Niels

P.S. I'm not on this mailing list, so I can only respond to email that is sent directly to me.

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E

Re: DOS attack on WPA 802.11?
-lame excuse for your transmissions, but that could be as simple as doing your own experiments on microwave communication protocols.

(Note: I'm not an expert on these things, but this is what I've picked up so far.)

Active attacks, such as the Michael countermeasure DOS attack or packet canceling, would seem to come under the anti-hacking law 18 USC 1030a5A: knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer (5 years). The recent anti-terrorism law broadened the definition of damage.

That's not how I read it. The DOS attacks do not _cause_ the transmission of a program or command. They _prevent_ it. And it isn't clear that stopping a computer from doing its work causes damage to the computer.

Anyway, I believe this gets well outside the scope of Michael and should be left to the lawyers.

Cheers!

Niels

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E

Re: Cryptogram: Palladium Only for DRM
At 16:00 17/09/02 +1200, Peter Gutmann wrote:

But I am not suggesting to do it purely in software. Read the Intel manuals for their CPUs. There are loads of CPU features for process separation, securing the operating system, etc. The hardware is all there!

There was a rather nice paper at Usenix Security 2000 on this [pause] available from http://www.usenix.org/publications/library/proceedings/sec2000/robin.html

Thanks, Peter, for a nice reference.

That paper points out that the Pentium doesn't make it easy to create a virtual machine that is perfectly transparent, i.e. that the OS inside the VM cannot detect the VM at all. I don't think that is the current concern, as the OS and secure kernel are being developed by the same company. I'm sure the secure kernel is significantly easier to develop if you can make some small changes to the OS code, but even without this VMware shows that it can be done without any help of the OS.

Niels

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E