Re: DOS attack on WPA 802.11?

2002-12-24 Thread Donald Eastlake 3rd
On Fri, 13 Dec 2002, Arnold G. Reinhold wrote:

 Date: Fri, 13 Dec 2002 15:52:01 -0500
 From: Arnold G. Reinhold [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: David Wagner [EMAIL PROTECTED],
  Donald Eastlake 3rd [EMAIL PROTECTED],
  William Arbaugh [EMAIL PROTECTED]
 Subject: Re: DOS attack on WPA 802.11?
 
 ...
 
 The differential attack on Michael, which prompted the addition of 
 the DoS-enabling time-out, involves sending half a billion forged 
 packets for every one packet that gets through.  Why isn't that 
 considered [by the 802.11i Task Group] a minor and even 
 currently-impractical-to-exploit weakness?

You can answer this question just as easily as I can. All you have to do 
is read the mind of all the voting members of 802.11.

 ...
 
 There are 15 million or more 802.11b units out there. The rate at 
 which people are replacing computer hardware has dropped 
 substantially.  It will be a long time before system administrators 
 can simply stop supporting them.  And system administrators are busy 
 folk. Once they install WPA, they will be in no rush to upgrade it.

All predictions I've seen show exponential growth in 802.11 equipment
through 2007. There is tremendous growth in new 802.11 installations and
upgrades to existing implementations. There are corporations that really
care about security and are today forcing everyone using their corporate
net to get wireless cards (and use them even for PCs with built in
wireless) that use proprietary stuff now and are guaranteed upgradable
to the 802.11I standard when it comes out.

 ...
 
 Why wait a few years when it can be fixed now? 802.11a is a new 
 system. Why introduce a weak MIC on 802.11a when it is completely 
 unnecessary? Replacing Michael with an accepted cryptographic 
 algorithm on 802.11a is a zero risk solution. As for 802.11b, I am 
 simply proposing that the time-out be configurable.  How big a deal 
 is that?

802.11a hardware has been shipping for some time. No one has to build
802.11a systems supporting TKIP if they don't want to. But it would have
been silly to try to somehow restrict TKIP to 802.11b given what a
massive improvement it is over WEP, even though it is not as strong as
CCMP. For 802.11i to spend cycles on a TKIPa for 802.11a would just slow
down getting CCMP out.

 Exactly. The WPA time-out creates a DoS opportunity that is very 
 attacker friendly, only two packets per minute are needed to bring a 
 network down. Triangulating on such an attacker is very difficult.

OK, if you think it is so trivial, please outline the exact steps needed 
to execute this Denial of Service attack. I don't think you begin to 
understand how hard it would be.

 802.11 is exploding in popularity and is being used for applications 
 of increasing economic importance.  Network availability is as much a 
 part of security as authentication.  The military systems that 802.11 
 derives from were designed to operate in hostile environments.  There 
 is technology that could be transferred to the commercial world.

Network availability goes to zero with many cordless phone systems or 
any microwave oven operating at the right frequency range if you remove 
the shielding from the microwave (it is not recommended that you be too 
close to the microwave when it is operating in that mode unless you 
cause its output to be directed away from you).

 Has the IEEE committee discussed its decision to ignore DoS with 
 other WiFi constituencies? Have those constituencies agreed that DoS 
 is not something to worry about? Has this been disclosed to the 
 public? The WiFi home page http://www.wi-fi.org has a tab on security 
 with a long discussion touting WPA. I saw nothing mentioned about 
 DoS, not even the FCC Part 15.19 notice.

The WiFi Alliance is a marketing and interoperability organization, not 
a standards or technical organization.

The IEEE process is documented at exhaustive length in IEEE documents and
has been followed. Any person interested can participate. Anyone can
propose to 802.11 that a liaison be set up with any other organization.
At this time, over 2/3rds of all IEEE 802 members are in 802.11 making
it the most widely representative of all 802 working groups with
attendance commonly over 300 persons.

Your idea that the public, whatever you mean by that, should be
consulted is pretty hilarious. The idea that the average man on the 
street is a great source of wisdom for secure communications protocol 
design is not widely held.

Perhaps they would support you. Enough scare stories in the press
exaggerating the significance of denial of service due to TKIP
countermeasures could easily stampede the public.

 ...
 
 I don't know how long it would take for a network to recover from a 
 bogus disassociate message, but I presume well less than a minute. It 
 is also not clear to me why future standards could not include 
 protection against a disassociate attack.

All this has been debated many times in 802.11i
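
The time-out this thread argues over, as Reinhold's 2002-11-13 message further down describes it (a one-minute shut-down after two forgery attempts within one second), modelled on the receiving side to compare the availability cost with the forgery delay for different time-out values. This is an added example, not code from any poster or from the 802.11i draft; the class and function names are hypothetical, the bad-MIC event stream is constructed, and the forgery estimate uses the thread's 2**20 figure.

```python
from dataclasses import dataclass, field


@dataclass
class MicCountermeasure:
    """Receiver-side model of the time-out as the thread describes it."""
    threshold: int = 2          # forgery attempts that trigger the shut-down
    window_ms: int = 1_000      # "within one second"
    timeout_ms: int = 60_000    # one minute; the value Reinhold wants configurable
    recent: list = field(default_factory=list)    # failure times inside the window
    outages: list = field(default_factory=list)   # (start_ms, end_ms) pairs
    log: list = field(default_factory=list)       # every failure seen while up

    def is_down(self, t_ms):
        return bool(self.outages) and t_ms < self.outages[-1][1]

    def mic_failure(self, t_ms, frame_id):
        """Feed one frame that failed the MIC check; True if it trips the time-out."""
        if self.is_down(t_ms):
            return False                  # nothing is processed during an outage
        self.log.append((t_ms, frame_id))  # the verbatim logging Reinhold asks for
        self.recent = [t for t in self.recent if t_ms - t <= self.window_ms]
        self.recent.append(t_ms)
        if len(self.recent) < self.threshold:
            return False
        self.outages.append((t_ms, t_ms + self.timeout_ms))
        self.recent.clear()
        return True


def replay(events, **settings):
    """Run a time-ordered list of (t_ms, frame_id) MIC failures through the model."""
    cm = MicCountermeasure(**settings)
    for t_ms, frame_id in events:
        cm.mic_failure(t_ms, frame_id)
    return cm


def availability(cm, horizon_ms):
    """Fraction of the observation period during which the network was up."""
    down = sum(min(end, horizon_ms) - start
               for start, end in cm.outages if start < horizon_ms)
    return 1 - down / horizon_ms


def forgery_days(tries, cm):
    """Approximate days needed for `tries` forgery attempts when each time-out
    period admits only `threshold` of them (the sub-second window is ignored)."""
    return tries / cm.threshold * cm.timeout_ms / 1000 / 86_400


# Constructed sample: two bad-MIC frames 100 ms apart, once every 60.2 s, for
# one hour. This is the "two packets per minute" rate quoted in the thread.
HOUR_MS = 3_600_000
EVENTS = [(k * 60_200 + offset, f"bad-{k}-{i}")
          for k in range(60) for i, offset in enumerate((0, 100))]


def tradeoff(timeouts_ms, tries=2**20):
    """(time-out in s, availability under EVENTS, days to reach `tries` attempts)."""
    rows = []
    for timeout in timeouts_ms:
        cm = replay(EVENTS, timeout_ms=timeout)
        rows.append((timeout // 1000,
                     round(availability(cm, HOUR_MS), 4),
                     round(forgery_days(tries, cm), 1)))
    return rows


if __name__ == "__main__":
    for seconds, up, days in tradeoff([60_000, 10_000, 1_000]):
        print(f"time-out {seconds:>2} s: up {up:.2%} of the hour, "
              f"2**20 attempts take about {days} days")
```
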

Re: DOS attack on WPA 802.11?

2002-12-08 Thread Arnold G. Reinhold
At 10:48 PM -0500 11/29/02, Donald Eastlake 3rd wrote:

Arnold,

If you want to play with this as an intellectual exercise, be my guest. 
But the probability of changing the underlying IEEE 802.11i draft
standard, which would take a 3/4 majority of the voting members of IEEE
802.11, or of making the WiFi Alliance WPA profiling and subsetting of
802.11i incompatible with the standard, is close to zero.



Cryptographic standards should be judged on their merits, not on the 
bureaucratic difficulties in changing them. Specs have been amended 
before. Even NSA was willing to revise its original secure hash 
standard. That's why we have SHA1.  If I am right and WPA needlessly 
introduces a significant denial of service vulnerability, then it 
should be fixed. If I am wrong, no change is needed of course.

Check out the President's message for September 202 at the 
Association of Old Crows web site (Serving the Electronic Warfare 
and Information Operations Community): http://www.aochq.org/news.htm


Arnold Reinhold

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: DOS attack on WPA 802.11?

2002-12-08 Thread Donald Eastlake 3rd
I'm not saying there might not be a level of error or weakness that
would cause an emergency reset of the standards process. I'm saying that
this diddle-shit minor DoS attack isn't such an error or weakness. It
was fully known about by the 802.11 working group, repeatedly debated at
great length, and discounted as being insignificant. Therefore, an
improvement which merely eliminated it has only a vanishingly small
probability of upsetting the apple-cart.

In the academic world, certainly any minor and even
currently-impractical-to-exploit weakness is of great interest. In the
real world, products have substantial lead times and at some point you
have to stop investigating minor improvements and start cranking out
code/chips/whatever.

Go ahead and design whatever wonderful improvements in TKIP you want.
Perhaps you can publish a paper or two. But unless you find something a
lot bigger wrong with it, I predict the standard will not be changed,
particularly given that TKIP is temporary and within a few years the
deployed hardware population will be swamped with newer hardware
supporting CCMP mode.

Donald

 On Thu, 5 Dec 2002, Arnold G. Reinhold wrote:

 Date: Thu, 5 Dec 2002 12:40:18 -0500
 From: Arnold G. Reinhold [EMAIL PROTECTED]
 To: Donald Eastlake 3rd [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: DOS attack on WPA 802.11?
 
 At 10:48 PM -0500 11/29/02, Donald Eastlake 3rd wrote:
 Arnold,
 
 If you want to play with this as an intellectual exercise, be my guest. 
 But the probability of changing the underlying IEEE 802.11i draft
 standard, which would take a 3/4 majority of the voting members of IEEE
 802.11, or of making the WiFi Alliance WPA profiling and subsetting of
 802.11i incompatible with the standard, is close to zero.
 
 Cryptographic standards should be judged on their merits, not on the 
 bureaucratic difficulties in changing them. Specs have been amended 
 before. Even NSA was willing to revise its original secure hash 
 standard. That's why we have SHA1.  If I am right and WPA needlessly 
 introduces a significant denial of service vulnerability, then it 
 should be fixed. If I am wrong, no change is needed of course.
 
 Check out the President's message for September 202 at the 
 Association of Old Crows web site (Serving the Electronic Warfare 
 and Information Operations Community): http://www.aochq.org/news.htm
 
 Arnold Reinhold
==
 Donald E. Eastlake 3rd   [EMAIL PROTECTED]
 155 Beaver Street  +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA   [EMAIL PROTECTED]





Re: DOS attack on WPA 802.11?

2002-12-08 Thread David Wagner
Arnold G. Reinhold wrote:
If I am right and WPA needlessly 
introduces a significant denial of service vulnerability, then it 
should be fixed. If I am wrong, no change is needed of course.

But TKIP (the part of WPA you're talking about) is only a
temporary measure, and will soon be replaced by AES-CCMP.

The question is not Should we replace TKIP?, because the
answer to that is obvious: Yes, we should, and we will.
The question is: Why bother working on a `fix' to WPA that
will likely never be deployed and that will be obsoleted
in a few years by the spread of AES-CCMP?.




Re: DOS attack on WPA 802.11?

2002-12-08 Thread Derek Atkins

The answer is multi-fold.

1) The 802.11i standard won't be finished for a while.

2) There is an apparent Market Requirement for something better than
   WEP __NOW__.

3) The WPA can only change their requirements once per year, so even
   if 802.11i were ready in 3 months, it would still take another year
   until it hit the WPA conformance requirements.  But they wanted to
   make some changes _now_ in order to get better security into next
   year's product line.

In other words, the answer is due to layers 8 and 9, and nothing
technical

-derek

[EMAIL PROTECTED] (David Wagner) writes:

 Arnold G. Reinhold wrote:
 If I am right and WPA needlessly 
 introduces a significant denial of service vulnerability, then it 
 should be fixed. If I am wrong, no change is needed of course.
 
 But TKIP (the part of WPA you're talking about) is only a
 temporary measure, and will soon be replaced by AES-CCMP.
 
 The question is not Should we replace TKIP?, because the
 answer to that is obvious: Yes, we should, and we will.
 The question is: Why bother working on a `fix' to WPA that
 will likely never be deployed and that will be obsoleted
 in a few years by the spread of AES-CCMP?.
 

-- 
   Derek Atkins
   Computer and Internet Security Consultant
   [EMAIL PROTECTED] www.ihtfp.com




Re: DOS attack on WPA 802.11?

2002-12-08 Thread James A. Donald
--
Arnold G. Reinhold
 Cryptographic standards should be judged on their merits, not
 on the bureaucratic difficulties in changing them. Specs have
 been amended before. Even NSA was willing to revise its
 original secure hash standard. That's why we have SHA1.  If I
 am right and WPA needlessly introduces a significant denial
 of service vulnerability, then it should be fixed.

I do not think the DOS is significant, since one can do the
same thing with a spark emitter.  The person doing the DOS has
to bring his equipment up to the target, which makes attacker
vulnerable to BBRS (Baseball bat restoration of service)

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 z9usqTFDdak6fIXLvMz4FRjtDX9LwX0psRJRmfeP
 4JZ85epzXMA2AbDtWU3mqFXAi8Pu30SKDhyrx2bRN





Re: DOS attack on WPA 802.11?

2002-11-29 Thread Arnold G. Reinhold
At 4:57 AM +0100 11/19/02, Niels Ferguson wrote:

At 21:58 18/11/02 -0500, Arnold G Reinhold wrote:

...




Third, a stronger variant of WPA designed for 11a could also run on
11b hardware if  there is enough processing power, so modularization is
not broken.


But there _isn't_ enough processing power to run a super-Michael. If there
were, I'd have designed Michael to be stronger.


I'm not sure that is true for all existing 802.11b hardware. And 
vendors of new 802.11b hardware could certainly elect to support the 
stronger variant of WPA.


Maybe you are suggesting is to add yet another cryptographic function; the
current Michael for existing hardware and a super-Michael for newer 802.11a
hardware. Developing super-Michael would cost a couple of months and a lot
of money. I would consider that a waste of effort that should have been
spent on the AES-based security protocols. That is where we are going, and
we need to get there ASAP. It is perfectly possible to design 802.11a
hardware today that will be able to implement the future AES-based security
protocols. That is what software updates are for.


That is what I am suggesting. If a stronger version of Michael is too 
expensive to develop, there is still the option of using a standard 
message authentication function, say an HMAC based on MD5 or an AES 
solution. I spoke to several 802.11a/g chip-set vendors at Comdex and 
they seem to be allowing extra processing power to support 11i. 
Intersil said they were using 20% of available MIPS.

...

[regarding my suggestion to rotate the Michael output words in a key 
dependent way:]



[...]


Those are standard design questions. I looked at better mixing at the end
of the Michael function and decided against it. It would slow things down
and the attack that changes the last message word and the MIC value had
much the same security bound as the differential attack that does not
change the MIC value. There is no point in strengthening one link of the
chain if there is another weak link as well. Of course, this isn't how I
normally design cryptographic functions, but Michael is a severely
performance-limited design.

[...]


I have responses to your concerns about using SHA and the issue of 
re-keying, but you point out:

It would be easier just to ask
for 128 key bits from the key management system. It has a PRF and should be
able to do it.


That would be fine. You only need ten additional keying bits for 
arbitrary rotation of the two output words. Maybe an additional bit 
to optionally swap the words. This only adds a few instructions per 
packet.




Re: DOS attack on WPA 802.11?

2002-11-29 Thread Niels Ferguson
At 13:53 29/11/02 -0500, Arnold G. Reinhold wrote:
But there _isn't_ enough processing power to run a super-Michael. If there
were, I'd have designed Michael to be stronger.

I'm not sure that is true for all existing 802.11b hardware. And 
vendors of new 802.11b hardware could certainly elect to support the 
stronger variant of WPA.

No, but a new standard has to work on _all_ (or almost all) existing
hardware. Backward compatibility is of primary importance for acceptance of
the new standard. If it isn't backwards compatible it won't be used, which
is much worse.

There will be a stronger variant of WPA: The TGi AES-based protocol. It
just isn't finished yet.


Cheers!

Niels
==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9  72E7 E545 C1E0 5D7E




Re: DOS attack on WPA 802.11?

2002-11-29 Thread Donald Eastlake 3rd
Arnold,

If you want to play with this as an intellectual exercise, be my guest.  
But the probability of changing the underlying IEEE 802.11i draft
standard, which would take a 3/4 majority of the voting members of IEEE
802.11, or of making the WiFi Alliance WPA profiling and subsetting of
802.11i incompatible with the standard, is close to zero.

Fri, 29 Nov 2002, Arnold G. Reinhold wrote:

 Date: Fri, 29 Nov 2002 13:53:41 -0500
 From: Arnold G. Reinhold [EMAIL PROTECTED]
 To: Niels Ferguson [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: DOS attack on WPA 802.11?
 
 At 4:57 AM +0100 11/19/02, Niels Ferguson wrote:
 At 21:58 18/11/02 -0500, Arnold G Reinhold wrote:
 ...
 
 
 Third, a stronger variant of WPA designed for 11a could also run on
 11b hardware if  there is enough processing power, so modularization is
 not broken.
 
 But there _isn't_ enough processing power to run a super-Michael. If there
 were, I'd have designed Michael to be stronger.
 
 I'm not sure that is true for all existing 802.11b hardware. And 
 vendors of new 802.11b hardware could certainly elect to support the 
 stronger variant of WPA.

Of course it is not true for all existing hardware. TKIP needed to run on 
more or less the feeblest legacy 802.11b hardware. Vendors of new 
hardware are interested in supporting the stronger mandatory parts of 
802.11i (which will be known as WPA v2). The only reason I can think of 
that a vendor might want to support something incompatible is to lock in 
customers, probably because they had at least a patent pending on it.

 Maybe you are suggesting is to add yet another cryptographic function; the
 current Michael for existing hardware and a super-Michael for newer 802.11a
 hardware. Developing super-Michael would cost a couple of months and a lot
 of money. I would consider that a waste of effort that should have been
 spent on the AES-based security protocols. That is where we are going, and
 we need to get there ASAP. It is perfectly possible to design 802.11a
 hardware today that will be able to implement the future AES-based security
 protocols. That is what software updates are for.
 
 ...

Donald
==
 Donald E. Eastlake 3rd   [EMAIL PROTECTED]
 155 Beaver Street  +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA   [EMAIL PROTECTED]





Re: DOS attack on WPA 802.11?

2002-11-19 Thread Niels Ferguson
At 00:55 14/11/02 -0800, Bill Stewart wrote:
At 12:03 PM 11/11/2002 -0500, Arnold G. Reinhold wrote:
One of the tenets of cryptography is that new security systems
deserve to be beaten on mercilessly without deference to their creator.

In particular, I'd be interested in finding out if the new stuff
has been beaten up by Ian, Nikita, and the other people who
did the earlier shreddings of the WEP system -
while it certainly needs broader attention than that,
it at least needs to get by some of the usual suspects
rather than just approval by the same sort of standards people
who let the first one out the door.

That doesn't mean that it's a solid guarantee,
but all this talk of 20-bit MIC codes doesn't strike me as something
that could pass the Ian's Lunch Break test, much less the
kind of attention that AES got.

I would contend that I am not the same sort of standards people that let
WEP out the door. Have a look at my website and list of publications
(http://niels.ferguson.net/). I've been designing cryptographic systems
since 1990. 

That doesn't mean that I don't make mistakes. I make many of them. Michael
is very much an on-the-edge design, due to the harsh requirements. It is
quite possible that someone will find a better attack against Michael, but
unless I really goofed it will take Ian more than a single lunch break. 

Cheers!

Niels


==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9  72E7 E545 C1E0 5D7E




Re: DOS attack on WPA 802.11?

2002-11-19 Thread Arnold G Reinhold

[please ignore previous message, sent by mistake -- agr]
On Sat, 16 Nov 2002, Niels Ferguson wrote:

 At 18:15 15/11/02 -0500, Arnold G Reinhold wrote:
 I agree that we have covered most of the issues. One area where you have
 not responded is the use of WPA in 802.11a. I see no justification for
 introducing a crippled authentication there.

 From the point of the standard there is little difference between 802.11,
 802.11a, and 802.11b. The differences are purely in the PHY layer. That is,
 the exact radio modulations are different, but the whole MAC layer is
 identical. It would break modularisation to link a MAC layer feature to a
 PHY layer feature.

 The other reason is that 802.11a hardware is already being shipped, and the
 AES-based cryptographic protocol has not been finalised.


Modularization is a poor excuse for shipping a cryptographically weak
product. Second in this case the PHY layer does affect a MAC layer
feature. 802.11a is much faster than 11b. That makes Michael
even more vulnerable to attack.  If Michael is subject to one forged
packet per year on 11b, it is vulnerable to one every 10 weeks or so in
11a. Third, a stronger variant of WPA designed for 11a could also run on
11b hardware if  there is enough processing power, so modularization is
not broken.

As for shipped hardware, does anyone know that it could not run with a
stronger version of Michael? And a few shipped units is far less
justification than the 10's of millions of 802.11b units out there.


 Also here is one more idea for possibly improving Michael.
 
 Scramble the output of Michael in a way that depends on the MIC key, K.
 This could be as simple as rotating each output word a number of bits
 derived from K. Or you could generate an 8 by 8 permutation from K and
 apply it to the bytes in the Michael output. You might even be able to use
 the small cipher that is used to generate the individual packet encryption
 keys in WPA.
 
 This would break up an attack that depends on messing with the bits of the
 MIC in the message. It does nothing for attacks on parts of the message
 body. Any additional integrity check on the message would catch that,
 however.

 This would provide at most a very marginal security improvement. A
 differential attack can leave the final MIC value unchanged, and adding an
 extra encryption would not help. See the Michael security analysis for
 details.


A marginal improvement on a marginal algorithm can be worthwhile. It does
break up one attack mode at negligible cost. It might prevent other
attacks that have not been envisioned.

 Rotating the output in a key-dependent way is dangerous. You expose the
 rotation constants to discovery using a differential attack.

If the rotation constants are derived from the MIC key using a strong hash
(e.g. SHA1) there is little risk of recovering key bits. Since this only
needs to be done when the MIC key changes, the computation time should be
affordable.

There is a risk that an attacker who is doing an exhaustive key search
could use knowledge of the rotation bits to rule out most trial keys with
just a hash computation. But even if they could completely test all MIC
key candidates with just the hash, that would require 2**63 SHA1 trials to
recover the MIC key on average. That is a reasonable level of security
compared to WPA, and with 10 rotation bits we are very far from even that
situation.

Another cheap variant would be to derive the rotation constants from the
hash of the last two MIC keys. This eliminates even this minute risk.

 
 Additional integrity checks would require extra cycles, which we could also
 have spent on a more secure Michael version.


I wasn't suggesting they be done by 802.11, but by  higher layers.

With greetings from Las Vegas,

Arnold Reinhold
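
Reinhold's proposal in the message above (and in his 2002-11-29 message earlier on this page) to rotate the two Michael output words by amounts derived from the MIC key through SHA-1, written out as an added example that is not code from any poster or from the 802.11i draft. The Michael function follows the published TKIP description and is applied here to a bare byte string; the way the ten rotation bits and the swap bit are taken from the SHA-1 digest, and all function names, are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    """Rotate a 32-bit word right by n bits."""
    return rol(x, 32 - n)


def xswap(x):
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael(key, msg):
    """Michael: 64-bit key, 64-bit tag, message taken as little-endian words."""
    l, r = struct.unpack("<II", key)
    # Padding: 0x5a, then 4 to 7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (m,) in struct.iter_unpack("<I", padded):
        l ^= m
        r ^= rol(l, 17)
        l = (l + r) & MASK
        r ^= xswap(l)
        l = (l + r) & MASK
        r ^= rol(l, 3)
        l = (l + r) & MASK
        r ^= ror(l, 2)
        l = (l + r) & MASK
    return struct.pack("<II", l, r)


def rotation_params(mic_key):
    """Five rotation bits per output word plus one swap bit, from SHA-1 of the
    MIC key. Computed once per MIC key. The bit layout is an assumption."""
    bits = int.from_bytes(hashlib.sha1(mic_key).digest()[:2], "big")
    return bits & 31, (bits >> 5) & 31, (bits >> 10) & 1


def scramble(mic, params):
    """Apply the key-dependent rotation (and optional word swap) to a tag."""
    rot_l, rot_r, swap = params
    l, r = struct.unpack("<II", mic)
    l, r = rol(l, rot_l), rol(r, rot_r)
    if swap:
        l, r = r, l
    return struct.pack("<II", l, r)


def unscramble(mic, params):
    """Inverse of scramble(), showing that the step is a keyed bijection."""
    rot_l, rot_r, swap = params
    l, r = struct.unpack("<II", mic)
    if swap:
        l, r = r, l
    return struct.pack("<II", ror(l, rot_l), ror(r, rot_r))


def tag(mic_key, msg):
    # Ferguson's objection in the thread still holds for this construction: a
    # message difference that leaves the Michael value unchanged leaves the
    # scrambled value unchanged too, because the scramble depends only on the key.
    return scramble(michael(mic_key, msg), rotation_params(mic_key))


def verify(mic_key, msg, received_tag):
    return hmac.compare_digest(tag(mic_key, msg), received_tag)


if __name__ == "__main__":
    key = bytes.fromhex("0011223344556677")      # constructed key
    body = b"constructed frame body"             # constructed message
    print("michael  :", michael(key, body).hex())
    print("params   :", rotation_params(key))
    print("scrambled:", tag(key, body).hex())
```
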






Re: DOS attack on WPA 802.11?

2002-11-13 Thread Arnold G. Reinhold
At 11:40 PM +0100 11/11/02, Niels Ferguson wrote:

At 12:03 11/11/02 -0500, Arnold G. Reinhold wrote:
[...]

One of the tenets
of cryptography is that new security systems deserve to be beaten on
mercilessly without deference to their creator.


I quite agree.


I hope you won't mind another round then.


2. Refresh the Michael key frequently. This proposal rests on WPA's
[...]

This has no effect on the best attack we have so far. The attack is a
differential attack, and changing the key doesn't change the probabilities.


Tell me if I understand this attack correctly. Bob intercepts a 
packet he knows contains a certain message, even though it is WPA 
encrypted, say Transfer one hundred dollars from Alice's account to 
Bob's account. Have a nice day.  (Maybe he knows what time it was 
sent, or the length, whatever.) Because WPA uses a stream cipher, Bob 
can create a message that will decrypt with the same key to Transfer 
one million dollars from Alice's account to Bob's account. Have a 
nice day.  This was one of the problems with WEP.

WPA is designed to prevent this kind of forgery by adding a 64-bit 
MIC. Even so, I could send lots of packets containing the million 
dollars message but with random stuff in the MIC field (or in the 
Have a nice day part that Bob knows nobody reads) and if I do this 
enough times I will accidentally create a packet with a valid MIC.  If 
MIC were really strong, this would take about 2**64 tries, a big 
enough number not to worry about.  But because Michael is puny, you 
were able to find some clever tricks for picking the randomizing data 
so that only about 2**29 (aka half a billion) tries are needed. 
Furthermore, you are worried that there might be a way that requires 
only 2**20 (about a million) tries.  And because we are trying MIC 
codes at random, the MIC key in use at the moment doesn't matter. 
Eventually Bob gets lucky and the packet goes through.

The logic behind your countermeasure is that forgery attempts are 
very easy to detect and by shutting down for a minute after 2 forgery 
attempts within one second, Bob needs an average of half a million 
minutes to get his packet through, or about one year. And that's an 
acceptable risk.

If I got this right, here are a couple of observations. Assume for a 
moment WPA as is, but with your time out countermeasure turned off.

1. Bob only gets that one packet through.  If he wants another packet 
he has to start all over with another million or more attempts. So 
that packet had better be worth the effort.

2. This forgery only affects the 802.11 layer. If the Transfer one 
million dollars message has an electronic signature or another layer 
of protection, this attack does nothing to defeat that.

3. The network will get and detect hundreds of thousands of copies of 
the forged message before a valid one gets through. If Bob is 
tampering with the MIC code, they will all be identical. If Bob is 
munging an unimportant section of the message, they will still be 
highly correlated. So we will have hours, maybe days of warning that 
someone is attacking our system and exactly what Bob is trying to do. 
Even if we were asleep and he succeeds, we would know about the 
attack and what message he was trying to send.

4. Bob has to do a lot of transmitting and we will have hours or days 
of warning to track him down with direction finding equipment.


This is not a very attractive attack from Bob's point of view.  He 
must find a single packet so valuable it is worth all risk and time 
involved in mounting this attack. He telegraphs his scheme well in 
advance of its success. He risks being caught in the act and he 
leaves a trail of evidence that can be used to catch him, say when he 
cleans out that bank account. It sounds like a Woody Allen movie 
scenario. (What does this note mean 'I have a bun'? It says 'gun' 
Hey Charlie does this look like a 'b' or a 'g' to you?)

Furthermore, if I got this right, a filter could be turned on that 
simply blocked the packet Bob is attempting to send when it finally 
gets a valid MIC. For extra credit, you could do the following: 
automatically detect forgery attempts and devise a filter for them 
(say, look for the constant region of the forgeries). When a valid 
packet comes through that matches the filter, reject it and force a 
key change.  The transport layer will request a retry. If, by chance, 
the packet was legit, the station that sent it can send it again and 
the Internet goes on. Bob on the other hand, needs another million 
tries, after which the same thing will happen.

Any security hole is a matter for concern, but if my understanding is 
correct, I am more convinced that a valid alternative to your time 
out countermeasure is for WPA to tell us we are under attack and let 
us log the forgery attempts verbatim, which I suggested in my first 
message.


Regardless of whether my understanding of the differential attack is 
correct, I think the nub of our disagreement 

Re: DOS attack on WPA 802.11?

2002-11-13 Thread Niels Ferguson

We've gone through all the main arguments here, and I think it is clear we
don't agree. I started writing a detailed reply to your last message, but
most of it was just arguing that we need authentication on 802.11 packets.
TGi had a limited brief: improve the security for 802.11, and that includes
providing authentication. 

Many of your arguments depend on properties of other parts of the system. A
few forged packets won't cause too much danger. We can DF the transmitter,
and then do something about it. We can catch Bob when he collects the
money. We can detect the attack and let the humans respond to it. We can
implement alternative countermeasures in the form of a filter. 

You can't assume that any of these are true. We can't tell our customers
something like: Here is the security upgrade for your existing hardware,
but you need to buy DF equipment, staff your wireless network security
office 24*7, re-design all your applications such that a few forged packets
do not do too much harm, buy new APs with enough memory to implement the
new filter functions, and establish a world-wide police system to arrest
Bob at any bank in the world when he tries to collect the money. 

Our job is to secure 802.11, nothing more, but certainly nothing less. That
means that we have to provide authentication for all packets. The only
sensible measure of how well we do that is how much effort it takes an
attacker to forge a single message. 

I will therefore restrict myself to the issue of securing 802.11, and not
go into any of the other aspects of the system.

[...]
Tell me if I understand this attack correctly. Bob intercepts a 

The 2^-29 probability comes from carefully choosing a particular difference
pattern in the message. For certain carefully chosen difference patterns
the MIC value does not change. Alternatively, you can use carefully chosen
difference patterns in the message and a related chosen difference in the
MIC value. The probability here is taken over all possible Michael keys.

[...]
The logic behind your countermeasure is that forgery attempts are 
very easy to detect and by shutting down for a minute after 2 forgery 
attempts within one second, Bob needs an average of half a million 
minutes to get his packet through, or about one year. And that's an 
acceptable risk.

Yes. That seems more work for Bob than breaking into the office and tapping
directly into the Ethernet cables, which is the original security goal of WEP.


[...]
There are three important differences between the Michael 
countermeasure DOS attack and the packet canceling attack you 
described earlier. First, the Michael attack is much easier to 
program, hence more likely to happen. Second, since it is new and 
specific to the touted WPA, it will be especially attractive to 
hackers, while at the same time more damaging to WPA's reputation.

We all know it only takes one smart programmer to program it, and then the
attack becomes just a tool. My DOS attack is also a super-slick one. You
can think up many other ones that are much simpler to program, like
disturbing the beacon or sending false beacons. 

Besides, I don't understand where you want to go with this argument. You
argue for a configuration switch to switch off the countermeasures. The
basic forgery attack still exists, so now the attacker can do the DOS
attack and get the countermeasures switched off. Are you saying that
Michael without countermeasures is secure enough?

Third, the countermeasure attack is inherently very hard to detect 
while I believe there are defenses against the packet cancelling 
attack that force the attacker to make lots of transmissions. As I 
mentioned, TCP/IP packets can be encapsulated in a layer above 
802.11. Also two stations on the same wireless network that also had 
a wired link could collude to force the attacker into transmitting 
more.  These aren't great defenses, but they could be developed 
fairly quickly if packet cancelling attacks became a problem.

Not if you cancel the ARP packets for new stations. And the attacker would
detect these colluding stations and ignore their packets anyway. And I can
think of several more DOS attacks against 802.11, but I don't have the time
now to work out the details.


Then why not have two levels of strength, one what is now proposed 
and the second with a stronger MIC, perhaps Michael with more rounds 
as you suggest, and let the user choose?  And why not insist that 
802.11a use the stronger mode? Because it is just coming out, 802.11a 
has no installed base and there is less crud on its 5 GHz band. It is 
also much faster so it will require more powerful processors anyway 
and any forgery attack will take much less time.

I sense a shift in argument here from "We had to retrofit existing 
systems and did the best we could," which I can buy for 802.11b but 
not in the 802.11a case, to "We don't care about DOS attacks, so we 
won't increase hardware cost a dime to defeat them."

That is exactly what 

Re: DOS attack on WPA 802.11?

2002-11-11 Thread Niels Ferguson
At 12:03 11/11/02 -0500, Arnold G. Reinhold wrote:
[...]
One of the tenets 
of cryptography is that new security systems deserve to be beaten on 
mercilessly without deference to their creator.

I quite agree. 

And I would argue 
that the Michael countermeasure is no ordinary design tradeoff. It is 
rather like a doctor prescribing a drug with severe side effects on 
the theory that it is the only way to save the patient's life, 
something that should be done only with the greatest caution:

Here I disagree. The Michael countermeasures do not introduce any danger
that does not already exist in the system. Therefore, removing the
countermeasures has no beneficial effects.

[...]
about it.  All they have to do is write some code that sends a couple 
of bad packets every minute or so to any network it finds.  This 
won't even be noticed by 802.11 nets that aren't using WPA, but those 
that are will be severely disrupted. Guess what will happen? The 
network administrators attacked will turn WPA off.  As word spreads, 
other net admins won't even bother turning it on.  They are 
overburdened anyway and installing WPA won't be a picnic.
[...]
I would argue that the Michael countermeasure DOS attack breaks WPA 
security as effectively as a cryptographic attack. It's simple, it's 
practical, it's specific to WPA, and could even be spread by virus. 
And if such an attack occurs, it will generate as much bad press as a 
cryptographic attack. How will the WiFi Alliance respond? Issue a 
press release pointing out that other DOS possibilities exist in 
ordinary 802.11? And how much credibility will be left when 802.11i 
is finally ready?

As I mentioned before, there are generic DOS attacks against 802.11 that
require very few transmissions. These can be used to mount the same attack
against WEP, WPA, the future AES-based security protocols, or any other
security protocol on top of 802.11. It is thus not specific to Michael or
the Michael countermeasures. It is a very valid criticism of the system,
just not of Michael.


o Second, the doctor should be certain of the diagnosis.
Is the patient's life really in danger? In this case that means 
asking how easy it really is to break Michael. Normally, 
cryptographers should be extremely conservative in assessing the 
strength of an algorithm.  But when the response to perceived 
weakness is to add a different vulnerability,  I would argue that the 
test should be what is realistic, not the ultra conservative worst 
case.  The Intel article said the best known attack is a 29-bit 
differential cryptanalysis. How practical is that? Does it require 
vast amounts of chosen plain text?

That is the currently best-known attack on Michael. It means that an
attacker can forge a packet with probability around 2^-29. That is the
probability of success for each attempted forgery. If you let him try 1000
packets per second, then we expect the first successful forgery within a
week. 

I only spent a limited amount of time searching for the best possible
attack. We have to assume that the attack will be improved somehow. Before
you know it you are down to a timescale of hours or seconds. Currently we
have a factor of 2^9 between the design strength of Michael and the best
known attack. That is a _very_ small factor for a newly invented
cryptographic function. We cut it as close as we dared, and much closer
than I feel happy with.


If there is no practical Michael busting attack on the horizon, then 
the objection to allowing users to turn the countermeasure off, 
perhaps with a warning that doing so risks security, seems harder to 
understand.

Attacking Michael without countermeasures is practical right now. Giving
the user the option to destroy security is not a good idea. The article you
quoted points out that the vast majority of networks are misconfigured. The
obvious lesson is _not_ to provide configuration options that result in
insecure networks. If you want an insecure network that is not vulnerable
to the countermeasures DOS attack, you can switch to WEP or switch off all
security. This goes back to the TGi mantra: "We have enough efficient
insecure protocols. We don't need another one."


o Third, the doctor should be certain that no other treatments are available.
The question of whether a significantly stronger MIC can be created 
within the limited computational budget available is still an 
interesting one. I hope more details about the algorithm and the 
constraints, both in time and space for object code, will be 
available very soon, if they are not already.  If something markedly 
better were developed in the next few months, perhaps the WiFi 
Alliance could be persuaded to drop it in before release.  At worst, 
work in this area could be a useful backup in case AES-based 
solutions prove too cumbersome to retrofit.  I have some preliminary 
ideas based on what I read in the Intel paper, but I will put them in 
a separate message.

Michael was the best I could come 

Re: DOS attack on WPA 802.11?

2002-11-08 Thread William Arbaugh
TGi has NEVER been all that interested in DOS attacks because a number 
of people argued that all you need to do is turn on a spark gap 
transmitter. While this is true, I think it is harder (one can argue 
how much) to get a spark gap transmitter and use it correctly than a 
laptop, NIC card, and parabolic dish. As a result, the threat class 
becomes much larger than it should be. And BTW, you can do all sorts of 
DOS attacks against the base .11 protocol (sending management, EAP, 
etc. frames willy nilly; see http://802.11ninja.net/ as an example).

I think the bigger concern with the Michael countermeasures is:
	1. Will the vendors implement them, and
	2. Will they be implemented correctly?

Ideally, the compliance checking will ensure this...but then 
again..

TGi had to do a delicate balancing act between finding a solution that can 
be implemented in firmware, and actually makes some improvements. I 
think they did a reasonable job with WPA1 considering the engineering 
challenges.

On Thursday, Nov 7, 2002, at 21:07 US/Eastern, Niels Ferguson wrote:

Yes, the Michael countermeasures allow a DOS attack. This was widely
discussed in 802.11-TGi before the countermeasures were accepted.



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
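
The rule and the figures argued over in this thread (two MIC failures within a second, a one-minute shutdown, a 2^-29 per-attempt forgery probability, a 20-bit design strength) can be checked with a small receiver-side model. This is an added example, not code from any poster or from the 802.11i draft; the class, function and parameter names and the sample timestamps are constructed for illustration.

```python
SECONDS_PER_DAY = 86400.0


class MicCountermeasure:
    """Receiver-side rule: two MIC failures within `window` seconds trigger
    a shutdown (keys deleted, link down) lasting `hold_down` seconds."""

    def __init__(self, window=1.0, hold_down=60.0):
        self.window = window
        self.hold_down = hold_down
        self.last_failure = None   # time of the previous MIC failure
        self.down_until = 0.0      # link is down while t < down_until
        self.shutdowns = 0

    def is_down(self, t):
        return t < self.down_until

    def on_mic_failure(self, t):
        """Record a MIC failure seen at time t; return True if it trips the rule."""
        if self.is_down(t):
            return False           # nothing is received while the link is down
        if self.last_failure is not None and t - self.last_failure <= self.window:
            self.down_until = t + self.hold_down
            self.last_failure = None
            self.shutdowns += 1
            return True
        self.last_failure = t
        return False


def downtime_fraction(failure_times, duration, window=1.0, hold_down=60.0):
    """Fraction of `duration` seconds the link spends shut down."""
    cm = MicCountermeasure(window, hold_down)
    down = 0.0
    for t in sorted(failure_times):
        if t < duration and cm.on_mic_failure(t):
            down += min(cm.down_until, duration) - t
    return down / duration


def days_to_forgery(bits, attempts_per_second):
    """Expected days until one forgery succeeds at probability 2**-bits each
    (the mean of a geometric distribution is 2**bits attempts)."""
    return (2.0 ** bits) / attempts_per_second / SECONDS_PER_DAY


def throttled_rate(hold_down=60.0):
    """Upper bound on attempts per second under the rule: each back-to-back
    pair of failures costs one hold-down period."""
    return 2.0 / hold_down


# Constructed sample: one pair of bad-MIC frames each time the link returns.
SAMPLE_FAILURES = [k * 61 + off for k in range(10) for off in (0.0, 0.5)]

if __name__ == "__main__":
    print("no countermeasure, 2^-29, 1000 pkt/s:", days_to_forgery(29, 1000.0), "days")
    print("countermeasure, 20-bit design strength:", days_to_forgery(20, throttled_rate()), "days")
    print("countermeasure, 2^-29 attack:", days_to_forgery(29, throttled_rate()) / 365, "years")
    print("5 s hold-down, 20-bit:", days_to_forgery(20, throttled_rate(5.0)), "days")
    print("downtime under sample:", downtime_fraction(SAMPLE_FAILURES, 610.0))
```

The same 20 frames in about ten minutes that keep the modelled link down over 98% of the time are also what bounds a forger to two attempts per minute, which is the trade-off both sides of the thread are arguing over.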



DOS attack on WPA 802.11?

2002-11-07 Thread Arnold G. Reinhold
The new Wi-Fi Protected Access scheme (WPA), designed to replace the 
discredited WEP encryption for 802.11b wireless networks, is a  major 
and welcome improvement. However it seems to have a significant 
vulnerability to denial of service attacks. This vulnerability 
results from the proposed remedy for the self-admitted weakness of 
the Michael message integrity check (MIC) algorithm.

To be backward compatible with the millions of 802.11b units already 
in service,  any MIC algorithm must operate within a very small 
computing budget. The algorithm chosen, called Michael,  is spec'd as 
offering only 20 bits of effective security.

According to an article by Jesse Walker of Intel 
http://cedar.intel.com/media/pdf/security/80211_part2.pdf :

This level of protection is much too weak to afford much benefit by 
itself, so TKIP complements Michael with counter-measures. The design 
goal of the counter-measures is to throttle the utility of forgery 
attempts, limiting knowledge the attacker gains about the MIC key. If 
a TKIP implementation detects two failed forgeries in a second, the 
design assumes it is under active attack. In this case, the station 
deletes its keys, disassociates, waits a minute, and then 
reassociates. While this disrupts communications, it is necessary to 
thwart active attack. The countermeasures thus limits the expected 
number of undetected forgeries such an adversary might generate to 
about one per year per station.

Unfortunately the countermeasures cure may invite a different 
disease. It would appear easy to mount a denial of service attack by 
simply submitting two packets with bad MIC tags in quick succession. 
The access point then shuts down for a minute or more. When it comes 
back up, one repeats the attack.  All the attacker needs is a laptop 
or hand held computer with an 802.11b card and a little software. 
Physically locating the attacker is made much more difficult than for 
an ordinary RF jammer by the fact that only a couple of packets per 
minute need be transmitted. Also the equipment required has innocent 
uses, unlike a jammer, so prosecuting an apprehended suspect would be 
more difficult.

The ability to deny service might be very useful to miscreants in 
some circumstances. For example, an 802.11b network might be used to 
coordinate surveillance systems at some facility or event.  With 
802.11b exploding in popularity, it is impossible to foresee all the 
mission critical uses it might be put to.

Here are a couple of suggestions to improve things, one easier, the 
other harder.

The easier approach is to make the WPA response to detected forgeries 
more configurable.  The amount of time WPA stays down after two 
forgeries might be a parameter, for example.  It should be possible 
to turn the countermeasures off completely. Some users might find the 
consequences of forgeries less than that of lost service. For a firm 
offering for-fee public access, a successful forgery attack might 
merely allow free riding by the attacker, while denied service could 
cost much more in lost revenue and reputation.

Another way to make WPA's response more configurable would be for the 
access point to send a standard message to a configurable IP address 
on the wire side whenever it detects an attack. This could alert 
security personnel to scan the parking lot or switch the access point 
to be outside the corporate firewall. The message also might quote 
the forged packets, allowing them to be logged.  Knowing the time and 
content of forged packets could also be useful to automatic radio 
frequency direction finding equipment. As long as some basic hooks 
are in place, other responses to forgery attack could be developed 
without changing the standard.

The harder approach is to replace Michael with a suitable but 
stronger algorithm (Michelle?).  I am willing to assume that 
Michael's designer, Niels Ferguson, did a fine job within the 
constraints he faced. But absent a proof that what he created is 
absolutely optimal, improving on it seems a juicy cryptographic 
problem. How many bits of protection can you get on a tight budget? 
What if you relaxed the budget a little, so it ran on say 80% of 
installed access points? A public contest might be in order.

Clearly, WPA is needed now and can't wait for investigation and 
vetting of a new MIC. But if a significantly improved MIC were 
available in a year or so, it could be included as an addendum or as 
as part of the 802.11i specification.  Some might say that 802.11i's 
native security will be much better, so why bother? My answer is that 
802.11i will not help much unless WPA compatibility is shut off.  And 
with so many millions of 802.11 cards in circulation that are not 
.11i ready, that won't happen in most places for a long time. On 
the other hand, an upgraded MIC could  be adopted by an organization 
that wished improved security with modest effort. Backward 
compatibility could be maintained, with a 

Re: DOS attack on WPA 802.11?

2002-11-07 Thread Donald Eastlake 3rd
On Thu, 7 Nov 2002, Arnold G. Reinhold wrote:

 Date: Thu, 7 Nov 2002 16:17:48 -0500
 From: Arnold G. Reinhold [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: DOS attack on WPA 802.11?
 
 The new Wi-Fi Protected Access scheme (WPA), designed to replace the 
 discredited WEP encryption for 802.11b wireless networks, is a  major 
 and welcome improvement. However it seems to have a significant 
 vulnerability to denial of service attacks. This vulnerability 
 results from the proposed remedy for the self-admitted weakness of 
 the Michael message integrity check (MIC) algorithm.

Needless to say, this has been discussed time and time again in the 
meetings and on the mailing list of IEEE 802.11i.

 To be backward compatible with the millions of 802.11b units already 
 in service,  any MIC algorithm must operate within a very small 
 computing budget. The algorithm chosen, called Michael,  is spec'd as 
 offering only 20 bits of effective security.

That's right, there is this TKIP branch of 802.11i to support the 
15,000,000+ legacy units out there. If you can come up with a better MIC 
that almost all of them can support with just a firmware upgrade, you 
are welcome to submit it but to overcome the current commitment it would 
need to be substantially better and out pretty quick.

 According to an article by Jesse Walker of Intel 
 http://cedar.intel.com/media/pdf/security/80211_part2.pdf :
 
 This level of protection is much too weak to afford much benefit by 
 itself, so TKIP complements Michael with counter-measures. The design 
 goal of the counter-measures is to throttle the utility of forgery 
 attempts, limiting knowledge the attacker gains about the MIC key. If 
 a TKIP implementation detects two failed forgeries in a second, the 
 design assumes it is under active attack. In this case, the station 
 deletes its keys, disassociates, waits a minute, and then 
 reassociates. While this disrupts communications, it is necessary to 
 thwart active attack. The countermeasures thus limits the expected 
 number of undetected forgeries such an adversary might generate to 
 about one per year per station.
 
 Unfortunately the countermeasures cure may invite a different 
 disease. It would appear easy to mount a denial of service attack by 
 simply submitting two packets with bad MIC tags in quick succession. 
 The access point then shuts down for a minute or more. When it comes 
 back up, one repeats the attack.  All the attacker needs is a laptop 
 or hand held computer with an 802.11b card and a little software. 
 Physically locating the attacker is made much more difficult than for 
 an ordinary RF jammer by the fact that only a couple of packets per 
 minute need be transmitted. Also the equipment required has innocent 
 uses, unlike a jammer, so prosecuting an apprehended suspect would be 
 more difficult.

So throw all your legacy hardware in the trash (or sell it on eBay), get
only new hardware, and don't enable TKIP, if you are so worried about
this.

 The ability to deny service might be very useful to miscreants in 
 some circumstances. For example, an 802.11b network might be used to 
 coordinate surveillance systems at some facility or event.  With 
 802.11b exploding in popularity, it is impossible to foresee all the 
 mission critical uses it might be put to.

Mission critical uses on an unlicensed band where 802.11b gets to fight
it out with Bluetooth, cordless phones, diathermy machines, and who
knows what else? (at least efforts are underway to coordinate with
Bluetooth)

 Here are a couple of suggestions to improve things, one easier, the 
 other harder.
 
 The easier approach is to make the WPA response to detected forgeries 
 more configurable.  The amount of time WPA stays down after two 
 forgeries might be a parameter, for example.  It should be possible 
 to turn the countermeasures off completely. Some users might find the 
 consequences of forgeries less than that of lost service. For a firm 
 offering for-fee public access, a successful forgery attack might 
 merely allow free riding by the attacker, while denied service could 
 cost much more in lost revenue and reputation.

I think the feeling was there are lots of ways you can run insecure if
you want. Like just using WEP. If you want to be secure with legacy
hardware, you need countermeasures. If you don't want to be secure, you 
don't need any of TKIP or the rest of 802.11i.

 Another way to make WPA's response more configurable would be for the 
 access point to send a standard message to a configurable IP address 
 on the wire side whenever it detects an attack. This could alert 
 security personnel to scan the parking lot or switch the access point 
 to be outside the corporate firewall. The message also might quote 
 the forged packets, allowing them to be logged.  Knowing the time and 
 content of forged packets could also be useful to automatic radio 
 frequency direction finding equipment. As long as some basic