Re: DOS attack on WPA 802.11?
On Fri, 13 Dec 2002, Arnold G. Reinhold wrote:

Date: Fri, 13 Dec 2002 15:52:01 -0500
From: Arnold G. Reinhold [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: David Wagner [EMAIL PROTECTED], Donald Eastlake 3rd [EMAIL PROTECTED], William Arbaugh [EMAIL PROTECTED]
Subject: Re: DOS attack on WPA 802.11?

...

The differential attack on Michael, which prompted the addition of the DoS-enabling time-out, involves sending half a billion forged packets for every one packet that gets through. Why isn't that considered [by the 802.11i Task Group] a minor and even currently-impractical-to-exploit weakness?

You can answer this question just as easily as I can. All you have to do is read the mind of all the voting members of 802.11.

...

There are 15 million or more 802.11b units out there. The rate at which people are replacing computer hardware has dropped substantially. It will be a long time before system administrators can simply stop supporting them. And system administrators are busy folk. Once they install WPA, they will be in no rush to upgrade it.

All predictions I've seen show exponential growth in 802.11 equipment through 2007. There is tremendous growth in new 802.11 installations and upgrades to existing implementations. There are corporations that really care about security and are today forcing everyone using their corporate net to get wireless cards (and use them even for PCs with built in wireless) that use proprietary stuff now and are guaranteed upgradable to the 802.11i standard when it comes out.

...

Why wait a few years when it can be fixed now? 802.11a is a new system. Why introduce a weak MIC on 802.11a when it is completely unnecessary? Replacing Michael with an accepted cryptographic algorithm on 802.11a is a zero risk solution. As for 802.11b, I am simply proposing that the time-out be configurable. How big a deal is that?

802.11a hardware has been shipping for some time. No one has to build 802.11a systems supporting TKIP if they don't want to. But it would have been silly to try to somehow restrict TKIP to 802.11b given what a massive improvement it is over WEP, even though it is not as strong as CCMP. For 802.11i to spend cycles on a TKIPa for 802.11a would just slow down getting CCMP out.

Exactly. The WPA time-out creates a DoS opportunity that is very attacker friendly, only two packets per minute are needed to bring a network down. Triangulating on such an attacker is very difficult.

OK, if you think it is so trivial, please outline the exact steps needed to execute this Denial of Service attack. I don't think you begin to understand how hard it would be.

802.11 is exploding in popularity and is being used for applications of increasing economic importance. Network availability is as much a part of security as authentication. The military systems that 802.11 derives from were designed to operate in hostile environments. There is technology that could be transferred to the commercial world.

Network availability goes to zero with many cordless phone systems or any microwave oven operating at the right frequency range if you remove the shielding from the microwave (it is not recommended that you be too close to the microwave when it is operating in that mode unless you cause its output to be directed away from you).

Has the IEEE committee discussed its decision to ignore DoS with other WiFi constituencies? Have those constituencies agreed that DoS is not something to worry about? Has this been disclosed to the public? The WiFi home page http://www.wi-fi.org has a tab on security with a long discussion touting WPA. I saw nothing mentioned about DoS, not even the FCC Part 15.19 notice.

The WiFi Alliance is a marketing and interoperability organization, not a standards or technical organization. The IEEE process is documented at exhaustive length in IEEE documents and has been followed. Any person interested can participate. Anyone can propose to 802.11 that a liaison be set up with any other organization. At this time, over 2/3rds of all IEEE 802 members are in 802.11 making it the most widely representative of all 802 working groups with attendance commonly over 300 persons. Your idea that the public, whatever you mean by that, should be consulted is pretty hilarious. The idea that the average man on the street is a great source of wisdom for secure communications protocol design is not widely held. Perhaps they would support you. Enough scare stories in the press exaggerating the significance of denial of service due to TKIP countermeasures could easily stampede the public.

...

I don't know how long it would take for a network to recover from a bogus disassociate message, but I presume well less than a minute. It is also not clear to me why future standards could not include protection against a disassociate attack.

All this has been debated many times in 802.11i
Re: DOS attack on WPA 802.11?
At 10:48 PM -0500 11/29/02, Donald Eastlake 3rd wrote:

Arnold, If you want to play with this as an intellectual exercise, be my guest. But the probability of changing the underlying IEEE 802.11i draft standard, which would take a 3/4 majority of the voting members of IEEE 802.11, or of making the WiFi Alliance WPA profiling and subsetting of 802.11i incompatible with the standard, is close to zero.

Cryptographic standards should be judged on their merits, not on the bureaucratic difficulties in changing them. Specs have been amended before. Even NSA was willing to revise its original secure hash standard. That's why we have SHA1. If I am right and WPA needlessly introduces a significant denial of service vulnerability, then it should be fixed. If I am wrong, no change is needed of course.

Check out the President's message for September 202 at the Association of Old Crows web site (Serving the Electronic Warfare and Information Operations Community): http://www.aochq.org/news.htm

Arnold Reinhold
Re: DOS attack on WPA 802.11?
I'm not saying there might not be a level of error or weakness that would cause an emergency reset of the standards process. I'm saying that this diddle-shit minor DoS attack isn't such an error or weakness. It was fully known about by the 802.11 working group, repeatedly debated at great length, and discounted as being insignificant. Therefore, an improvement which merely eliminated it has only a vanishingly small probability of upsetting the apple-cart.

In the academic world, certainly any minor and even currently-impractical-to-exploit weakness is of great interest. In the real world, products have substantial lead times and at some point you have to stop investigating minor improvements and start cranking out code/chips/whatever.

Go ahead and design whatever wonderful improvements in TKIP you want. Perhaps you can publish a paper or two. But unless you find something a lot bigger wrong with it, I predict the standard will not be changed, particularly given that TKIP is temporary and within a few years the deployed hardware population will be swamped with newer hardware supporting CCMP mode.

Donald

On Thu, 5 Dec 2002, Arnold G. Reinhold wrote:

Date: Thu, 5 Dec 2002 12:40:18 -0500
From: Arnold G. Reinhold [EMAIL PROTECTED]
To: Donald Eastlake 3rd [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: DOS attack on WPA 802.11?

At 10:48 PM -0500 11/29/02, Donald Eastlake 3rd wrote:

Arnold, If you want to play with this as an intellectual exercise, be my guest. But the probability of changing the underlying IEEE 802.11i draft standard, which would take a 3/4 majority of the voting members of IEEE 802.11, or of making the WiFi Alliance WPA profiling and subsetting of 802.11i incompatible with the standard, is close to zero.

Cryptographic standards should be judged on their merits, not on the bureaucratic difficulties in changing them. Specs have been amended before. Even NSA was willing to revise its original secure hash standard. That's why we have SHA1. If I am right and WPA needlessly introduces a significant denial of service vulnerability, then it should be fixed. If I am wrong, no change is needed of course.

Check out the President's message for September 202 at the Association of Old Crows web site (Serving the Electronic Warfare and Information Operations Community): http://www.aochq.org/news.htm

Arnold Reinhold

==
Donald E. Eastlake 3rd [EMAIL PROTECTED]
155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w)
Milford, MA 01757 USA [EMAIL PROTECTED]
Re: DOS attack on WPA 802.11?
Arnold G. Reinhold wrote:

If I am right and WPA needlessly introduces a significant denial of service vulnerability, then it should be fixed. If I am wrong, no change is needed of course.

But TKIP (the part of WPA you're talking about) is only a temporary measure, and will soon be replaced by AES-CCMP. The question is not "Should we replace TKIP?", because the answer to that is obvious: "Yes, we should, and we will." The question is: "Why bother working on a `fix' to WPA that will likely never be deployed and that will be obsoleted in a few years by the spread of AES-CCMP?".
Re: DOS attack on WPA 802.11?
The answer is multi-fold.

1) The 802.11i standard won't be finished for a while.
2) There is an apparent Market Requirement for something better than WEP __NOW__.
3) The WPA can only change their requirements once per year, so even if 802.11i were ready in 3 months, it would still take another year until it hit the WPA conformance requirements. But they wanted to make some changes _now_ in order to get better security into next year's product line.

In other words, the answer is due to layers 8 and 9, and nothing technical

-derek

[EMAIL PROTECTED] (David Wagner) writes:

Arnold G. Reinhold wrote:

If I am right and WPA needlessly introduces a significant denial of service vulnerability, then it should be fixed. If I am wrong, no change is needed of course.

But TKIP (the part of WPA you're talking about) is only a temporary measure, and will soon be replaced by AES-CCMP. The question is not "Should we replace TKIP?", because the answer to that is obvious: "Yes, we should, and we will." The question is: "Why bother working on a `fix' to WPA that will likely never be deployed and that will be obsoleted in a few years by the spread of AES-CCMP?".

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED] www.ihtfp.com
Re: DOS attack on WPA 802.11?
-- Arnold G. Reinhold

Cryptographic standards should be judged on their merits, not on the bureaucratic difficulties in changing them. Specs have been amended before. Even NSA was willing to revise its original secure hash standard. That's why we have SHA1. If I am right and WPA needlessly introduces a significant denial of service vulnerability, then it should be fixed.

I do not think the DOS is significant, since one can do the same thing with a spark emitter. The person doing the DOS has to bring his equipment up to the target, which makes the attacker vulnerable to BBRS (Baseball bat restoration of service)

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
z9usqTFDdak6fIXLvMz4FRjtDX9LwX0psRJRmfeP
4JZ85epzXMA2AbDtWU3mqFXAi8Pu30SKDhyrx2bRN
Re: DOS attack on WPA 802.11?
At 4:57 AM +0100 11/19/02, Niels Ferguson wrote:

At 21:58 18/11/02 -0500, Arnold G Reinhold wrote:

...

Third, a stronger variant of WPA designed for 11a could also run on 11b hardware if there is enough processing power, so modularization is not broken.

But there _isn't_ enough processing power to run a super-Michael. If there were, I'd have designed Michael to be stronger.

I'm not sure that is true for all existing 802.11b hardware. And vendors of new 802.11b hardware could certainly elect to support the stronger variant of WPA.

Maybe what you are suggesting is to add yet another cryptographic function; the current Michael for existing hardware and a super-Michael for newer 802.11a hardware. Developing super-Michael would cost a couple of months and a lot of money. I would consider that a waste of effort that should have been spent on the AES-based security protocols. That is where we are going, and we need to get there ASAP. It is perfectly possible to design 802.11a hardware today that will be able to implement the future AES-based security protocols. That is what software updates are for.

That is what I am suggesting. If a stronger version of Michael is too expensive to develop, there is still the option of using a standard message authentication function, say an HMAC based on MD5 or an AES solution. I spoke to several 802.11a/g chip-set vendors at Comdex and they seem to be allowing extra processing power to support 11i. Intersil said they were using 20% of available MIPS.

...

[regarding my suggestion to rotate the Michael output words in a key-dependent way:]

[...] Those are standard design questions. I looked at better mixing at the end of the Michael function and decided against it. It would slow things down and the attack that changes the last message word and the MIC value had much the same security bound as the differential attack that does not change the MIC value. There is no point in strengthening one link of the chain if there is another weak link as well. Of course, this isn't how I normally design cryptographic functions, but Michael is a severely performance-limited design. [...]

I have responses to your concerns about using SHA and the issue of re-keying, but you point out:

It would be easier just to ask for 128 key bits from the key management system. It has a PRF and should be able to do it.

That would be fine. You only need ten additional keying bits for arbitrary rotation of the two output words. Maybe an additional bit to optionally swap the words. This only adds a few instructions per packet.
Re: DOS attack on WPA 802.11?
At 13:53 29/11/02 -0500, Arnold G. Reinhold wrote:

But there _isn't_ enough processing power to run a super-Michael. If there were, I'd have designed Michael to be stronger.

I'm not sure that is true for all existing 802.11b hardware. And vendors of new 802.11b hardware could certainly elect to support the stronger variant of WPA.

No, but a new standard has to work on _all_ (or almost all) existing hardware. Backward compatibility is of primary importance for acceptance of the new standard. If it isn't backwards compatible it won't be used, which is much worse.

There will be a stronger variant of WPA: The TGi AES-based protocol. It just isn't finished yet.

Cheers!

Niels

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E
Re: DOS attack on WPA 802.11?
Arnold, If you want to play with this as an intellectual exercise, be my guest. But the probability of changing the underlying IEEE 802.11i draft standard, which would take a 3/4 majority of the voting members of IEEE 802.11, or of making the WiFi Alliance WPA profiling and subsetting of 802.11i incompatible with the standard, is close to zero.

On Fri, 29 Nov 2002, Arnold G. Reinhold wrote:

Date: Fri, 29 Nov 2002 13:53:41 -0500
From: Arnold G. Reinhold [EMAIL PROTECTED]
To: Niels Ferguson [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: DOS attack on WPA 802.11?

At 4:57 AM +0100 11/19/02, Niels Ferguson wrote:

At 21:58 18/11/02 -0500, Arnold G Reinhold wrote:

...

Third, a stronger variant of WPA designed for 11a could also run on 11b hardware if there is enough processing power, so modularization is not broken.

But there _isn't_ enough processing power to run a super-Michael. If there were, I'd have designed Michael to be stronger.

I'm not sure that is true for all existing 802.11b hardware. And vendors of new 802.11b hardware could certainly elect to support the stronger variant of WPA.

Of course it is not true for all existing hardware. TKIP needed to run on more or less the feeblest legacy 802.11b hardware. Vendors of new hardware are interested in supporting the stronger mandatory parts of 802.11i (which will be known as WPA v2). The only reason I can think of that a vendor might want to support something incompatible is to lock in customers, probably because they had at least a patent pending on it.

Maybe what you are suggesting is to add yet another cryptographic function; the current Michael for existing hardware and a super-Michael for newer 802.11a hardware. Developing super-Michael would cost a couple of months and a lot of money. I would consider that a waste of effort that should have been spent on the AES-based security protocols. That is where we are going, and we need to get there ASAP. It is perfectly possible to design 802.11a hardware today that will be able to implement the future AES-based security protocols. That is what software updates are for.

...

Donald

==
Donald E. Eastlake 3rd [EMAIL PROTECTED]
155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w)
Milford, MA 01757 USA [EMAIL PROTECTED]
Re: DOS attack on WPA 802.11?
At 00:55 14/11/02 -0800, Bill Stewart wrote:

At 12:03 PM 11/11/2002 -0500, Arnold G. Reinhold wrote:

One of the tenets of cryptography is that new security systems deserve to be beaten on mercilessly without deference to their creator.

In particular, I'd be interested in finding out if the new stuff has been beaten up by Ian, Nikita, and the other people who did the earlier shreddings of the WEP system - while it certainly needs broader attention than that, it at least needs to get by some of the usual suspects rather than just approval by the same sort of standards people who let the first one out the door. That doesn't mean that it's a solid guarantee, but all this talk of 20-bit MIC codes doesn't strike me as something that could pass the Ian's Lunch Break test, much less the kind of attention that AES got.

I would contend that I am not the same sort of standards people that let WEP out the door. Have a look at my website and list of publications (http://niels.ferguson.net/). I've been designing cryptographic systems since 1990. That doesn't mean that I don't make mistakes. I make many of them. Michael is very much an on-the-edge design, due to the harsh requirements. It is quite possible that someone will find a better attack against Michael, but unless I really goofed it will take Ian more than a single lunch break.

Cheers!

Niels

==
Niels Ferguson, [EMAIL PROTECTED], phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E
Re: DOS attack on WPA 802.11?
[please ignore previous message, sent by mistake -- agr]

On Sat, 16 Nov 2002, Niels Ferguson wrote:

At 18:15 15/11/02 -0500, Arnold G Reinhold wrote:

I agree that we have covered most of the issues. One area where you have not responded is the use of WPA in 802.11a. I see no justification for introducing a crippled authentication there.

From the point of the standard there is little difference between 802.11, 802.11a, and 802.11b. The differences are purely in the PHY layer. That is, the exact radio modulations are different, but the whole MAC layer is identical. It would break modularisation to link a MAC layer feature to a PHY layer feature. The other reason is that 802.11a hardware is already being shipped, and the AES-based cryptographic protocol has not been finalised.

Modularization is a poor excuse for shipping a cryptographically weak product. Second, in this case the PHY layer does affect a MAC layer feature. 802.11a is much faster than 11b. That makes Michael even more vulnerable to attack. If Michael is subject to one forged packet per year on 11b, it is vulnerable to one every 10 weeks or so in 11a. Third, a stronger variant of WPA designed for 11a could also run on 11b hardware if there is enough processing power, so modularization is not broken. As for shipped hardware, does anyone know that it could not run with a stronger version of Michael? And a few shipped units is far less justification than the 10's of millions of 802.11b units out there.

Also here is one more idea for possibly improving Michael. Scramble the output of Michael in a way that depends on the MIC key, K. This could be as simple as rotating each output word a number of bits derived from K. Or you could generate an 8 by 8 permutation from K and apply it to the bytes in the Michael output. You might even be able to use the small cipher that is used to generate the individual packet encryption keys in WPA. This would break up an attack that depends on messing with the bits of the MIC in the message. It does nothing for attacks on parts of the message body. Any additional integrity check on the message would catch that, however.

This would provide at most a very marginal security improvement. A differential attack can leave the final MIC value unchanged, and adding an extra encryption would not help. See the Michael security analysis for details.

A marginal improvement on a marginal algorithm can be worthwhile. It does break up one attack mode at negligible cost. It might prevent other attacks that have not been envisioned.

Rotating the output in a key-dependent way is dangerous. You expose the rotation constants to discovery using a differential attack.

If the rotation constants are derived from the MIC key using a strong hash (e.g. SHA1) there is little risk of recovering key bits. Since this only needs to be done when the MIC key changes, the computation time should be affordable. There is a risk that an attacker who is doing an exhaustive key search could use knowledge of the rotation bits to rule out most trial keys with just a hash computation. But even if they could completely test all MIC key candidates with just the hash, that would require 2**63 SHA1 trials to recover the MIC key on average. That is a reasonable level of security compared to WPA, and with 10 rotation bits we are very far from even that situation. Another cheap variant would be to derive the rotation constants from the hash of the last two MIC keys. This eliminates even this minute risk.

Additional integrity checks would require extra cycles, which we could also have spent on a more secure Michael version.

I wasn't suggesting they be done by 802.11, but by higher layers.

With greetings from Las Vegas,

Arnold Reinhold
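The key-dependent output rotation proposed in the message above (with the optional word swap mentioned in the 29 Nov message), as an added example that is not code from the thread or from any 802.11 specification. The Michael routine follows the published TKIP definition; taking the rotation counts and swap bit from the first three SHA-1 digest bytes, and the names `michael`, `rotation_params`, `scrambled_mic` and `unscramble`, are assumptions made here.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    """Rotate a 32-bit word right by n bits."""
    return rol(x, 32 - (n % 32))


def xswap(x):
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_words(key, msg):
    """Run Michael over msg with an 8-byte key; return the two output words."""
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4 to 7 zero bytes up to a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (m,) in struct.iter_unpack("<I", padded):
        l ^= m
        r ^= rol(l, 17)
        l = (l + r) & MASK
        r ^= xswap(l)
        l = (l + r) & MASK
        r ^= rol(l, 3)
        l = (l + r) & MASK
        r ^= ror(l, 2)
        l = (l + r) & MASK
    return l, r


def michael(key, msg):
    """Plain 64-bit Michael MIC as 8 little-endian bytes."""
    return struct.pack("<II", *michael_words(key, msg))


def rotation_params(key):
    """Derive 10 rotation bits plus 1 swap bit from SHA-1 of the MIC key.

    Which digest bytes are used is an assumption of this example; the
    message only says the constants come from a strong hash of the key.
    Computed once per MIC key, not once per packet.
    """
    digest = hashlib.sha1(key).digest()
    return digest[0] & 31, digest[1] & 31, digest[2] & 1


def scrambled_mic(key, msg):
    """Michael output with each word rotated and the words optionally swapped."""
    rot_l, rot_r, swap = rotation_params(key)
    l, r = michael_words(key, msg)
    l, r = rol(l, rot_l), rol(r, rot_r)
    if swap:
        l, r = r, l
    return struct.pack("<II", l, r)


def unscramble(key, tag):
    """Invert scrambled_mic's post-processing, recovering the plain MIC."""
    rot_l, rot_r, swap = rotation_params(key)
    l, r = struct.unpack("<II", tag)
    if swap:
        l, r = r, l
    return struct.pack("<II", ror(l, rot_l), ror(r, rot_r))


if __name__ == "__main__":
    key = bytes.fromhex("82925c1ca1d130b8")       # constructed sample key
    frame = b"constructed sample frame"            # constructed sample input
    print("rotation/swap:", rotation_params(key))
    print("plain MIC    :", michael(key, frame).hex())
    print("scrambled MIC:", scrambled_mic(key, frame).hex())
```

The post-processing is a key-dependent bijection on the 64-bit output, so two messages that produce the same Michael value also produce the same scrambled value, which is the limitation raised in the quoted reply about differential attacks that leave the MIC unchanged.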
Re: DOS attack on WPA 802.11?
At 11:40 PM +0100 11/11/02, Niels Ferguson wrote:

At 12:03 11/11/02 -0500, Arnold G. Reinhold wrote:

[...] One of the tenets of cryptography is that new security systems deserve to be beaten on mercilessly without deference to their creator.

I quite agree.

I hope you won't mind another round then.

2. Refresh the Michael key frequently. This proposal rests on WPA's [...]

This has no effect on the best attack we have so far. The attack is a differential attack, and changing the key doesn't change the probabilities.

Tell me if I understand this attack correctly. Bob intercepts a packet he knows contains a certain message, even though it is WPA encrypted, say "Transfer one hundred dollars from Alice's account to Bob's account. Have a nice day." (Maybe he knows what time it was sent, or the length, whatever.) Because WPA uses a stream cipher, Bob can create a message that will decrypt with the same key to "Transfer one million dollars from Alice's account to Bob's account. Have a nice day." This was one of the problems with WEP.

WPA is designed to prevent this kind of forgery by adding a 64-bit MIC. Even so, I could send lots of packets containing the million dollars message but with random stuff in the MIC field (or in the "Have a nice day" part that Bob knows nobody reads) and if I do this enough times I will accidentally create a packet with a valid MIC. If MIC were really strong, this would take about 2**64 tries, a big enough number not to worry about. But because Michael is puny, you were able to find some clever tricks for picking the randomizing data so that only about 2**29 (aka half a billion) tries are needed. Furthermore, you are worried that there might be a way that requires only 2**20 (about a million) tries. And because we are trying MIC codes at random, the MIC key in use at the moment doesn't matter. Eventually Bob gets lucky and the packet goes through.

The logic behind your countermeasure is that forgery attempts are very easy to detect and by shutting down for a minute after 2 forgery attempts within one second, Bob needs an average of half a million minutes to get his packet through, or about one year. And that's an acceptable risk.

If I got this right, here are a couple of observations. Assume for a moment WPA as is, but with your time out countermeasure turned off.

1. Bob only gets that one packet through. If he wants another packet he has to start all over with another million or more attempts. So that packet had better be worth the effort.

2. This forgery only affects the 802.11 layer. If the "Transfer one million dollars" message has an electronic signature or another layer of protection, this attack does nothing to defeat that.

3. The network will get and detect hundreds of thousands of copies of the forged message before a valid one gets through. If Bob is tampering with the MIC code, they will all be identical. If Bob is munging an unimportant section of the message, they will still be highly correlated. So we will have hours, maybe days of warning that someone is attacking our system and exactly what Bob is trying to do. Even if we were asleep and he succeeds, we would know about the attack and what message he was trying to send.

4. Bob has to do a lot of transmitting and we will have hours or days of warning to track him down with direction finding equipment.

This is not a very attractive attack from Bob's point of view. He must find a single packet so valuable it is worth all risk and time involved in mounting this attack. He telegraphs his scheme well in advance of its success. He risks being caught in the act and he leaves a trail of evidence that can be used to catch him, say when he cleans out that bank account. It sounds like a Woody Allen movie scenario. (What does this note mean 'I have a bun'? It says 'gun' Hey Charlie does this look like a 'b' or a 'g' to you?)

Furthermore, if I got this right, a filter could be turned on that simply blocked the packet Bob is attempting to send when it finally gets a valid MIC. For extra credit, you could do the following: automatically detect forgery attempts and devise a filter for them (say, look for the constant region of the forgeries). When a valid packet comes through that matches the filter, reject it and force a key change. The transport layer will request a retry. If, by chance, the packet was legit, the station that sent it can send it again and the Internet goes on. Bob on the other hand, needs another million tries, after which the same thing will happen.

Any security hole is a matter for concern, but if my understanding is correct, I am more convinced that a valid alternative to your time out countermeasure is for WPA to tell us we are under attack and let us log the forgery attempts verbatim, which I suggested in my first message.

Regardless of whether my understanding of the differential attack is correct, I think the nub of our disagreement
Re: DOS attack on WPA 802.11?
We've gone through all the main argument here, and I think it is clear we don't agree. I started writing a detailed reply to your last message, but most of it was just argueing that we need authentication on 802.11 packets. TGi had a limited brief: improve the security for 802.11, and that includes providing authentication. Many of your arguments depend on properties of other parts of the system. A few forged packets won't cause too much danger. We can DF the transmitter, and then do something about it. We can catch Bob when he collects the money. We can detect the attack and let the humans respond to it. We can implement alternative countermeasures in the form of a filter. You can't assume that any of these are true. We can't tell our customers something like: Here is the security upgrade for your existing hardware, but you need to buy DF equipment, staff your wireless network security office 24*7, re-design all your applications such that a few forged packets do not do too much harm, buy new APs with enough memory to implement the new filter functions, and establish a world-wide police system to arrest Bob at any bank in the world when he tries to collect the money. Our job is to secure 802.11, nothing more, but certainly nothing less. That means that we have to provide authentication for all packets. The only sensible measure of how well we do that is how much effort it takes an attacker to forge a single message. I will therefore restrict myself to the issue of securing 802.11, and not go into any of the other aspects of the system. [...] Tell me if I understand this attack correctly. Bob intercepts a The 2^-29 probability comes from carefully choosing a particular difference pattern in the message. For certain carefully chosen difference patterns the MIC value does not change. Alternatively, you can use carefully chosen difference patterns in the message and a related chosen difference in the MIC value. 
The probability here is taken over all possible Michael keys. [...] The logic behind your countermeasure is that forgery attempts are very easy to detect and by shutting down for a minute after 2 forgery attempts within one second, Bob needs an average of half a million minutes to get his packet through, or about one year. And that's an acceptable risk. Yes. That seems more work for Bob than breaking into the office and tapping directly into the Ethernet cables, which is the original security goal of WEP. [...] There are three important differences between the Michael countermeasure DOS attack and the packet canceling attack you described earlier. First, the Michael attack is much easier to program, hence more likely to happen. Second, since it is new and specific to the touted WPA, it will be especially attractive to hackers, while at the same time more damaging to WPA's reputation. We all know it only takes one smart programmer to program it, and then the attack becomes just a tool. My DOS attack is also a super-slick one. You can think up many other ones that are much simpler to program, like disturbing the beacon or sending false beacons. Besides, I don't understand where you want to go with this argument. You argue for a configuration switch to switch of the countermeasures. The basic forgery attack still exists, so now the attacker can do the DOS attack and get the countermeasures switched off. Are you saying that Michael without countermeasures is secure enough? Third, the countermeasure attack is inherently very hard to detect while I believe there are defenses against the packet cancelling attack that force the attacker to make lots of transmissions. As I mentioned, TCP/IP packets can be encapsulated in a layer above 802.11. Also two stations on the same wireless network that also had a wired link could collude to force the attacker into transmitting more. 
These aren't great defenses, but they could be developed fairly quickly if packet cancelling attacks became a problem.

Not if you cancel the ARP packets for new stations. And the attacker would detect these colluding stations and ignore their packets anyway. And I can think of several more DOS attacks against 802.11, but I don't have the time now to work out the details.

Then why not have two levels of strength, one what is now proposed and the second with a stronger MIC, perhaps Michael with more rounds as you suggest, and let the user choose? And why not insist that 802.11a use the stronger mode? Because it is just coming out, 802.11a has no installed base and there is less crud on its 5 GHz band. It is also much faster so it will require more powerful processors anyway and any forgery attack will take much less time. I sense a shift in argument here from We had to retrofit existing systems and did the best we could, which I can buy for 802.11b but not in the 802.11a case, to We don't care about DOS attacks, so we won't increase hardware cost a dime to defeat them. That is exactly what
Re: DOS attack on WPA 802.11?
At 12:03 11/11/02 -0500, Arnold G. Reinhold wrote:

[...]

One of the tenets of cryptography is that new security systems deserve to be beaten on mercilessly without deference to their creator.

I quite agree.

And I would argue that the Michael countermeasure is no ordinary design tradeoff. It is rather like a doctor prescribing a drug with severe side effects on the theory that it is the only way to save the patient's life, something that should be done only with the greatest caution:

Here I disagree. The Michael countermeasures do not introduce any danger that does not already exist in the system. Therefore, removing the countermeasures has no beneficial effects.

[...]

about it. All they have to do is write some code that sends a couple of bad packets every minute or so to any network it finds. This won't even be noticed by 802.11 nets that aren't using WPA, but those that are will be severely disrupted. Guess what will happen? The network administrators attacked will turn WPA off. As word spreads, other net admins won't even bother turning it on. They are overburdened anyway and installing WPA won't be a picnic.

[...]

I would argue that the Michael countermeasure DOS attack breaks WPA security as effectively as a cryptographic attack. It's simple, it's practical, it's specific to WPA, and could even be spread by virus. And if such an attack occurs, it will generate as much bad press as a cryptographic attack. How will the WiFi Alliance respond? Issue a press release pointing out that other DOS possibilities exist in ordinary 802.11? And how much credibility will be left when 802.11i is finally ready?

As I mentioned before, there are generic DOS attacks against 802.11 that require very few transmissions. These can be used to mount the same attack against WEP, WPA, the future AES-based security protocols, or any other security protocol on top of 802.11. It is thus not specific to Michael or the Michael countermeasures.
It is a very valid criticism of the system, just not of Michael.

o Second, the doctor should be certain of the diagnosis. Is the patient's life really in danger? In this case that means asking how easy it really is to break Michael. Normally, cryptographers should be extremely conservative in assessing the strength of an algorithm. But when the response to perceived weakness is to add a different vulnerability, I would argue that the test should be what is realistic, not the ultra conservative worst case. The Intel article said the best known attack is a 29-bit differential cryptanalysis. How practical is that? Does it require vast amounts of chosen plain text?

That is the currently best-known attack on Michael. It means that an attacker can forge a packet with probability around 2^-29. That is the probability of success for each attempted forgery. If you let him try 1000 packets per second, then we expect the first successful forgery within a week. I only spent a limited amount of time searching for the best possible attack. We have to assume that the attack will be improved somehow. Before you know it you are down to a timescale of hours or seconds. Currently we have a factor of 2^9 between the design strength of Michael and the best known attack. That is a _very_ small factor for a newly invented cryptographic function. We cut it as close as we dared, and much closer than I feel happy with.

If there is no practical Michael busting attack on the horizon, then the objection to allowing users to turn the countermeasure off, perhaps with a warning that doing so risks security, seems harder to understand.

Attacking Michael without countermeasures is practical right now. Giving the user the option to destroy security is not a good idea. The article you quoted points out that the vast majority of networks are misconfigured. The obvious lesson is _not_ to provide configuration options that result in insecure networks.
If you want an insecure network that is not vulnerable to the countermeasures DOS attack, you can switch to WEP or switch off all security. This goes back to the TGi mantra: We have enough efficient insecure protocols. We don't need another one.

o Third, the doctor should be certain that no other treatments are available. The question of whether a significantly stronger MIC can be created within the limited computational budget available is still an interesting one. I hope more details about the algorithm and the constraints, both in time and space for object code, will be available very soon, if they are not already. If something markedly better were developed in the next few months, perhaps the WiFi Alliance could be persuaded to drop it in before release. At worst, work in this area could be a useful backup in case AES-based solutions prove too cumbersome to retrofit. I have some preliminary ideas based on what I read in the Intel paper, but I will put them in a separate message.

Michael was the best I could come
Re: DOS attack on WPA 802.11?
TGi has NEVER been all that interested in DOS attacks because a number of people argued that all you need to do is turn on a spark gap transmitter. While this is true, I think it is harder (one can argue how much) to get a spark gap transmitter and use it correctly than a laptop, NIC card, and parabolic dish. As a result, the threat class becomes much larger than it should be. And BTW, you can do all sorts of DOS attacks against the base .11 protocol (sending management, EAP, etc. frames willy nilly; see http://802.11ninja.net/ as an example).

I think the bigger concern with the Michael countermeasures is: 1. Will the vendors implement them, and 2. Will they be implemented correctly? Ideally, the compliance checking will ensure this...but then again..

TGi had to do a delicate balancing act between finding a solution that can be implemented in firmware, and actually makes some improvements. I think they did a reasonable job with WPA1 considering the engineering challenges.

On Thursday, Nov 7, 2002, at 21:07 US/Eastern, Niels Ferguson wrote: Yes, the Michael countermeasures allow a DOS attack. This was widely discussed in 802.11-TGi before the countermeasures were accepted.
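The countermeasure rule quoted in this thread from the Walker article, and the forgery-rate figures from Niels Ferguson's reply, modelled as an added example (not code from the thread or from any 802.11 implementation). The class and function names, the alert list and the frame trace are constructed for illustration; a model like this can serve as a reference when checking how an implementation behaves.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MichaelCountermeasure:
    """Receiver-side rule as quoted in the thread: two MIC failures within
    one second -> delete keys, disassociate, stay down for a minute."""
    window_s: float = 1.0     # failure window, per the quoted article
    holddown_s: float = 60.0  # "waits a minute"; the time-out debated in the thread
    last_failure: Optional[float] = None
    blocked_until: float = 0.0
    alerts: List[Tuple[float, str]] = field(default_factory=list)  # hypothetical log hook

    def on_frame(self, now: float, mic_ok: bool) -> str:
        if now < self.blocked_until:
            return "dropped"                      # no keys: nothing is accepted
        if mic_ok:
            return "accepted"
        prev, self.last_failure = self.last_failure, now
        if prev is not None and now - prev <= self.window_s:
            self.blocked_until = now + self.holddown_s
            self.last_failure = None              # counting restarts after rekey
            self.alerts.append((now, "holddown-started"))
            return "holddown"
        self.alerts.append((now, "mic-failure"))
        return "rejected"


def replay(trace, cm=None):
    """Feed (time, mic_ok) pairs through the model and count the outcomes."""
    cm = cm or MichaelCountermeasure()
    counts = {"accepted": 0, "dropped": 0, "rejected": 0, "holddown": 0}
    for now, mic_ok in sorted(trace):
        counts[cm.on_frame(now, mic_ok)] += 1
    return counts, cm.alerts


def expected_days_to_forgery(security_bits: int, attempts_per_s: float) -> float:
    """Mean time to one accepted forgery when each attempt succeeds with
    probability 2**-security_bits (geometric distribution, mean 2**bits tries)."""
    return (2 ** security_bits) / attempts_per_s / 86400.0


# Constructed trace: valid frames every 10 s for two minutes, plus two
# frames with bad MICs 0.4 s apart.
TRACE = [(float(t), True) for t in range(0, 120, 10)] + [(5.0, False), (5.4, False)]

if __name__ == "__main__":
    counts, alerts = replay(TRACE)
    print(counts, alerts)
    # Figures from the thread: 2^-29 at 1000 attempts/s, and the 20-bit
    # design strength at two attempts per minute under the countermeasure.
    print(round(expected_days_to_forgery(29, 1000), 1), "days")
    print(round(expected_days_to_forgery(20, 2 / 60), 1), "days")
```

Setting `holddown_s` to 0 keeps every valid frame in the trace but leaves forgery attempts unthrottled, which is the trade-off the thread argues over.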
DOS attack on WPA 802.11?
The new Wi-Fi Protected Access scheme (WPA), designed to replace the discredited WEP encryption for 802.11b wireless networks, is a major and welcome improvement. However it seems to have a significant vulnerability to denial of service attacks. This vulnerability results from the proposed remedy for the self-admitted weakness of the Michael message integrity check (MIC) algorithm.

To be backward compatible with the millions of 802.11b units already in service, any MIC algorithm must operate within a very small computing budget. The algorithm chosen, called Michael, is spec'd as offering only 20 bits of effective security.

According to an article by Jesse Walker of Intel http://cedar.intel.com/media/pdf/security/80211_part2.pdf :

This level of protection is much too weak to afford much benefit by itself, so TKIP complements Michael with counter-measures. The design goal of the counter-measures is to throttle the utility of forgery attempts, limiting knowledge the attacker gains about the MIC key. If a TKIP implementation detects two failed forgeries in a second, the design assumes it is under active attack. In this case, the station deletes its keys, disassociates, waits a minute, and then reassociates. While this disrupts communications, it is necessary to thwart active attack. The countermeasures thus limits the expected number of undetected forgeries such an adversary might generate to about one per year per station.

Unfortunately the countermeasures cure may invite a different disease. It would appear easy to mount a denial of service attack by simply submitting two packets with bad MIC tags in quick succession. The access point then shuts down for a minute or more. When it comes back up, one repeats the attack. All the attacker needs is a laptop or hand held computer with an 802.11b card and a little software.
Physically locating the attacker is made much more difficult than for an ordinary RF jammer by the fact that only a couple of packets per minute need be transmitted. Also the equipment required has innocent uses, unlike a jammer, so prosecuting an apprehended suspect would be more difficult.

The ability to deny service might be very useful to miscreants in some circumstances. For example, an 802.11b network might be used to coordinate surveillance systems at some facility or event. With 802.11b exploding in popularity, it is impossible to foresee all the mission critical uses it might be put to.

Here are a couple of suggestions to improve things, one easier, the other harder. The easier approach is to make the WPA response to detected forgeries more configurable. The amount of time WPA stays down after two forgeries might be a parameter, for example. It should be possible to turn the countermeasures off completely. Some users might find the consequences of forgeries less than that of lost service. For a firm offering for-fee public access, a successful forgery attack might merely allow free riding by the attacker, while denied service could cost much more in lost revenue and reputation.

Another way to make WPA's response more configurable would be for the access point to send a standard message to a configurable IP address on the wire side whenever it detects an attack. This could alert security personnel to scan the parking lot or switch the access point to be outside the corporate firewall. The message also might quote the forged packets, allowing them to be logged. Knowing the time and content of forged packets could also be useful to automatic radio frequency direction finding equipment. As long as some basic hooks are in place, other responses to forgery attack could be developed without changing the standard.

The harder approach is to replace Michael with a suitable but stronger algorithm (Michelle?).
I am willing to assume that Michael's designer, Niels Ferguson, did a fine job within the constraints he faced. But absent a proof that what he created is absolutely optimal, improving on it seems a juicy cryptographic problem. How many bits of protection can you get on a tight budget? What if you relaxed the budget a little, so it ran on say 80% of installed access points? A public contest might be in order.

Clearly, WPA is needed now and can't wait for investigation and vetting of a new MIC. But if a significantly improved MIC were available in a year or so, it could be included as an addendum or as part of the 802.11i specification.

Some might say that 802.11i's native security will be much better, so why bother? My answer is that 802.11i will not help much unless WPA compatibility is shut off. And with so many millions of 802.11 cards in circulation that are not .11i ready, that won't happen in most places for a long time. On the other hand, an upgraded MIC could be adopted by an organization that wished improved security with modest effort. Backward compatibility could be maintained, with a
Re: DOS attack on WPA 802.11?
On Thu, 7 Nov 2002, Arnold G. Reinhold wrote: Date: Thu, 7 Nov 2002 16:17:48 -0500 From: Arnold G. Reinhold [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: DOS attack on WPA 802.11?

The new Wi-Fi Protected Access scheme (WPA), designed to replace the discredited WEP encryption for 802.11b wireless networks, is a major and welcome improvement. However it seems to have a significant vulnerability to denial of service attacks. This vulnerability results from the proposed remedy for the self-admitted weakness of the Michael message integrity check (MIC) algorithm.

Needless to say, this has been discussed time and time again in the meetings and on the mailing list of IEEE 802.11i.

To be backward compatible with the millions of 802.11b units already in service, any MIC algorithm must operate within a very small computing budget. The algorithm chosen, called Michael, is spec'd as offering only 20 bits of effective security.

That's right, there is this TKIP branch of 802.11i to support the 15,000,000+ legacy units out there. If you can come up with a better MIC that almost all of them can support with just a firmware upgrade, you are welcome to submit it but to overcome the current commitment it would need to be substantially better and out pretty quick.

According to an article by Jesse Walker of Intel http://cedar.intel.com/media/pdf/security/80211_part2.pdf :

This level of protection is much too weak to afford much benefit by itself, so TKIP complements Michael with counter-measures. The design goal of the counter-measures is to throttle the utility of forgery attempts, limiting knowledge the attacker gains about the MIC key. If a TKIP implementation detects two failed forgeries in a second, the design assumes it is under active attack. In this case, the station deletes its keys, disassociates, waits a minute, and then reassociates. While this disrupts communications, it is necessary to thwart active attack.
The countermeasures thus limits the expected number of undetected forgeries such an adversary might generate to about one per year per station.

Unfortunately the countermeasures cure may invite a different disease. It would appear easy to mount a denial of service attack by simply submitting two packets with bad MIC tags in quick succession. The access point then shuts down for a minute or more. When it comes back up, one repeats the attack. All the attacker needs is a laptop or hand held computer with an 802.11b card and a little software. Physically locating the attacker is made much more difficult than for an ordinary RF jammer by the fact that only a couple of packets per minute need be transmitted. Also the equipment required has innocent uses, unlike a jammer, so prosecuting an apprehended suspect would be more difficult.

So throw all your legacy hardware in the trash (or sell it on eBay), get only new hardware, and don't enable TKIP, if you are so worried about this.

The ability to deny service might be very useful to miscreants in some circumstances. For example, an 802.11b network might be used to coordinate surveillance systems at some facility or event. With 802.11b exploding in popularity, it is impossible to foresee all the mission critical uses it might be put to.

Mission critical uses on an unlicensed band where 802.11b gets to fight it out with Bluetooth, cordless phones, diathermy machines, and who knows what else? (at least efforts are underway to coordinate with Bluetooth)

Here are a couple of suggestions to improve things, one easier, the other harder. The easier approach is to make the WPA response to detected forgeries more configurable. The amount of time WPA stays down after two forgeries might be a parameter, for example. It should be possible to turn the countermeasures off completely. Some users might find the consequences of forgeries less than that of lost service.
For a firm offering for-fee public access, a successful forgery attack might merely allow free riding by the attacker, while denied service could cost much more in lost revenue and reputation.

I think the feeling was there are lots of ways you can run insecure if you want. Like just using WEP. If you want to be secure with legacy hardware, you need countermeasures. If you don't want to be secure, you don't need any of TKIP or the rest of 802.11i.

Another way to make WPA's response more configurable would be for the access point to send a standard message to a configurable IP address on the wire side whenever it detects an attack. This could alert security personnel to scan the parking lot or switch the access point to be outside the corporate firewall. The message also might quote the forged packets, allowing them to be logged. Knowing the time and content of forged packets could also be useful to automatic radio frequency direction finding equipment. As long as some basic