DOS attack on WPA 802.11?

Donald Eastlake 3rd dee3 at torque.pothole.com
Thu Nov 7 22:40:11 EST 2002 

On Thu, 7 Nov 2002, Arnold G. Reinhold wrote:

> Date: Thu, 7 Nov 2002 16:17:48 -0500
> From: Arnold G. Reinhold <reinhold at world.std.com>
> To: cryptography at wasabisystems.com
> Subject: DOS attack on WPA 802.11?
> 
> The new Wi-Fi Protected Access scheme (WPA), designed to replace the 
> discredited WEP encryption for 802.11b wireless networks, is a  major 
> and welcome improvement. However it seems to have a significant 
> vulnerability to denial of service attacks. This vulnerability 
> results from the proposed remedy for the self-admitted weakness of 
> the Michael message integrity check (MIC) algorithm.

Needless to say, this has been discussed time and time again in the 
meetings and on the mailing list of IEEE 802.11i.

> To be backward compatible with the millions of 802.11b units already 
> in service,  any MIC algorithm must operate within a very small 
> computing budget. The algorithm chosen, called Michael,  is spec'd as 
> offering only 20 bits of effective security.

That's right, there is this TKIP branch of 802.11i to support the 
15,000,000+ legacy units out there. If you can come up with a better MIC 
that almost all of them can support with just a firmware upgrade, you 
are welcome to submit it but to overcome the current commitment it would 
need to be substantially better and out pretty quick.

> According to an article by Jesse Walker of Intel 
> http://cedar.intel.com/media/pdf/security/80211_part2.pdf :
> 
> "This level of protection is much too weak to afford much benefit by 
> itself, so TKIP complements Michael with counter-measures. The design 
> goal of the counter-measures is to throttle the utility of forgery 
> attempts, limiting knowledge the attacker gains about the MIC key. If 
> a TKIP implementation detects two failed forgeries in a second, the 
> design assumes it is under active attack. In this case, the station 
> deletes its keys, disassociates, waits a minute, and then 
> reassociates. While this disrupts communications, it is necessary to 
> thwart active attack. The countermeasures thus limits the expected 
> number of undetected forgeries such an adversary might generate to 
> about one per year per station."
> 
> Unfortunately the countermeasures cure may invite a different 
> disease. It would appear easy to mount a denial of service attack by 
> simply submitting two packets with bad MIC tags in quick succession. 
> The access point then shuts down for a minute or more. When it comes 
> back up, one repeats the attack.  All the attacker needs is a laptop 
> or hand held computer with an 802.11b card and a little software. 
> Physically locating the attacker is made much more difficult than for 
> an ordinary RF jammer by the fact that only a couple of packets per 
> minute need be transmitted. Also the equipment required has innocent 
> uses, unlike a jammer, so prosecuting an apprehended suspect would be 
> more difficult.

So throw all your legacy hardware in the trash (or sell it on eBay), get
only new hardware, and don't enable TKIP, if you are so worried about
this.

> The ability to deny service might be very useful to miscreants in 
> some circumstances. For example, an 802.11b network might be used to 
> coordinate surveillance systems at some facility or event.  With 
> 802.11b exploding in popularity, it is impossible to foresee all the 
> mission critical uses it might be put to.

Mission critial uses on an unlicensed band where 802.11b gets to fight
it out with blue tooth, cordless phones, diathermy machines, and who
knows what else? (at least efforts are underway to coordinate with blue
tooth)

> Here are a couple of suggestions to improve things, one easier, the 
> other harder.
> 
> The easier approach is to make the WPA response to detected forgeries 
> more configurable.  The amount of time WPA stays down after two 
> forgeries might be a parameter, for example.  It should be possible 
> to turn the countermeasures off completely. Some users might find the 
> consequences of forgeries less than that of lost service. For a firm 
> offering for-fee public access, a successful forgery attack might 
> merely allow free riding by the attacker, while denied service could 
> cost much more in lost revenue and reputation.

I think the feeling was there are lots of ways you can run insecure if
you want. Like just using WEP. If you want to be secure with legacy
hardware, you need countermeasures. If you don't want to be secure, you 
don't need any of TKIP or the rest of 802.11i.

> Another way to make WPA's response more configurable would be for the 
> access point to send a standard message to a configurable IP address 
> on the wire side when ever it detects an attack. This could alert 
> security personal to scan the parking lot or switch the access point 
> to be outside the corporate firewall. The message also might quote 
> the forged packets, allowing them to be logged.  Knowing the time and 
> content of forged packets could also be useful to automatic radio 
> frequency direction finding equipment. As long as some basic hooks 
> are in place, other responses to forgery attack could be developed 
> without changing the standard.

There is verbage about logging and alerting. Any implementor could add
the specific mechanism you suggest if they wanted.

> The harder approach is to replace Michael with a suitable but 
> stronger algorithm (Michelle?).  I am willing to assume that 
> Michael's designer, Niels Ferguson, did a fine job within the 
> constraints he faced. But absent a proof that what he created is 
> absolutely optimal, improving on it seems a juicy cryptographic 
> problem. How many bits of protection can you get on a tight budget? 
> What if you relaxed the budget a little, so it ran on say 80% of 
> installed access points? A public contest might be in order.

I believe the thinking in 802.11i was that TKIP should run on
essentiallly 100% of the firmware upgradable legacy hardware that
vendors were willing to talk to 802.11i about.

> Clearly, WPA is needed now and can't wait for investigation and 
> vetting of a new MIC. But if a significantly improved MIC were 
> available in a year or so, it could be included as an addendum or as 
> as part of the 802.11i specification.  Some might say that 802.11i's 
> native security will be much better, so why bother? My answer is that 
> 802.11i will not help much unless WPA compatibility is shut off.  And 
> with so many millions of 802.11 cards in circulation that are not 
> ".11i" ready, that won't happen in most places for a long time. On 
> the other hand, an upgraded MIC could  be adopted by an organization 
> that wished improved security with modest effort. Backward 
> compatibility could be maintained, with a countermeasure that simply 
> turned off access by Michael-based cards when a forgery was detected.

In a year, full 802.11i hardware will be shipping (aka WPA v2). Given
that rapid growth in 802.11 is projected to continue at least through
2007, the world will soon be dominated by new hardware.

> Arnold Reinhold

Donald
======================================================================
 Donald E. Eastlake 3rd                       dee3 at torque.pothole.com
 155 Beaver Street              +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA                   Donald.Eastlake at motorola.com



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list