DOS attack on WPA 802.11?
Arnold G. Reinhold
reinhold at world.std.com
Mon Nov 11 12:03:31 EST 2002
I appreciate Niels Ferguson responding to my concerns in such detail.
I don't want to give the impression that I object to WPA on the
whole. That is why I said "major and welcome improvement" in my
opening sentence. I am particularly mollified by Niels' statement
that "most existing cards will be useable with 802.11i by putting a
lot of the cryptographic processing onto the laptop." If AES based
solutions are available in a year or two that do not require selling
all our old hardware on eBay, then WPA is indeed good news.
Still, I feel additional discussion is in order. One of the tenets
of cryptography is that new security systems deserve to be beaten on
mercilessly without deference to their creator. And I would argue
that the Michael countermeasure is no ordinary design tradeoff. It is
rather like a doctor prescribing a drug with severe side effects on
the theory that it is the only way to save the patient's life,
something that should be done only with the greatest caution:
o First, the doctor should be sure that the side effects aren't as
bad as the disease.
There is a community of "wardrivers," people who look for 802.11b
networks they can access. Even assuming most of them are ethical
hacker types, who will good-naturedly find something else to do when
WPA starts to spread, there might be a few who are less sporting
about it. All they have to do is write some code that sends a couple
of bad packets every minute or so to any network it finds. This
won't even be noticed by 802.11 nets that aren't using WPA, but those
that are will be severely disrupted. Guess what will happen? The
network administrators attacked will turn WPA off. As word spreads,
other net admins won't even bother turning it on. They are
overburdened anyway and installing WPA won't be a picnic.
Here is a story from today's Security Wire Digest:
At 2:00 AM -0600 11/11/02, Security_Wire_Digest at bdcimail.com wrote:
>*STILL AN INSECURE WIRELESS WORLD
>By Michael Fitzgerald
>The results of the second World War Drive are in, and they don't look good
>for wireless security.
>
>Of the almost 25,000 wireless access points surveyed, only 35 percent used
>Service Set Identifier (SSID), a default security feature in the 802.11b
>protocol. Only 28 percent had Wired Equivalent Privacy (WEP) enabled. Of
>those using SSID, less than 4 percent also use WEP. The issue comes down
>to management information system (MIS) staffing, says Pete Shipley, an
>independent security consultant.
>
>"It's a key distribution problem," Shipley says. "When you're in the
>corporate environment with a large number of laptops deploying wireless,
>without encryption you pretty much hand out a wireless card and it works.
>With WEP, you have to configure the system."
>
>While not difficult, the effort requires time, and MIS staffs typically
>have more pressing issues than wireless security. Shipley thinks that as
>security becomes more important to companies, they will revisit their
>wireless security setup.
>...
>http://www.worldwidewardrive.org
I would argue that the Michael countermeasure DOS attack breaks WPA
security as effectively as a cryptographic attack. It's simple, it's
practical, it's specific to WPA, and could even be spread by virus.
And if such an attack occurs, it will generate as much bad press as a
cryptographic attack. How will the WiFi Alliance respond? Issue a
press release pointing out that other DOS possibilities exist in
ordinary 802.11? And how much credibility will be left when 802.11i
is finally ready?
o Second, the doctor should be certain of the diagnosis.
Is the patient's life really in danger? In this case that means
asking how easy it really is to break Michael. Normally,
cryptographers should be extremely conservative in assessing the
strength of an algorithm. But when the response to perceived
weakness is to add a different vulnerability, I would argue that the
test should be what is realistic, not the ultra conservative worst
case. The Intel article said the best known attack is a 29-bit
differential cryptanalysis. How practical is that? Does it require
vast amounts of chosen plain text?
If there is no practical Michael busting attack on the horizon, then
the objection to allowing users to turn the countermeasure off,
perhaps with a warning that doing so risks security, seems harder to
understand.
o Third, the doctor should be certain that no other treatments are available.
The question of whether a significantly stronger MIC can be created
within the limited computational budget available is still an
interesting one. I hope more details about the algorithm and the
constraints, both in time and space for object code, will be
available very soon, if they are not already. If something markedly
better were developed in the next few months, perhaps the WiFi
Alliance could be persuaded to drop it in before release. At worst,
work in this area could be a useful backup in case AES-based
solutions prove too cumbersome to retrofit. I have some preliminary
ideas based on what I read in the Intel paper, but I will put them in
a separate message.
o Then there is the notion (which is never supposed to cross a
doctor's mind) that the patient's job isn't vital so why worry?
I take issue with the proposition that users can be expected to
avoid 802.11 for mission critical applications. One of the main
reasons for the explosive growth of this technology is that it
enables non-technically trained people to build networks in a simple
plug-and-play way. These people expect stuff they buy to work and
will use these systems in ways we never imagine.
And why shouldn't they? The marketing for WiFi is very aggressive.
The WPA press release uses the word "robust" three times in two
paragraphs. I could find nothing on the WiFi Alliance page
http://www.wi-fi.org that cautions users against mission critical
applications. Yes, there is that little FCC Part 15.19 notice on the
box that says you are subject to interference, but every product
comes festooned with warning labels these days.
The economics of WiFi mass adoption mean that other solutions will
become too expensive, if any are available at all. Even if a system
designer wants to avoid the risks of using 802.11, his boss may axe
the extra cost. Then there is the question of the third world, where
often no hard wired infrastructure exists. In many impoverished
regions, wireless solutions are providing the first and only Internet
connectivity. You can be sure mission critical applications will use
it.
o Some doctors might justify a risky drug because the patient has
several other diseases that could be fatal.
The argument that wireless solutions don't have to worry about DOS
attacks because there are so many of them smacks of this. WiFi is a
huge success and with that success comes a responsibility to keep
improving the product and eliminate known risks.
Take the packet cancelling attack Niels described. There may well be
defenses that could be developed against packet cancelling. The
higher level attacks he described could be dealt with by
encapsulating over-the-air TCP/IP packets in encrypted envelopes,
perhaps padded to standard lengths. Even the low level packet
canceling technique itself might be defeated if the receiver cards
can be persuaded to report all bad packets. If we are using
military-strength crypto, why not use military strength antijam?
There is a lot of AJ technology developed for military use that could
be employed. Indeed the spread spectrum underpinnings for 802.11 come
from that world. In my opinion, this attack ought to be on the
agenda for 802.11i. And in any case, the packet cancelling attack is
a lot more complex than the Michael countermeasure attack I posited.
The legal obstacles to pursuing DOS attackers also are a poor excuse.
I am not a lawyer, but as I understand things, the problem arises in
the U.S. because WiFi is authorized under FCC Part 15 rules, and
those rules state that users of Part 15 devices have to accept
interference from other users. Still, if the interference is
intentional, there may be bases for actions under a variety of
federal laws. For example, 47 USC 333:
"No person shall willfully or maliciously interfere with or cause
interference to any radio communications of any station licensed or
authorized by or under this chapter or operated by the United States
Government." (1 year in jail per 47 USC 501). If the network is used
by a US Government site or someone doing defense work, 18 USC 1362
would kick in, with 10 year sentences.
Active attacks, such as the Michael countermeasure DOS attack or
packet canceling, would seem to come under the anti-hacking law 18
USC 1030a5A: "knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer" (5 years). The recent anti-terrorism law broadened the
definition of "damage."
The law in other countries is probably less finicky. And the U.S.
Congress seems generally willing to expand the anti-hacking laws to
cover new problems. The notion that a large part of the national
data communication infrastructure will enjoy no protection from
malicious attack is simply untenable long term. What is going to
happen when hospitals start buying computers with Bluetooth
peripherals?
o I'm aware of the old adage "the best is the enemy of the good."
WPA is good and reflects a lot of hard work but the Michael
countermeasure makes me uncomfortable. I suspect there are ways to
fix it, even in the short time available.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
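The post argues that a handful of bad packets per minute is enough to keep a TKIP network in its Michael countermeasure shutdown. The following is an added example, written for this archive page and not taken from Reinhold's message, the Intel paper, or any vendor's code. It models the countermeasure timing rule as specified for TKIP in IEEE 802.11i (a second MIC failure within 60 seconds disables TKIP traffic for 60 seconds; failures during the shutdown are ignored because the keys have been discarded, and the counter resets afterwards) and runs a defender-side check over access-point log lines. The log format, access-point name and station addresses are constructed for the example; the point is to let an administrator quantify from logs how much of the time the link was actually disabled, which is the number that decides whether to leave the countermeasure on.

```python
import re
from datetime import datetime

# Countermeasure parameters as specified for TKIP in IEEE 802.11i (assumption stated in the lead-in).
MIC_FAILURE_WINDOW = 60.0  # seconds: a second MIC failure inside this window triggers the countermeasure
SHUTDOWN_DURATION = 60.0   # seconds during which TKIP traffic is disabled


def simulate_countermeasure(failure_times, horizon):
    """Model the countermeasure over the interval [0, horizon].

    failure_times: ascending timestamps (seconds) of MIC failures that reach the receiver.
    Returns (seconds_disabled, number_of_shutdowns).
    Failures arriving while disabled are ignored: the keys are discarded during the
    shutdown, so no MIC is checked. The failure count resets after each shutdown.
    """
    disabled = 0.0
    shutdowns = 0
    disabled_until = 0.0
    first_failure = None
    for t in failure_times:
        if t < disabled_until:
            continue
        if first_failure is not None and t - first_failure <= MIC_FAILURE_WINDOW:
            shutdowns += 1
            disabled_until = t + SHUTDOWN_DURATION
            disabled += max(0.0, min(disabled_until, horizon) - t)
            first_failure = None
        else:
            first_failure = t
    return disabled, shutdowns


# Constructed log format for this example: "<ISO timestamp> <ap> TKIP MIC failure sta=<mac>"
LOG_RE = re.compile(r"^(\S+) (\S+) TKIP MIC failure sta=([0-9a-f:]{17})$")


def parse_mic_failures(lines):
    """Extract (timestamp_seconds, ap, station) tuples from log lines; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        events.append((ts, m.group(2), m.group(3)))
    return events


def assess(lines):
    """Summarize MIC failures in a log.

    The FCS and ICV checks already reject randomly corrupted frames before the MIC is
    verified, so MIC failures are not expected in normal operation at all; a steady
    cadence of pairs close together is the signature of the countermeasure being
    exercised deliberately. The returned disabled_fraction is the share of the observed
    period during which the model says TKIP traffic was shut down.
    """
    events = parse_mic_failures(lines)
    if not events:
        return {"failures": 0, "shutdowns": 0, "disabled_fraction": 0.0}
    times = sorted(ts for ts, _, _ in events)
    t0 = times[0]
    rel = [t - t0 for t in times]
    horizon = rel[-1] + SHUTDOWN_DURATION  # observe through the end of any final shutdown
    disabled, shutdowns = simulate_countermeasure(rel, horizon)
    return {
        "failures": len(times),
        "shutdowns": shutdowns,
        "disabled_fraction": round(disabled / horizon, 3),
    }


# Constructed sample log: three pairs of MIC failures roughly a minute apart, plus an unrelated line.
SAMPLE_LOG = [
    "2002-11-11T12:00:00 ap1 TKIP MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:00:01 ap1 TKIP MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:00:30 ap1 assoc sta=00:11:22:33:44:66",
    "2002-11-11T12:01:10 ap1 TKIP MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:01:11 ap1 TKIP MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:02:20 ap1 TKIP MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:02:21 ap1 TKIP MIC failure sta=00:11:22:33:44:55",
]

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

Six bad frames in the sample log keep the modelled link disabled for about 90 percent of the observed period, which is the arithmetic behind the post's claim that a couple of bad packets a minute is enough. An administrator who sees this pattern on a real access point is looking at deliberate traffic, not noise, since random corruption does not survive the FCS and ICV checks that precede the MIC.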