DOS attack on WPA 802.11?

Arnold G. Reinhold reinhold at world.std.com
Mon Nov 11 12:03:31 EST 2002


I appreciate Niels Ferguson responding to my concerns in such detail. 
I don't want to give the impression that I object to WPA on the 
whole. That is why I said "major and welcome improvement" in my 
opening sentence. I am particularly mollified by Niels' statement 
that "most existing cards will be useable with 802.11i by putting a 
lot of the cryptographic processing onto the laptop."  If AES based 
solutions are available in a year or two that do not require selling 
all our old hardware on eBay, then WPA is indeed good news.

Still, I feel additional discussion is in order.  One of the tenets 
of cryptography is that new security systems deserve to be beaten on 
mercilessly without deference to their creator.  And I would argue 
that the Michael countermeasure is no ordinary design tradeoff. It is 
rather like a doctor prescribing a drug with severe side effects on 
the theory that it is the only way to save the patient's life, 
something that should be done only with the greatest caution:

o First, the doctor should be sure that the side effects aren't as 
bad as the disease.
There is a community of "wardrivers," people who look for 802.11b 
networks they can access. Even assuming most of them are ethical 
hacker types, who will good naturedly find something else to do when 
WPA starts to spread, there might be a few who are less sporting 
about it.  All they have to do is write some code that sends a couple 
of bad packets every minute or so to any network it finds.  This 
won't even be noticed by 802.11 nets that aren't using WPA, but those 
that are will be severely disrupted. Guess what will happen? The 
network administrators attacked will turn WPA off.  As word spreads, 
other net admins won't even bother turning it on.  They are 
overburdened anyway and installing WPA won't be a picnic.

Here is a story from today's Security Wire Digest:

At 2:00 AM -0600 11/11/02, Security_Wire_Digest at bdcimail.com wrote:
>*STILL AN INSECURE WIRELESS WORLD
>By Michael Fitzgerald
>The results of the second World War Drive are in, and they don't look good
>for wireless security.
>
>Of the almost 25,000 wireless access points surveyed, only 35 percent used
>Service Set Identifier (SSID), a default security feature in the 802.11b
>protocol. Only 28 percent had Wired Equivalent Privacy (WEP) enabled. Of
>those using SSID, less than 4 percent also use WEP. The issue comes down
>to management information system (MIS) staffing, says Pete Shipley, an
>independent security consultant.
>
>"It's a key distribution problem," Shipley says. "When you're in the
>corporate environment with a large number of laptops deploying wireless,
>without encryption you pretty much hand out a wireless card and it works.
>With WEP, you have to configure the system."
>
>While not difficult, the effort requires time, and MIS staffs typically
>have more pressing issues than wireless security. Shipley thinks that as
>security becomes more important to companies, they will revisit their
>wireless security setup.
>...
>http://www.worldwidewardrive.org

I would argue that the Michael countermeasure DOS attack breaks WPA 
security as effectively as a cryptographic attack. It's simple, it's 
practical, it's specific to WPA, and could even be spread by virus. 
And if such an attack occurs, it will generate as much bad press as a 
cryptographic attack. How will the WiFi Alliance respond? Issue a 
press release pointing out that other DOS possibilities exist in 
ordinary 802.11? And how much credibility will be left when 802.11i 
is finally ready?


o Second, the doctor should be certain of the diagnosis.
Is the patient's life really in danger? In this case that means 
asking how easy it really is to break Michael. Normally, 
cryptographers should be extremely conservative in assessing the 
strength of an algorithm.  But when the response to perceived 
weakness is to add a different vulnerability,  I would argue that the 
test should be what is realistic, not the ultra conservative worst 
case.  The Intel article said the best known attack is a 29-bit 
differential cryptanalysis. How practical is that? Does it require 
vast amounts of chosen plain text?

If there is no practical Michael busting attack on the horizon, then 
the objection to allowing users to turn the countermeasure off, 
perhaps with a warning that doing so risks security, seems harder to 
understand.


o Third, the doctor should be certain that no other treatments are available.
The question of whether a significantly stronger MIC can be created 
within the limited computational budget available is still an 
interesting one. I hope more details about the algorithm and the 
constraints, both in time and space for object code, will be 
available very soon, if they are not already.  If something markedly 
better were developed in the next few months, perhaps the WiFi 
Alliance could be persuaded to drop it in before release.  At worst, 
work in this area could be a useful backup in case AES-based 
solutions prove too cumbersome to retrofit.  I have some preliminary 
ideas based on what I read in the Intel paper, but I will put them in 
a separate message.


o Then there is the notion (which is never supposed to cross a 
doctor's mind) that the patient's job isn't vital so why worry?
I take issue with the proposition that users can be expected to 
avoid 802.11 for mission critical applications.  One of the main 
reasons for the explosive growth of this technology is that it 
enables non-technically trained people to build networks in a simple 
plug-and-play way. These people expect stuff they buy to work and 
will use these systems in ways we never imagine.

And why shouldn't they? The marketing for WiFi is very aggressive. 
The WPA press release uses the word "robust" three times in two 
paragraphs. I could find nothing on the WiFi Alliance page 
http://www.wi-fi.org that cautions users against mission critical 
applications. Yes, there is that little FCC Part 15.19 notice on the 
box that says you are subject to interference, but every product 
comes festooned with warning labels these days.

The economics of WiFi mass adoption mean that other solutions will 
become too expensive, if any are available at all. Even if a system 
designer wants to avoid the risks of using 802.11, his boss may axe 
the extra cost. Then there is the question of the third world, where 
often no hard wired infrastructure exists. In many impoverished 
regions, wireless solutions are providing the first and only Internet 
connectivity. You can be sure mission critical applications will use 
it.


o Some doctors might justify a risky drug because the patient has 
several other diseases that could be fatal. 
The argument that wireless solutions don't have to worry about DOS 
attacks because there are so many of them smacks of this. WiFi is a 
huge success and with that success comes a responsibility to keep 
improving the product and eliminate known risks.

Take the packet cancelling attack Niels described.  There may well be 
defenses that could be developed against packet cancelling. The 
higher level attacks he described could be dealt with by 
encapsulating over-the-air TCP/IP packets in encrypted envelopes, 
perhaps padded to standard lengths. Even the low level packet 
canceling technique itself might be defeated if the receiver cards 
can be persuaded to report all bad packets.  If we are using 
military-strength crypto, why not use military strength antijam? 
There is a lot of AJ technology developed for military use that could 
be employed. Indeed the spread spectrum underpinnings for 802.11 come 
from that world.  In my opinion, this attack ought to be on the 
agenda for 802.11i. And in any case, the packet cancelling attack is 
a lot more complex than the Michael countermeasure attack I posited.

The legal obstacles to pursuing DOS attackers also are a poor excuse. 
I am not a lawyer, but as I understand things, the problem arises in 
the U.S. because WiFi is authorized under FCC Part 15 rules, and 
those rules state that users of Part 15 devices have to accept 
interference from other users.  Still, if the interference is 
intentional, there may be bases for actions under a variety of 
federal laws.  For example, 47 USC 333:

"No person shall willfully or maliciously interfere with or cause 
interference to any radio communications of any station licensed or 
authorized by or under this chapter or operated by the United States 
Government." (1 year in jail per 47 USC 501). If the network is used 
by a US Government site or someone doing defense work, 18 USC 1362 
would kick in, with 10 year sentences.

Active attacks, such as the Michael countermeasure DOS attack or 
packet canceling, would seem to come under the anti-hacking law 18 
USC 1030a5A:  "knowingly causes the transmission of a program, 
information, code, or command, and as a result of such conduct, 
intentionally causes damage without authorization, to a protected 
computer"  (5 years). The recent anti-terrorism law broadened the 
definition of "damage."

The law in other countries is probably less finicky.  And the U.S. 
Congress seems generally willing to expand the anti-hacking laws to 
cover new problems.  The notion that a large part of the national 
data communication infrastructure will enjoy no protection from 
malicious attack is simply untenable long term. What is going to 
happen when hospitals start buying computers with Bluetooth 
peripherals?


o I'm aware of the old adage "the best is the enemy of the good." 
WPA is good and reflects a lot of hard work but the Michael 
countermeasure makes me uncomfortable. I suspect there are ways to 
fix it, even in the short time available.


Arnold Reinhold
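The disruption described in the "First" point above (a couple of bad packets a minute tripping the Michael countermeasure) is something a network administrator can measure before deciding how to respond. The following is an added example, not code from the original post or from Arnold Reinhold: a small Python detector that reads access-point log lines, counts TKIP MIC failures per AP in a sliding window, and reports each point at which the countermeasure would have fired and how much enforced downtime resulted. The log line format, the AP names, the station addresses and the timestamps are all constructed for the example; the default thresholds (two MIC failures within 60 seconds, followed by a 60-second shutdown) are the values 802.11i/TKIP specifies for the countermeasure, which the post itself does not spell out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not any real AP vendor's or
# hostapd's format): one line per TKIP MIC failure the access point records.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ap>\S+) "
    r"TKIP: MIC failure sta=(?P<sta>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$"
)

# Constructed sample log: ap-lobby sees short bursts of bad packets, ap-lab
# sees one isolated failure, and one unrelated line must be ignored.
SAMPLE_LOG = [
    "2002-11-11T12:00:05 ap-lobby TKIP: MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:00:20 ap-lobby TKIP: MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:00:21 ap-lobby STA 00:11:22:33:44:55 deauthenticated",
    "2002-11-11T12:01:30 ap-lobby TKIP: MIC failure sta=00:11:22:33:44:66",
    "2002-11-11T12:01:40 ap-lobby TKIP: MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:02:10 ap-lobby TKIP: MIC failure sta=00:11:22:33:44:55",
    "2002-11-11T12:03:00 ap-lobby TKIP: MIC failure sta=00:11:22:33:44:77",
    "2002-11-11T12:03:05 ap-lab TKIP: MIC failure sta=00:aa:bb:cc:dd:ee",
]


def parse_mic_failures(lines):
    """Yield (timestamp, ap, station) for each MIC-failure line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ap"], m["sta"]


def detect_countermeasure_triggers(lines, window_s=60, threshold=2, holdoff_s=60):
    """Return [(ap, trigger_time)] for every point where the AP would have
    entered Michael countermeasures: `threshold` failures inside `window_s`
    seconds. Defaults follow 802.11i/TKIP (two failures in 60 s, then a 60 s
    shutdown). Failures logged while the AP is already shut down are ignored,
    since the countermeasure is already running.
    """
    recent = defaultdict(deque)   # ap -> failure timestamps inside the window
    down_until = {}               # ap -> end of its current shutdown, if any
    triggers = []
    window = timedelta(seconds=window_s)
    for ts, ap, _sta in parse_mic_failures(lines):
        if ap in down_until and ts < down_until[ap]:
            continue
        q = recent[ap]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            triggers.append((ap, ts))
            down_until[ap] = ts + timedelta(seconds=holdoff_s)
            q.clear()                     # the shutdown resets the counter
    return triggers


def summarize_outage(triggers, holdoff_s=60):
    """Per AP: how many times the countermeasure fired and the resulting
    seconds of enforced downtime (each trigger costs `holdoff_s`)."""
    summary = {}
    for ap, _ts in triggers:
        entry = summary.setdefault(ap, {"triggers": 0, "outage_s": 0})
        entry["triggers"] += 1
        entry["outage_s"] += holdoff_s
    return summary


if __name__ == "__main__":
    hits = detect_countermeasure_triggers(SAMPLE_LOG)
    for ap, ts in hits:
        print(f"{ap}: countermeasure triggered at {ts:%H:%M:%S}")
    print(summarize_outage(hits))
```

On the constructed sample, ap-lobby trips the countermeasure twice (at 12:00:20 and 12:01:40) for 120 seconds of enforced downtime, the failure at 12:02:10 is absorbed by the shutdown already in progress, and ap-lab's single failure raises nothing. A frame has to pass the FCS and the WEP ICV before Michael is even checked, so repeated MIC failures are far more likely to be deliberate than radio noise; a count like this, per AP and per hour, gives an administrator evidence of what is happening and how much downtime it costs before falling back on the response the post predicts, turning WPA off.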



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com