DOS attack on WPA 802.11?

Donald Eastlake 3rd dee3 at torque.pothole.com
Tue Dec 17 20:29:52 EST 2002


On Fri, 13 Dec 2002, Arnold G. Reinhold wrote:

> Date: Fri, 13 Dec 2002 15:52:01 -0500
> From: Arnold G. Reinhold <reinhold at world.std.com>
> To: cryptography at wasabisystems.com
> Cc: David Wagner <daw at mozart.cs.berkeley.edu>,
>      Donald Eastlake 3rd <dee3 at torque.pothole.com>,
>      William Arbaugh <waa at cs.umd.edu>
> Subject: Re: DOS attack on WPA 802.11?
> 
> >...
> 
> The differential attack on Michael, which prompted the addition of 
> the DoS-enabling time-out, involves sending half a billion forged 
> packets for every one packet that gets through.  Why isn't that 
> considered [by the 802.11i Task Group] a "minor and even 
> currently-impractical-to-exploit weakness"?

You can answer this question just as easily as I can. All you have to do 
is read the mind of all the voting members of 802.11.

> >...
> 
> There are 15 million or more 802.11b units out there. The rate at 
> which people are replacing computer hardware has dropped 
> substantially.  It will be a long time before system administrators 
> can simply stop supporting them.  And system administrators are busy 
> folk. Once they install WPA, they will be in no rush to upgrade it.

All predictions I've seen show exponential growth in 802.11 equipment
through 2007. There is tremendous growth in new 802.11 installations and
upgrades to existing implementations. There are corporations that really
care about security and are today forcing everyone using their corporate
net to get wireless cards (and use them even for PCs with built in
wireless) that use proprietary stuff now and are guaranteed upgradable
to the 802.11i standard when it comes out.

> >...
> 
> Why wait a few years when it can be fixed now? 802.11a is a new 
> system. Why introduce a weak MIC on 802.11a when it is completely 
> unnecessary? Replacing Michael with an accepted cryptographic 
> algorithm on 802.11a is a zero risk solution. As for 802.11b, I am 
> simply proposing that the time-out be configurable.  How big a deal 
> is that?

802.11a hardware has been shipping for some time. No one has to build
802.11a systems supporting TKIP if they don't want to. But it would have
been silly to try to somehow restrict TKIP to 802.11b given what a
massive improvement it is over WEP, even though it is not as strong as
CCMP. For 802.11i to spend cycles on a TKIPa for 802.11a would just slow
down getting CCMP out.

> Exactly. The WPA time-out creates a DoS opportunity that is very 
> attacker friendly, only two packets per minute are needed to bring a 
> network down. Triangulating on such an attacker is very difficult.

OK, if you think it is so trivial, please outline the exact steps needed 
to execute this Denial of Service attack. I don't think you begin to 
understand how hard it would be.

> 802.11 is exploding in popularity and is being used for applications 
> of increasing economic importance.  Network availability is as much a 
> part of security as authentication.  The military systems that 802.11 
> derives from were designed to operate in hostile environments.  There 
> is technology that could be transferred to the commercial world.

Network availability goes to zero with many cordless phone systems or 
any microwave oven operating at the right frequency range if you remove 
the shielding from the microwave (it is not recommended that you be too 
close to the microwave when it is operating in that mode unless you 
cause its output to be directed away from you).

> Has the IEEE committee discussed its decision to ignore DoS with 
> other WiFi constituencies? Have those constituencies agreed that DoS 
> is not something to worry about? Has this been disclosed to the 
> public? The WiFi home page http://www.wi-fi.org has a tab on security 
> with a long discussion touting WPA. I saw nothing mentioned about 
> DoS, not even the FCC Part 15.19 notice.

The WiFi Alliance is a marketing and interoperability organization, not 
a standards or technical organization.

The IEEE process is documented at exhaustive length in IEEE documents and
has been followed. Any person interested can participate. Anyone can
propose to 802.11 that a liaison be set up with any other organization.
At this time, over 2/3rds of all IEEE 802 members are in 802.11 making
it the most widely representative of all 802 working groups with
attendance commonly over 300 persons.

Your idea that the "public", whatever you mean by that, should be
consulted is pretty hilarious. The idea that the average man on the 
street is a great source of wisdom for secure communications protocol 
design is not widely held.

Perhaps they would support you. Enough scare stories in the press
exaggerating the significance of denial of service due to TKIP
countermeasures could easily stampede the public.

> >...
> 
> I don't know how long it would take for a network to recover from a 
> bogus disassociate message, but I presume well less than a minute. It 
> is also not clear to me why future standards could not include 
> protection against a disassociate attack.

All this has been debated many times in 802.11i. Securing management
messages would certainly cause a considerable increase in the complexity
of the protocol. Think about all the weird conditions that can occur
with loss of state and/or messages on one side or the other, either
after set up or, even worse, during set up when, perhaps, one side has
keys but the other doesn't... You generally end up with states where you
have to do a lengthy time out and then assume the association has been
broken, because the other side doesn't have keys to authenticate its
attempts to disassociate. And the additional complexity isn't going to
help your reliability any.

> The difference between a DoS attack that requires transmissions every 
> minute versus one that requires transmissions every second or so (or 
> continuously as with the spark gap threat) is very significant. 
> Frequent transmissions allow triangulation and subject the attacker 
> to the risk of apprehension and whatever consequences may ensue.

Come on. How many facilities are going to have equipment sophisticated
enough to do triangulation? And if they do, I'm sure it would probably be
modern stuff quite capable of triangulating a packet a minute. There is
no practical difference.

> Arnold Reinhold

Donald
======================================================================
 Donald E. Eastlake 3rd                       dee3 at torque.pothole.com
 155 Beaver Street              +1-508-634-2066(h) +1-508-851-8280(w)
 Milford, MA 01757 USA                   Donald.Eastlake at motorola.com
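The exchange above argues about how much availability the TKIP "Michael" countermeasure time-out costs, and whether making that time-out configurable (Arnold's proposal) would change the picture. The following model, added here as an illustration and not part of either correspondent's message, lets a defender put numbers on that: it assumes the 802.11i TKIP countermeasure rule that a second MIC failure within a 60-second window disables TKIP traffic for a 60-second hold-off (both parameters are assumptions taken from the standard, not from the thread), and it feeds constructed MIC-failure timestamps through that state machine to report how many hold-offs fire and what fraction of the observation period the link is unusable. The names `TkipCountermeasures` and `simulate` are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed from 802.11i TKIP countermeasures (not stated in the thread):
# a second MIC failure less than WINDOW seconds after the previous one
# triggers a HOLDOFF-second period in which TKIP frames are discarded.
WINDOW_SECONDS = 60.0
HOLDOFF_SECONDS = 60.0


@dataclass
class TkipCountermeasures:
    """Minimal state machine for the MIC-failure countermeasure timer."""
    window: float = WINDOW_SECONDS
    holdoff: float = HOLDOFF_SECONDS
    last_failure: Optional[float] = None       # time of the last counted MIC failure
    blocked_until: float = 0.0                 # end of the current hold-off, if any
    intervals: List[Tuple[float, float]] = field(default_factory=list)

    def mic_failure(self, t: float) -> bool:
        """Record a MIC failure at time t; return True if it triggered a hold-off."""
        if t < self.blocked_until:
            # TKIP is already disabled: the frame is dropped and cannot count again.
            return False
        if self.last_failure is not None and t - self.last_failure < self.window:
            self.blocked_until = t + self.holdoff
            self.intervals.append((t, self.blocked_until))
            self.last_failure = None           # the failure counter resets after countermeasures
            return True
        self.last_failure = t
        return False

    def downtime(self, horizon: float) -> float:
        """Seconds of TKIP unavailability within [0, horizon]."""
        return sum(max(0.0, min(end, horizon) - start) for start, end in self.intervals)


def simulate(failure_times, horizon: float,
             window: float = WINDOW_SECONDS,
             holdoff: float = HOLDOFF_SECONDS) -> Tuple[int, float, float]:
    """Return (hold-offs triggered, seconds down, fraction of horizon down)."""
    cm = TkipCountermeasures(window=window, holdoff=holdoff)
    triggers = sum(cm.mic_failure(t) for t in sorted(failure_times))
    down = cm.downtime(horizon)
    return triggers, down, down / horizon


if __name__ == "__main__":
    # Constructed event streams over a 10-minute observation period.
    ten_minutes = 600.0
    two_per_minute = [30.0 * i for i in range(20)]   # the rate the thread discusses
    one_per_minute = [60.0 * i for i in range(10)]   # never two within the window

    print("two MIC failures/min, 60 s hold-off:", simulate(two_per_minute, ten_minutes))
    print("one MIC failure/min,  60 s hold-off:", simulate(one_per_minute, ten_minutes))
    # Arnold's proposal: the same event stream with a configurable, shorter time-out.
    print("two MIC failures/min,  5 s hold-off:", simulate(two_per_minute, ten_minutes, holdoff=5.0))
```

With the assumed 60-second parameters, two MIC failures per minute keep the link down for about two thirds of the period, one failure per minute never triggers a hold-off at all, and shortening the hold-off to five seconds cuts the outage to well under a tenth of the period; the model is a way to compare such settings, and to sanity-check a MIC-failure alert threshold, before touching production equipment.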




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com