DOS attack on WPA 802.11?

Arnold G. Reinhold reinhold at world.std.com
Thu Nov 7 16:17:48 EST 2002 

The new Wi-Fi Protected Access scheme (WPA), designed to replace the 
discredited WEP encryption for 802.11b wireless networks, is a  major 
and welcome improvement. However it seems to have a significant 
vulnerability to denial of service attacks. This vulnerability 
results from the proposed remedy for the self-admitted weakness of 
the Michael message integrity check (MIC) algorithm.

To be backward compatible with the millions of 802.11b units already 
in service,  any MIC algorithm must operate within a very small 
computing budget. The algorithm chosen, called Michael,  is spec'd as 
offering only 20 bits of effective security.

According to an article by Jesse Walker of Intel 
http://cedar.intel.com/media/pdf/security/80211_part2.pdf :

"This level of protection is much too weak to afford much benefit by 
itself, so TKIP complements Michael with counter-measures. The design 
goal of the counter-measures is to throttle the utility of forgery 
attempts, limiting knowledge the attacker gains about the MIC key. If 
a TKIP implementation detects two failed forgeries in a second, the 
design assumes it is under active attack. In this case, the station 
deletes its keys, disassociates, waits a minute, and then 
reassociates. While this disrupts communications, it is necessary to 
thwart active attack. The countermeasures thus limits the expected 
number of undetected forgeries such an adversary might generate to 
about one per year per station."

Unfortunately the countermeasures cure may invite a different 
disease. It would appear easy to mount a denial of service attack by 
simply submitting two packets with bad MIC tags in quick succession. 
The access point then shuts down for a minute or more. When it comes 
back up, one repeats the attack.  All the attacker needs is a laptop 
or hand held computer with an 802.11b card and a little software. 
Physically locating the attacker is made much more difficult than for 
an ordinary RF jammer by the fact that only a couple of packets per 
minute need be transmitted. Also the equipment required has innocent 
uses, unlike a jammer, so prosecuting an apprehended suspect would be 
more difficult.

The ability to deny service might be very useful to miscreants in 
some circumstances. For example, an 802.11b network might be used to 
coordinate surveillance systems at some facility or event.  With 
802.11b exploding in popularity, it is impossible to foresee all the 
mission critical uses it might be put to.

Here are a couple of suggestions to improve things, one easier, the 
other harder.

The easier approach is to make the WPA response to detected forgeries 
more configurable.  The amount of time WPA stays down after two 
forgeries might be a parameter, for example.  It should be possible 
to turn the countermeasures off completely. Some users might find the 
consequences of forgeries less than that of lost service. For a firm 
offering for-fee public access, a successful forgery attack might 
merely allow free riding by the attacker, while denied service could 
cost much more in lost revenue and reputation.

Another way to make WPA's response more configurable would be for the 
access point to send a standard message to a configurable IP address 
on the wire side when ever it detects an attack. This could alert 
security personal to scan the parking lot or switch the access point 
to be outside the corporate firewall. The message also might quote 
the forged packets, allowing them to be logged.  Knowing the time and 
content of forged packets could also be useful to automatic radio 
frequency direction finding equipment. As long as some basic hooks 
are in place, other responses to forgery attack could be developed 
without changing the standard.

The harder approach is to replace Michael with a suitable but 
stronger algorithm (Michelle?).  I am willing to assume that 
Michael's designer, Niels Ferguson, did a fine job within the 
constraints he faced. But absent a proof that what he created is 
absolutely optimal, improving on it seems a juicy cryptographic 
problem. How many bits of protection can you get on a tight budget? 
What if you relaxed the budget a little, so it ran on say 80% of 
installed access points? A public contest might be in order.

Clearly, WPA is needed now and can't wait for investigation and 
vetting of a new MIC. But if a significantly improved MIC were 
available in a year or so, it could be included as an addendum or as 
as part of the 802.11i specification.  Some might say that 802.11i's 
native security will be much better, so why bother? My answer is that 
802.11i will not help much unless WPA compatibility is shut off.  And 
with so many millions of 802.11 cards in circulation that are not 
".11i" ready, that won't happen in most places for a long time. On 
the other hand, an upgraded MIC could  be adopted by an organization 
that wished improved security with modest effort. Backward 
compatibility could be maintained, with a countermeasure that simply 
turned off access by Michael-based cards when a forgery was detected.


Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list