Possible fixes for 802.11 WPA message authentication
Niels Ferguson
niels at ferguson.net
Mon Nov 11 17:46:46 EST 2002
At 12:06 11/11/02 -0500, Arnold G. Reinhold wrote:
[...]
>1. Shuffle the order of the message words stirred into Michael. For
[...]
I can't go into details here due to NDA considerations, but this idea
cannot be efficiently implemented on some of the existing hardware.
>2. Refresh the Michael key frequently. This proposal rests on WPA's
[...]
This has no effect on the best attack we have so far. The attack is a
differential attack, and changing the key doesn't change the probabilities.
>3. Do MIC chaining. Xor (or add) the MIC output block from the
>previous packet to K (or to the previous sub-key) to form the Michael
>sub-key for the current packet. This costs very little and makes it
>much more difficult to figure out K without breaking the WPA
>encryption.
Just like idea 2, this doesn't affect the best known attack as that attack
never tries to recover the Michael key.
Cheers!
Niels
==============================================================
Niels Ferguson, niels at ferguson.net, phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9 72E7 E545 C1E0 5D7E
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list