DOS attack on WPA 802.11?
Arnold G. Reinhold
reinhold at world.std.com
Tue Nov 12 23:54:25 EST 2002
At 11:40 PM +0100 11/11/02, Niels Ferguson wrote:
>At 12:03 11/11/02 -0500, Arnold G. Reinhold wrote:
>[...]
>>One of the tenets
>>of cryptography is that new security systems deserve to be beaten on
>>mercilessly without deference to their creator.
>
>I quite agree.
I hope you won't mind another round then.
> >2. Refresh the Michael key frequently. This proposal rests on WPA's
>[...]
>
>This has no effect on the best attack we have so far. The attack is a
>differential attack, and changing the key doesn't change the probabilities.
Tell me if I understand this attack correctly. Bob intercepts a
packet he knows contains a certain message, even though it is WPA
encrypted, say "Transfer one hundred dollars from Alice's account to
Bob's account. Have a nice day." (Maybe he know what time it was
sent, or the length, whatever.) Because WPA uses a stream cipher, Bob
can create a message that will decrypt with the same key to "Transfer
one million dollars from Alice's account to Bob's account. Have a
nice day." This was one of the problems with WEP.
WPA is designed to prevent this kind of forgery by adding a 64-bit
MIC. Even so, I could send lots of packets containing the million
dollars message but with random stuff in the MIC field (or in the
"Have a nice day" part that Bob knows nobody reads) and if I do this
enough times I will accidently create a packet with a valid MIC. If
MIC were really strong, this would take about 2**64 tries, a big
enough number not to worry about. But because Michael is puny, you
were able to find some clever tricks for picking the randomizing data
so that only about 2**29 (aka half a billion) tries are needed.
Furthermore, you are worried that there might be a way that requires
only 2**20 (about a million) tries. And because we are trying MIC
codes at random, the MIC key in use at the moment doesn't matter.
Eventually Bob gets lucky and the packet goes through.
The logic behind your countermeasure is that forgery attempts are
very easy to detect and by shutting down for a minute after 2 forgery
attempts within one second, Bob needs an average of half a million
minutes to get his packet through, or about one year. And that's an
acceptable risk.
If I got this right, here are a couple of observations. Assume for a
moment WPA as is, but with your time out countermeasure turned off.
1. Bob only gets that one packet through. If he wants another packet
he has to start all over with another million or more attempts. So
that packet had better be worth the effort.
2. This forgery only affects the 802.11 layer. If the "Transfer one
million dollars" message has an electronic signature or another layer
of protection, this attack does nothing to defeat that.
3. The network will get and detect hundreds of thousands of copies of
the forged message before a valid one gets through. If Bob is
tampering with the MIC code, they will all be identical. If Bob is
munging an unimportant section of the message, they will still be
highly correlated. So we will have hours, maybe days of warning that
someone is attacking our system and exactly what Bob is trying to do.
Even if we were asleep and he succeeds, we would know about the
attack and what message he was trying to send.
4. Bob has to do a lot of transmitting and we will have hours or days
of warning to track him down with direction finding equipment.
This is not a very attractive attack from Bob's point of view. He
must find a single packet so valuable it is worth all risk and time
involved in mounting this attack. He telegraphs his scheme well in
advance of its success. He risks being caught in the act and he
leaves a trail of evidence that can be used to catch him, say when he
cleans out that bank account. It sounds like a Woody Allen movie
scenario. ("What does this note mean 'I have a bun'?" "It says 'gun'"
"Hey Charlie does this look like a 'b' or a 'g' to you?")
Furthermore, if I got this right, a filter could be turned on that
simply blocked the packet Bob is attempting to send when it finally
gets a valid MIC. For extra credit, you could do the following:
automatically detect forgery attempts and devise a filter for them
(say, look for the constant region of the forgeries). When a valid
packet comes through that matches the filter, reject it and force a
key change. The transport layer will request a retry. If, by chance,
the packet was legit, the station that sent it can send it again and
the Internet goes on. Bob on the other hand, needs another million
tries, after which the same thing will happen.
Any security hole is a matter for concern, but if my understanding is
correct, I am more convinced that a valid alternative to your time
out countermeasure is for WPA to tell us we are under attack and let
us log the forgery attempts verbatim, which I suggested in my first
message.
Regardless of whether my understanding of the differential attack is
correct, I think the nub of our disagreement rests in three areas.
First, you don't seem to think the Michael countermeasure DOS attack
is worth worrying about. Second, you object to configuration options
that would allow alternatives to the time out countermeasure, or
stronger MICs for those who can use it. Third you seem to believe
that there are few legal consequences to attacking 802.11, so
forensic countermeasures have no value.
As to the first, you say:
>Here I disagree. The Michael countermeasures do not introduce any danger
>that does not already exist in the system. Therefore, removing the
>countermeasures has no benneficial effects.
>
>...
>As I mentioned before, there are generic DOS attacks against 802.11 that
>require very few transmissions. These can be used to mount the same attack
>against WEP, WPA, the future AES-based security protocols, or any other
>security protocol on top of 802.11. It is thus not specific to Michael or
>the Michael countermeasures. It is a very valid criticism of the system,
>just not of Michael.
There are three important differences between the Michael
countermeasure DOS attack and the packet canceling attack you
described earlier. First, the Michael attack is much easier to
program, hence more likely to happen. Second, since it is new and
specific to the touted WPA, it will be especially attractive to
hackers, while at the same time more damaging to WPA's reputation.
Third, the countermeasure attack is inherently very hard to detect
while I believe there are defenses against the packet cancelling
attack that force the attacker to make lots of transmissions. As I
mentioned, TCP/IP packets can be encapsulated in a layer above
802.11. Also two stations on the same wireless network that also had
a wired link could collude to force the attacker into transmitting
more. These aren't great defenses, but they could be developed
fairly quickly if packet cancelling attacks became a problem.
Absent the ability to alter the time out, there is no defense against
the Michael countermeasure DOS attack nor any way to make it less
stealthy. That makes it unique among the attacks I have heard about
so far.
>...
>
>I only spent a limited amount of time searching for the best possible
>attack. We have to assume that the attack will be improved somehow. Before
>you know it you are down to a timescale of hours or seconds. Currently we
>have a factor of 2^9 between the design strength of Michael and the best
>known attack. That is a _very_ small factor for a newly invented
>cryptographic function. We cut it as close as we dared, and much closer
>than I feel happy with.
Then why not have two levels of strength, one what is now proposed
and the second with a stronger MIC, perhaps Michael with more rounds
as you suggest, and let the user choose? And why not insist that
802.11a use the stronger mode? Because it is just coming out, 802.11a
has no installed base and there is less crud on its 5 GHz band. It is
also much faster so it will require more powerful processors anyway
and any forgery attack will take much less time.
I sense a shift in argument here from "We had to retrofit existing
systems and did the best we could," which I can buy for 802.11b but
not in the 802.11a case, to "We don't care about DOS attacks, so we
won't increase hardware cost a dime to defeat them."
As for configurability,
>... Giving
>the user the option to destroy security is not a good idea. The article you
>quoted points out that the vast majority of networks are misconfigured. The
>obvious lesson is _not_ to provide configuration options that result in
>insecure networks.
I think the lesson is that the majority of networks use the default
settings. Giving the site administrator an option, with suitable
warnings, to choose to disable the Michael time out countermeasure
and/or to log forged packet attempts does not make it likely that
systems will be poorly configured. Admins without a reason to do so
won't change the settings. But it does give flexibility to deal with
DOS attacks should they become prevalent and allow for third parties
to develop other protections.
The two extremes in designing a software system are having a bunch of
security options,initially turned off, that the user is supposed to
select correctly and having no options at all on the assumption that
all the tradeoffs were figured out correctly. In my opinion, both
extremes are unwise.
>If you want an insecure network that is not vulnerable
>to the countermeasures DOS attack, you can switch to WEP or switch of all
>security. This goes back to the TGi mantra: "We have enough efficient
>insecure protocols. We don't need another one."
I think a spec that says "Probability of undetected forged packet
less than 10**-6. Forgery attempts are optionally logged. Mean time
for successful forged packet with default-enabled time out is greater
than one year." would meet expectations. And at least apply the
mantra to 802.11a. Why launch that product with a weak MIC?
Finally, the legal stuff:
>...
>
>
>>The legal obstacles to pursuing DOS attackers also are a poor excuse.
>>I am not a lawyer, but as I understand things, the problem arises in
>>the U.S. because WiFi is authorized under FCC Part 15 rules, and
>>those rules state that users of Part 15 devices have to accept
>>interference from other users. Still, if the interference is
>>intentional, there may be bases for actions under a variety of
>>federal laws. For example, 47 USC 333 :
>>
>>"No person shall willfully or maliciously interfere with or cause
>>interference to any radio communications of any station licensed or
>>authorized by or under this chapter or operated by the United States
>>Government." (1 year in jail per 47 USC 501). If the network is used
>>by a US Government site or someone doing defense work, 18 USC 1362
>>would kick in, with 10 year sentences.
>
>No, the problem is that the 2.4 GHz band in which 802.11 operates is an
>unlicensed band. Anyone is allowed to transmit 100 mW in it, I believe.
>Standard microwave ovens work on this frequency and can cause interference
>with 802.11 networks. As far as I know it isn't illegal to interfere with
>an 802.11 network as long as you don't transmit more than 100 mW. Maybe you
>need a half-lame excuse for your transmissions, but that could be as simple
>as doing your own experiments on microwave communication protocols. (Note:
>I'm not an expert on these things, but this is what I've picked up so far.)
>
>
>>Active attacks, such as the Michael countermeasure DOS attack or
>>packet canceling, would seem to come under the anti-hacking law 18
>>USC 1030a5A: "knowingly causes the transmission of a program,
>>information, code, or command, and as a result of such conduct,
>>intentionally causes damage without authorization, to a protected
>>computer" (5 years). The recent anti-terrorism law broadened the
>>definition of "damage."
>
>That's not how I read it. The DOS attacks do not _cause_ the transmission
>of a program or command. They _prevent_ it.
I don't think that logic will work in court. An active DOS attack
(not an RF jammer) involves sending carefully crafted and timed
signals, e.g. false ACK packets. I believe that is well covered under
this language.
> And it isn't clear that
>stopping a computer from doing its work causes damage to the computer.
Here is the new definition:
"the term `loss' means any reasonable cost to any
victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the
offense, and any revenue lost, cost incurred, or other
consequential damages incurred because of interruption of
service;
>Anyway, I believe this gets well outside the scope of Michael and should be
left to the lawyers.
agreed, but my concern is that misconceptions about the extent to
which active attacks on an 802.11 can be prosecuted may be distorting
the engineering tradeoffs. Obviously my opinion on what the laws
means isn't worth much, but I do think these questions are important.
The wardriving community was able to get a letter from the FBI
indicating what they thought might be prosecutable. I don't see any
reason why the WiFi Alliance cannot do likewise. Just having it
would reduce the hacker threat somewhat, especially if the notion
that you can do anything you want to an 802.11 net is commonplace.
And if the FBI won't agree that this sort of thing is illegal, then
that is something the WiFi people can take to Congress and try to get
fixed.
There are also other countries in the world and I suspect most would
be able to deal with active attacks on computer through their legal
systems.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list