DOS attack on WPA 802.11?

Niels Ferguson niels at ferguson.net
Sat Nov 16 09:16:55 EST 2002 

At 18:15 15/11/02 -0500, Arnold G Reinhold wrote:
>I agree that we have covered most of the issues. One area whre you have
>not responded is the use of WPa in 802.11a. I see no justification for
>intoducing a crippled authentication there.

>From the point of the standard there is little difference between 802.11,
802.11a, and 802.11b. The differences are purely in the PHY layer. That is,
the exact radio modulations are different, but the whole MAC layer is
identical. It would break modularisation to link a MAC layer feature to a
PHY layer feature.

The other reason is that 802.11a hardware is already being shipped, and the
AES-based cryptographic protocol has not been finalised. 


>Also here is one more idea for possibly improving Michael.
>
>Scramble the output of Michael in a way that depends on the MIC key, K.
>This could be as simple as rotating each output word a number of bits
>derived from K. Or you could generate a 8 by 8 permutation from K and
>apply it to the bytes in the Michael output. you might even be able to use
the
>small cipher that is used to generate the individual packed encryption
>keys in WPA.
>
>This would break up an attack that depends on messing with the bits of the
>MIC in the message. It does nothing for attacks on parts of the message
>body. Any additional integrety check on the message would catch that,
>however.

This would provide at most a very marginal security improvement. A
differential attack can leave the final MIC value unchanged, and adding an
extra encryption would not help. See the Michael security analysis for
details.

Rotating the output in a key-dependent way is dangerous. You expose the
rotation constants to discovery using a differential attack.

Additional integrety checks would require extra cycles, which we could also
have spent on a more secure Michael version.



Cheers!

Niels
==============================================================
Niels Ferguson, niels at ferguson.net, phone: +31 20 463 0977
PGP: 3EC2 3304 9B6E 27D9  72E7 E545 C1E0 5D7E

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list