DOS attack on WPA 802.11?

Arnold G Reinhold reinhold at world.std.com
Mon Nov 18 21:58:25 EST 2002


[please ignore previous message, sent by mistake -- agr]
On Sat, 16 Nov 2002, Niels Ferguson wrote:

> At 18:15 15/11/02 -0500, Arnold G Reinhold wrote:
> >I agree that we have covered most of the issues. One area where you have
> >not responded is the use of WPA in 802.11a. I see no justification for
> >introducing a crippled authentication there.
>
> From the point of the standard there is little difference between 802.11,
> 802.11a, and 802.11b. The differences are purely in the PHY layer. That is,
> the exact radio modulations are different, but the whole MAC layer is
> identical. It would break modularisation to link a MAC layer feature to a
> PHY layer feature.
>
> The other reason is that 802.11a hardware is already being shipped, and the
> AES-based cryptographic protocol has not been finalised.
>

Modularization is a poor excuse for shipping a cryptographically weak
product. Second, in this case the PHY layer does affect a MAC layer
feature. 802.11a is much faster than 11b. That makes Michael
even more vulnerable to attack. If Michael is subject to one forged
packet per year on 11b, it is vulnerable to one every 10 weeks or so in
11a. Third, a stronger variant of WPA designed for 11a could also run on
11b hardware if there is enough processing power, so modularization is
not broken.

As for shipped hardware, does anyone know that it could not run with a
stronger version of Michael? And a few shipped units is far less
justification than the tens of millions of 802.11b units out there.

>
> >Also here is one more idea for possibly improving Michael.
> >
> >Scramble the output of Michael in a way that depends on the MIC key, K.
> >This could be as simple as rotating each output word a number of bits
> >derived from K. Or you could generate an 8 by 8 permutation from K and
> >apply it to the bytes in the Michael output. You might even be able to use
> >the small cipher that is used to generate the individual packet encryption
> >keys in WPA.
> >
> >This would break up an attack that depends on messing with the bits of the
> >MIC in the message. It does nothing for attacks on parts of the message
> >body. Any additional integrity check on the message would catch that,
> >however.
>
> This would provide at most a very marginal security improvement. A
> differential attack can leave the final MIC value unchanged, and adding an
> extra encryption would not help. See the Michael security analysis for
> details.
>

A marginal improvement on a marginal algorithm can be worthwhile. It does
break up one attack mode at negligible cost. It might prevent other
attacks that have not been envisioned.

> Rotating the output in a key-dependent way is dangerous. You expose the
> rotation constants to discovery using a differential attack.

If the rotation constants are derived from the MIC key using a strong hash
(e.g. SHA1) there is little risk of recovering key bits. Since this only
needs to be done when the MIC key changes, the computation time should be
affordable.

There is a risk that an attacker who is doing an exhaustive key search
could use knowledge of the rotation bits to rule out most trial keys with
just a hash computation. But even if they could completely test all MIC
key candidates with just the hash, that would require 2**63 SHA1 trials to
recover the MIC key on average. That is a reasonable level of security
compared to WPA, and with 10 rotation bits we are very far from even that
situation.

Another cheap variant would be to derive the rotation constants from the
hash of the last two MIC keys. This eliminates even this minute risk.

>
> Additional integrity checks would require extra cycles, which we could also
> have spent on a more secure Michael version.
>

I wasn't suggesting they be done by 802.11, but by higher layers.

With greetings from Las Vegas,

Arnold Reinhold
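The key-dependent output rotation debated in this thread, worked through in Python as an added example (not code from either correspondent): a Michael MIC implementation, Reinhold's SHA1-derived rotation of the two output words (5 bits each, the "10 rotation bits" above), and its inverse, which makes Ferguson's objection concrete: the scramble is a bijection on the 64-bit tag that depends only on K, so two packets with equal Michael values also have equal scrambled values. The domain-separation label fed into SHA1 is an assumption.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def rol32(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK

def ror32(x, n):
    return rol32(x, (32 - n) % 32)

def xswap(x):
    # swap the two bytes inside each 16-bit half of the word
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def michael_block(l, r):
    # the Michael block function b(L, R) as specified for TKIP
    r ^= rol32(l, 17); l = (l + r) & MASK
    r ^= xswap(l);     l = (l + r) & MASK
    r ^= rol32(l, 3);  l = (l + r) & MASK
    r ^= ror32(l, 2);  l = (l + r) & MASK
    return l, r

def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC: 64-bit key (K0 || K1, little-endian), 64-bit tag (L || R)."""
    l, r = struct.unpack("<II", key)
    padded = msg + b"\x5a" + b"\x00" * (7 - len(msg) % 4)  # 0x5a, then 4..7 zero bytes
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)

def rotation_constants(key: bytes):
    # Reinhold's proposal: 5 rotation bits per output word from a strong hash of K.
    # Computed once per MIC key; the label string is an assumption of this example.
    h = hashlib.sha1(b"michael-output-rotation:" + key).digest()
    return h[0] & 0x1F, h[1] & 0x1F

def scramble(key: bytes, tag: bytes) -> bytes:
    n0, n1 = rotation_constants(key)
    l, r = struct.unpack("<II", tag)
    return struct.pack("<II", rol32(l, n0), rol32(r, n1))

def unscramble(key: bytes, tag: bytes) -> bytes:
    n0, n1 = rotation_constants(key)
    l, r = struct.unpack("<II", tag)
    return struct.pack("<II", ror32(l, n0), ror32(r, n1))

def scrambled_michael(key: bytes, msg: bytes) -> bytes:
    return scramble(key, michael(key, msg))

def scramble_preserves_collisions(key: bytes, m1: bytes, m2: bytes) -> bool:
    # Ferguson's point: scramble is a key-only bijection of the tag, so
    # michael(m1) == michael(m2) holds exactly when the scrambled tags are equal.
    plain_equal = michael(key, m1) == michael(key, m2)
    scrambled_equal = scrambled_michael(key, m1) == scrambled_michael(key, m2)
    return plain_equal == scrambled_equal
```

A forgery that leaves the Michael value of a packet unchanged therefore passes the scrambled check too, whatever the rotation amounts are.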



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com