DOS attack on WPA 802.11?

Arnold G. Reinhold reinhold at world.std.com
Fri Nov 29 13:53:41 EST 2002 

At 4:57 AM +0100 11/19/02, Niels Ferguson wrote:
>At 21:58 18/11/02 -0500, Arnold G Reinhold wrote:
...

>
>>Third, a stronger variant of WPA designed for 11a could also run on
>>11b hardware if  there is enough processing power, so modularization is
>>not broken.
>
>But there _isn't_ enough processing power to run a super-Michael. If there
>were, I'd have designed Michael to be stronger.

I'm not sure that is true for all existing 802.11b hardware. And 
vendors of new 802.11b hardware could certainly elect to support the 
stronger variant of WPA.

>
>Maybe you are suggesting is to add yet another cryptographic function; the
>current Michael for existing hardware and a super-Michael for newer 802.11a
>hardware. Developing super-Michael would cost a couple of month and a lot
>of money. I would consider that a waste of effort that should have been
>spent on the AES-based security protocols. That is where we are going, and
>we need to get there ASAP. It is perfectly possible to design 802.11a
>hardware today that will be able to implement the future AES-based security
>protocols. That is what software updates are for.

That is what I am suggesting. If a stronger version of Michael is too 
expensive to develop, there is still the option of using a standard 
message authentication function, say an HMAC based on MD5 or an AES 
solution. I spoke to several 802.11a/g chip-set vendors at Comdex and 
they seem to be allowing extra processing power to support 11i. 
Intersel said they were using 20% of available MIPS.

...

[regarding my suggestion to rotate the Michael output words in a key 
dependant way:]

>
>
>[...]
>
>
>Those are standard design questions. I looked at better mixing at the end
>of the Michael function and decided against it. It would slow things down
>and the attack that changes the last message word and the MIC value had
>much the same security bound as the differential attack that does not
>change the MIC value. There is no point in strengthening one link of the
>chain if there is another weak link as well. Of course, this isn't how I
>normally design cryptographic functions, but Michael is a severely
>performance-limited design.
>
>[...]

I have responses to your concerns about using SHA and the issue of 
re-keying, but you point out:

>It would be easier just to ask
>for 128 key bits from the key management system. It has a PRF and should be
>able to do it.

That would be fine. You only need ten additional keying bits for 
arbitrary rotation of the two output words. Maybe an additional bit 
to optionally swap the words. This only adds a few instructions per 
packet.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list