The new Wi-Fi Protected Access scheme (WPA), designed to replace the
discredited WEP encryption for 802.11b wireless networks, is a major
and welcome improvement. However it seems to have a significant
vulnerability to denial of service attacks. This vulnerability
results from the proposed remedy for the self-admitted weakness of
the Michael message integrity check (MIC) algorithm.
To be backward compatible with the millions of 802.11b units already
in service, any MIC algorithm must operate within a very small
computing budget. The algorithm chosen, called Michael, is spec'd as
offering only 20 bits of effective security.
According to an article by Jesse Walker of Intel
http://cedar.intel.com/media/pdf/security/80211_part2.pdf :
"This level of protection is much too weak to afford much benefit by
itself, so TKIP complements Michael with counter-measures. The design
goal of the counter-measures is to throttle the utility of forgery
attempts, limiting knowledge the attacker gains about the MIC key. If
a TKIP implementation detects two failed forgeries in a second, the
design assumes it is under active attack. In this case, the station
deletes its keys, disassociates, waits a minute, and then
reassociates. While this disrupts communications, it is necessary to
thwart active attack. The countermeasures thus limits the expected
number of undetected forgeries such an adversary might generate to
about one per year per station."
Unfortunately the countermeasures cure may invite a different
disease. It would appear easy to mount a denial of service attack by
simply submitting two packets with bad MIC tags in quick succession.
The access point then shuts down for a minute or more. When it comes
back up, one repeats the attack. All the attacker needs is a laptop
or hand held computer with an 802.11b card and a little software.
Physically locating the attacker is made much more difficult than for
an ordinary RF jammer by the fact that only a couple of packets per
minute need be transmitted. Also the equipment required has innocent
uses, unlike a jammer, so prosecuting an apprehended suspect would be
more difficult.
The ability to deny service might be very useful to miscreants in
some circumstances. For example, an 802.11b network might be used to
coordinate surveillance systems at some facility or event. With
802.11b exploding in popularity, it is impossible to foresee all the
mission critical uses it might be put to.
Here are a couple of suggestions to improve things, one easier, the
other harder.
The easier approach is to make the WPA response to detected forgeries
more configurable. The amount of time WPA stays down after two
forgeries might be a parameter, for example. It should be possible
to turn the countermeasures off completely. Some users might find the
consequences of forgeries less than that of lost service. For a firm
offering for-fee public access, a successful forgery attack might
merely allow free riding by the attacker, while denied service could
cost much more in lost revenue and reputation.
Another way to make WPA's response more configurable would be for the
access point to send a standard message to a configurable IP address
on the wire side when ever it detects an attack. This could alert
security personal to scan the parking lot or switch the access point
to be outside the corporate firewall. The message also might quote
the forged packets, allowing them to be logged. Knowing the time and
content of forged packets could also be useful to automatic radio
frequency direction finding equipment. As long as some basic hooks
are in place, other responses to forgery attack could be developed
without changing the standard.
The harder approach is to replace Michael with a suitable but
stronger algorithm (Michelle?). I am willing to assume that
Michael's designer, Niels Ferguson, did a fine job within the
constraints he faced. But absent a proof that what he created is
absolutely optimal, improving on it seems a juicy cryptographic
problem. How many bits of protection can you get on a tight budget?
What if you relaxed the budget a little, so it ran on say 80% of
installed access points? A public contest might be in order.
Clearly, WPA is needed now and can't wait for investigation and
vetting of a new MIC. But if a significantly improved MIC were
available in a year or so, it could be included as an addendum or as
as part of the 802.11i specification. Some might say that 802.11i's
native security will be much better, so why bother? My answer is that
802.11i will not help much unless WPA compatibility is shut off. And
with so many millions of 802.11 cards in circulation that are not
".11i" ready, that won't happen in most places for a long time. On
the other hand, an upgraded MIC could be adopted by an organization
that wished improved security with modest effort. Backward
compatibility could be maintained, with a countermeasure that simply
turned off access by Michael-based cards when a forgery was detected.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
- Re: DOS attack on WPA 802.11? Arnold G. Reinhold
- Re: DOS attack on WPA 802.11? Niels Ferguson
- Re: DOS attack on WPA 802.11? William Arbaugh
- Re: DOS attack on WPA 802.11? Arnold G. Reinhold
- Re: DOS attack on WPA 802.11? Niels Ferguson
- Re: DOS attack on WPA 802.11? Arnold G. Reinhold
- Re: DOS attack on WPA 802.11? Niels Ferguson
- Re: DOS attack on WPA 802.11? Arnold G Reinhold
- Re: DOS attack on WPA 802... Niels Ferguson
- Re: DOS attack on WPA 802... Arnold G Reinhold
- Re: DOS attack on WPA 802... Niels Ferguson
