Re: DOS attack on WPA 802.11?

[Arnold G. Reinhold]

At 11:40 PM +0100 11/11/02, Niels Ferguson wrote:

At 12:03 11/11/02 -0500, Arnold G. Reinhold wrote:
[...]

One of the tenets
of cryptography is that new security systems deserve to be beaten on
mercilessly without deference to their creator.

I quite agree.

I hope you won't mind another round then.

>2. Refresh the Michael key frequently. This proposal rests on WPA's
[...]

This has no effect on the best attack we have so far. The attack is a
differential attack, and changing the key doesn't change the probabilities.

Tell me if I understand this attack correctly. Bob intercepts a packet he knows contains a certain message, even though it is WPA encrypted, say "Transfer one hundred dollars from Alice's account to Bob's account. Have a nice day." (Maybe he know what time it was sent, or the length, whatever.) Because WPA uses a stream cipher, Bob can create a message that will decrypt with the same key to "Transfer one million dollars from Alice's account to Bob's account. Have a nice day." This was one of the problems with WEP.

WPA is designed to prevent this kind of forgery by adding a 64-bit MIC. Even so, I could send lots of packets containing the million dollars message but with random stuff in the MIC field (or in the "Have a nice day" part that Bob knows nobody reads) and if I do this enough times I will accidently create a packet with a valid MIC. If MIC were really strong, this would take about 2**64 tries, a big enough number not to worry about. But because Michael is puny, you were able to find some clever tricks for picking the randomizing data so that only about 2**29 (aka half a billion) tries are needed. Furthermore, you are worried that there might be a way that requires only 2**20 (about a million) tries. And because we are trying MIC codes at random, the MIC key in use at the moment doesn't matter. Eventually Bob gets lucky and the packet goes through.

The logic behind your countermeasure is that forgery attempts are very easy to detect and by shutting down for a minute after 2 forgery attempts within one second, Bob needs an average of half a million minutes to get his packet through, or about one year. And that's an acceptable risk.

If I got this right, here are a couple of observations. Assume for a moment WPA as is, but with your time out countermeasure turned off.

1. Bob only gets that one packet through. If he wants another packet he has to start all over with another million or more attempts. So that packet had better be worth the effort.

2. This forgery only affects the 802.11 layer. If the "Transfer one million dollars" message has an electronic signature or another layer of protection, this attack does nothing to defeat that.

3. The network will get and detect hundreds of thousands of copies of the forged message before a valid one gets through. If Bob is tampering with the MIC code, they will all be identical. If Bob is munging an unimportant section of the message, they will still be highly correlated. So we will have hours, maybe days of warning that someone is attacking our system and exactly what Bob is trying to do. Even if we were asleep and he succeeds, we would know about the attack and what message he was trying to send.

4. Bob has to do a lot of transmitting and we will have hours or days of warning to track him down with direction finding equipment.


This is not a very attractive attack from Bob's point of view. He must find a single packet so valuable it is worth all risk and time involved in mounting this attack. He telegraphs his scheme well in advance of its success. He risks being caught in the act and he leaves a trail of evidence that can be used to catch him, say when he cleans out that bank account. It sounds like a Woody Allen movie scenario. ("What does this note mean 'I have a bun'?" "It says 'gun'" "Hey Charlie does this look like a 'b' or a 'g' to you?")

Furthermore, if I got this right, a filter could be turned on that simply blocked the packet Bob is attempting to send when it finally gets a valid MIC. For extra credit, you could do the following: automatically detect forgery attempts and devise a filter for them (say, look for the constant region of the forgeries). When a valid packet comes through that matches the filter, reject it and force a key change. The transport layer will request a retry. If, by chance, the packet was legit, the station that sent it can send it again and the Internet goes on. Bob on the other hand, needs another million tries, after which the same thing will happen.

Any security hole is a matter for concern, but if my understanding is correct, I am more convinced that a valid alternative to your time out countermeasure is for WPA to tell us we are under attack and let us log the forgery attempts verbatim, which I suggested in my first message.


Regardless of whether my understanding of the differential attack is correct, I think the nub of our disagreement rests in three areas. First, you don't seem to think the Michael countermeasure DOS attack is worth worrying about. Second, you object to configuration options that would allow alternatives to the time out countermeasure, or stronger MICs for those who can use it. Third you seem to believe that there are few legal consequences to attacking 802.11, so forensic countermeasures have no value.

As to the first, you say:

Here I disagree. The Michael countermeasures do not introduce any danger
that does not already exist in the system. Therefore, removing the
countermeasures has no benneficial effects.

...
As I mentioned before, there are generic DOS attacks against 802.11 that
require very few transmissions. These can be used to mount the same attack
against WEP, WPA, the future AES-based security protocols, or any other
security protocol on top of 802.11. It is thus not specific to Michael or
the Michael countermeasures. It is a very valid criticism of the system,
just not of Michael.

There are three important differences between the Michael countermeasure DOS attack and the packet canceling attack you described earlier. First, the Michael attack is much easier to program, hence more likely to happen. Second, since it is new and specific to the touted WPA, it will be especially attractive to hackers, while at the same time more damaging to WPA's reputation.

Third, the countermeasure attack is inherently very hard to detect while I believe there are defenses against the packet cancelling attack that force the attacker to make lots of transmissions. As I mentioned, TCP/IP packets can be encapsulated in a layer above 802.11. Also two stations on the same wireless network that also had a wired link could collude to force the attacker into transmitting more. These aren't great defenses, but they could be developed fairly quickly if packet cancelling attacks became a problem.

Absent the ability to alter the time out, there is no defense against the Michael countermeasure DOS attack nor any way to make it less stealthy. That makes it unique among the attacks I have heard about so far.

...

I only spent a limited amount of time searching for the best possible
attack. We have to assume that the attack will be improved somehow. Before
you know it you are down to a timescale of hours or seconds. Currently we
have a factor of 2^9 between the design strength of Michael and the best
known attack. That is a _very_ small factor for a newly invented
cryptographic function. We cut it as close as we dared, and much closer
than I feel happy with.

Then why not have two levels of strength, one what is now proposed and the second with a stronger MIC, perhaps Michael with more rounds as you suggest, and let the user choose? And why not insist that 802.11a use the stronger mode? Because it is just coming out, 802.11a has no installed base and there is less crud on its 5 GHz band. It is also much faster so it will require more powerful processors anyway and any forgery attack will take much less time.

I sense a shift in argument here from "We had to retrofit existing systems and did the best we could," which I can buy for 802.11b but not in the 802.11a case, to "We don't care about DOS attacks, so we won't increase hardware cost a dime to defeat them."

As for configurability,

... Giving
the user the option to destroy security is not a good idea. The article you
quoted points out that the vast majority of networks are misconfigured. The
obvious lesson is _not_ to provide configuration options that result in
insecure networks.

I think the lesson is that the majority of networks use the default settings. Giving the site administrator an option, with suitable warnings, to choose to disable the Michael time out countermeasure and/or to log forged packet attempts does not make it likely that systems will be poorly configured. Admins without a reason to do so won't change the settings. But it does give flexibility to deal with DOS attacks should they become prevalent and allow for third parties to develop other protections.

The two extremes in designing a software system are having a bunch of security options,initially turned off, that the user is supposed to select correctly and having no options at all on the assumption that all the tradeoffs were figured out correctly. In my opinion, both extremes are unwise.

If you want an insecure network that is not vulnerable
to the countermeasures DOS attack, you can switch to WEP or switch of all
security. This goes back to the TGi mantra: "We have enough efficient
insecure protocols. We don't need another one."

I think a spec that says "Probability of undetected forged packet less than 10**-6. Forgery attempts are optionally logged. Mean time for successful forged packet with default-enabled time out is greater than one year." would meet expectations. And at least apply the mantra to 802.11a. Why launch that product with a weak MIC?

Finally, the legal stuff:

...

The legal obstacles to pursuing DOS attackers also are a poor excuse.
I am not a lawyer, but as I understand things, the problem arises in
the U.S. because WiFi is authorized under FCC Part 15 rules, and
those rules state that users of Part 15 devices have to accept
interference from other users.  Still, if the interference is
intentional, there may be bases for actions under a variety of
federal laws.  For example, 47 USC 333 :

"No person shall willfully or maliciously interfere with or cause
interference to any radio communications of any station licensed or
authorized by or under this chapter or operated by the United States
Government." (1 year in jail per 47 USC 501). If the network is used
by a US Government site or someone doing defense work, 18 USC 1362
would kick in, with 10 year sentences.

No, the problem is that the 2.4 GHz band in which 802.11 operates is an
unlicensed band. Anyone is allowed to transmit 100 mW in it, I believe.
Standard microwave ovens work on this frequency and can cause interference
with 802.11 networks. As far as I know it isn't illegal to interfere with
an 802.11 network as long as you don't transmit more than 100 mW. Maybe you
need a half-lame excuse for your transmissions, but that could be as simple
as doing your own experiments on microwave communication protocols. (Note:
I'm not an expert on these things, but this is what I've picked up so far.)

Active attacks, such as the Michael countermeasure DOS attack or
packet canceling, would seem to come under the anti-hacking law 18
USC 1030a5A:  "knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer"  (5 years). The recent anti-terrorism law broadened the
definition of "damage."

That's not how I read it. The DOS attacks do not _cause_ the transmission
of a program or command. They _prevent_ it.

I don't think that logic will work in court. An active DOS attack (not an RF jammer) involves sending carefully crafted and timed signals, e.g. false ACK packets. I believe that is well covered under this language.

And it isn't clear that
stopping a computer from doing its work causes damage to the computer.

Here is the new definition:
    "the term `loss' means any reasonable cost to any
     victim, including the cost of responding to an offense,
     conducting a damage assessment, and restoring the data,
     program, system, or information to its condition prior to the
     offense, and any revenue lost, cost incurred, or other
     consequential damages incurred because of interruption of
     service;

Anyway, I believe this gets well outside the scope of Michael and should be

left to the lawyers.

agreed, but my concern is that misconceptions about the extent to which active attacks on an 802.11 can be prosecuted may be distorting the engineering tradeoffs. Obviously my opinion on what the laws means isn't worth much, but I do think these questions are important. The wardriving community was able to get a letter from the FBI indicating what they thought might be prosecutable. I don't see any reason why the WiFi Alliance cannot do likewise. Just having it would reduce the hacker threat somewhat, especially if the notion that you can do anything you want to an 802.11 net is commonplace. And if the FBI won't agree that this sort of thing is illegal, then that is something the WiFi people can take to Congress and try to get fixed.

There are also other countries in the world and I suspect most would be able to deal with active attacks on computer through their legal systems.


Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]