[12038] in cryptography@c2.net mail archive


Re: DOS attack on WPA 802.11?

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Mon Nov 11 14:42:49 2002

In-Reply-To: <3.0.3.32.20021108030722.0091a7a0@pop.xs4all.nl>
Date: Mon, 11 Nov 2002 12:03:31 -0500
To: Niels Ferguson <niels@ferguson.net>,
	cryptography@wasabisystems.com
From: "Arnold G. Reinhold" <reinhold@world.std.com>

I appreciate Niels Ferguson responding to my concerns in such detail.
I don't want to give the impression that I object to WPA on the
whole. That is why I said "major and welcome improvement" in my
opening sentence. I am particularly mollified by Niels' statement
that "most existing cards will be useable with 802.11i by putting a
lot of the cryptographic processing onto the laptop."  If AES based
solutions are available in a year or two that do not require selling
all our old hardware on eBay, then WPA is indeed good news.

Still, I feel additional discussion is in order.  One of the tenets
of cryptography is that new security systems deserve to be beaten on
mercilessly without deference to their creator.  And I would argue
that the Michael countermeasure is no ordinary design tradeoff. It is
rather like a doctor prescribing a drug with severe side effects on
the theory that it is the only way to save the patient's life,
something that should be done only with the greatest caution:

o First, the doctor should be sure that the side effects aren't as
bad as the disease.
There is a community of "wardrivers," people who look for 802.11b
networks they can access. Even assuming most of them are ethical
hacker types, who will good-naturedly find something else to do when
WPA starts to spread, there might be a few who are less sporting
about it.  All they have to do is write some code that sends a couple
of bad packets every minute or so to any network it finds.  This
won't even be noticed by 802.11 nets that aren't using WPA, but those
that are will be severely disrupted. Guess what will happen? The
network administrators attacked will turn WPA off.  As word spreads,
other net admins won't even bother turning it on.  They are
overburdened anyway and installing WPA won't be a picnic.

Here is a story from today's Security Wire Digest:

At 2:00 AM -0600 11/11/02, Security_Wire_Digest@bdcimail.com wrote:
>*STILL AN INSECURE WIRELESS WORLD
>By Michael Fitzgerald
>The results of the second World War Drive are in, and they don't look good
>for wireless security.
>
>Of the almost 25,000 wireless access points surveyed, only 35 percent used
>Service Set Identifier (SSID), a default security feature in the 802.11b
>protocol. Only 28 percent had Wired Equivalent Privacy (WEP) enabled. Of
>those using SSID, less than 4 percent also use WEP. The issue comes down
>to management information system (MIS) staffing, says Pete Shipley, an
>independent security consultant.
>
>"It's a key distribution problem," Shipley says. "When you're in the
>corporate environment with a large number of laptops deploying wireless,
>without encryption you pretty much hand out a wireless card and it works.
>With WEP, you have to configure the system."
>
>While not difficult, the effort requires time, and MIS staffs typically
>have more pressing issues than wireless security. Shipley thinks that as
>security becomes more important to companies, they will revisit their
>wireless security setup.
>...
>http://www.worldwidewardrive.org

I would argue that the Michael countermeasure DOS attack breaks WPA
security as effectively as a cryptographic attack. It's simple, it's
practical, it's specific to WPA, and could even be spread by virus.
And if such an attack occurs, it will generate as much bad press as a
cryptographic attack. How will the WiFi Alliance respond? Issue a
press release pointing out that other DOS possibilities exist in
ordinary 802.11? And how much credibility will be left when 802.11i
is finally ready?


o Second, the doctor should be certain of the diagnosis.
Is the patient's life really in danger? In this case that means
asking how easy it really is to break Michael. Normally,
cryptographers should be extremely conservative in assessing the
strength of an algorithm.  But when the response to perceived
weakness is to add a different vulnerability, I would argue that the
test should be what is realistic, not the ultra conservative worst
case.  The Intel article said the best known attack is a 29-bit
differential cryptanalysis. How practical is that? Does it require
vast amounts of chosen plain text?

If there is no practical Michael busting attack on the horizon, then
the objection to allowing users to turn the countermeasure off,
perhaps with a warning that doing so risks security, seems harder to
understand.


o Third, the doctor should be certain that no other treatments are available.
The question of whether a significantly stronger MIC can be created
within the limited computational budget available is still an
interesting one. I hope more details about the algorithm and the
constraints, both in time and space for object code, will be
available very soon, if they are not already.  If something markedly
better were developed in the next few months, perhaps the WiFi
Alliance could be persuaded to drop it in before release.  At worst,
work in this area could be a useful backup in case AES-based
solutions prove too cumbersome to retrofit.  I have some preliminary
ideas based on what I read in the Intel paper, but I will put them in
a separate message.


o Then there is the notion (which is never supposed to cross a
doctor's mind) that the patient's job isn't vital so why worry?
I take issue with the proposition that users can be expected to
avoid 802.11 for mission critical applications.  One of the main
reasons for the explosive growth of this technology is that it
enables non-technically trained people to build networks in a simple
plug-and-play way. These people expect stuff they buy to work and
will use these systems in ways we never imagine.

And why shouldn't they? The marketing for WiFi is very aggressive.
The WPA press release uses the word "robust" three times in two
paragraphs. I could find nothing on the WiFi Alliance page
http://www.wi-fi.org that cautions users against mission critical
applications. Yes, there is that little FCC Part 15.19 notice on the
box that says you are subject to interference, but every product
comes festooned with warning labels these days.

The economics of WiFi mass adoption mean that other solutions will
become too expensive, if any are available at all. Even if a system
designer wants to avoid the risks of using 802.11, his boss may axe
the extra cost. Then there is the question of the third world, where
often no hard wired infrastructure exists. In many impoverished
regions, wireless solutions are providing the first and only Internet
connectivity. You can be sure mission critical applications will use
it.


o Some doctors might justify a risky drug because the patient has
several other diseases that could be fatal.
The argument that wireless solutions don't have to worry about DOS
attacks because there are so many of them smacks of this. WiFi is a
huge success and with that success comes a responsibility to keep
improving the product and eliminate known risks.

Take the packet cancelling attack Niels described.  There may well be
defenses that could be developed against packet cancelling. The
higher level attacks he described could be dealt with by
encapsulating over-the-air TCP/IP packets in encrypted envelopes,
perhaps padded to standard lengths. Even the low level packet
canceling technique itself might be defeated if the receiver cards
can be persuaded to report all bad packets.  If we are using
military-strength crypto, why not use military strength antijam?
There is a lot of AJ technology developed for military use that could
be employed. Indeed the spread spectrum underpinnings for 802.11 come
from that world.  In my opinion, this attack ought to be on the
agenda for 802.11i. And in any case, the packet cancelling attack is
a lot more complex than the Michael countermeasure attack I posited.

The legal obstacles to pursuing DOS attackers also are a poor excuse.
I am not a lawyer, but as I understand things, the problem arises in
the U.S. because WiFi is authorized under FCC Part 15 rules, and
those rules state that users of Part 15 devices have to accept
interference from other users.  Still, if the interference is
intentional, there may be bases for actions under a variety of
federal laws.  For example, 47 USC 333:

"No person shall willfully or maliciously interfere with or cause
interference to any radio communications of any station licensed or
authorized by or under this chapter or operated by the United States
Government." (1 year in jail per 47 USC 501). If the network is used
by a US Government site or someone doing defense work, 18 USC 1362
would kick in, with 10 year sentences.

Active attacks, such as the Michael countermeasure DOS attack or
packet canceling, would seem to come under the anti-hacking law 18
USC 1030a5A:  "knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer"  (5 years). The recent anti-terrorism law broadened the
definition of "damage."

The law in other countries is probably less finicky.  And the U.S.
Congress seems generally willing to expand the anti-hacking laws to
cover new problems.  The notion that a large part of the national
data communication infrastructure will enjoy no protection from
malicious attack is simply untenable long term. What is going to
happen when hospitals start buying computers with Bluetooth
peripherals?


o I'm aware of the old adage "the best is the enemy of the good."
WPA is good and reflects a lot of hard work but the Michael
countermeasure makes me uncomfortable. I suspect there are ways to
fix it, even in the short time available.


Arnold Reinhold
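The "couple of bad packets every minute or so" scenario argued in the message above can be put in numbers. The following is an added example, not Reinhold's code and not text or code from the WPA or 802.11i documents. It assumes the countermeasure as 802.11i specifies it (a second Michael MIC failure within 60 seconds of the first shuts the TKIP link down for 60 seconds) and reports how much of a fifteen-minute window a link loses under constructed failure schedules, so an administrator can weigh that availability cost against the forgery risk the countermeasure defends against. `Countermeasure`, `simulate` and `periodic` are names chosen here; the failure times are constructed inputs, not captured traffic.

```python
"""Availability model for the TKIP (Michael) MIC-failure countermeasure.

Added example: this is not Reinhold's code, nor text from the WPA or 802.11i
documents. It assumes the countermeasure as 802.11i specifies it: a second MIC
failure within 60 s of the first shuts the TKIP link down for 60 s. Failure
times used below are constructed inputs, not captured traffic.
"""
from typing import Iterable, List, Optional, Tuple

MIC_WINDOW = 60.0  # seconds; a second failure inside this window triggers shutdown
SHUTDOWN = 60.0    # seconds; how long the link stays down once triggered


class Countermeasure:
    """State of the countermeasure for one link as MIC failures arrive."""

    def __init__(self) -> None:
        self.last_failure: Optional[float] = None   # time of an unpaired first failure
        self.down_until: float = 0.0                 # end of the current shutdown, if any
        self.outages: List[Tuple[float, float]] = []  # (start, end) of each shutdown

    def mic_failure(self, t: float) -> bool:
        """Record a MIC failure at time t; return True if it caused a shutdown."""
        if t < self.down_until:
            return False  # link is already down; the failure changes nothing
        if self.last_failure is not None and t - self.last_failure < MIC_WINDOW:
            self.down_until = t + SHUTDOWN
            self.outages.append((t, self.down_until))
            self.last_failure = None  # the 60 s window starts afresh after recovery
            return True
        self.last_failure = t
        return False


def simulate(failure_times: Iterable[float], horizon: float) -> Tuple[int, float]:
    """Return (number of shutdowns, fraction of [0, horizon) spent shut down)."""
    cm = Countermeasure()
    for t in sorted(failure_times):
        if t < horizon:
            cm.mic_failure(t)
    down = sum(min(end, horizon) - start for start, end in cm.outages)
    return len(cm.outages), down / horizon


def periodic(interval: float, horizon: float, burst: int = 1) -> List[float]:
    """Constructed schedule: `burst` failures one second apart, every `interval` s."""
    times: List[float] = []
    t = 0.0
    while t < horizon:
        times.extend(t + i for i in range(burst))
        t += interval
    return times


if __name__ == "__main__":
    horizon = 900.0  # fifteen minutes of link time
    print("schedule                  shutdowns  downtime")
    for label, sched in [
        ("one failure / 120 s", periodic(120, horizon)),      # never two inside 60 s
        ("one failure / 30 s", periodic(30, horizon)),        # link down two thirds of the time
        ("two failures / 60 s", periodic(60, horizon, burst=2)),
    ]:
        n, frac = simulate(sched, horizon)
        print(f"{label:<25} {n:>9}  {frac:7.1%}")
```

Run it directly to see the table; the point it makes is that a single corrupted frame every two minutes never trips the countermeasure, while one every 30 seconds leaves the link down for roughly two thirds of the period, which is the trade between forgery resistance and availability that the message asks the WiFi Alliance to justify.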



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
