Doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 1 Attacks against Michael and.

Presentation transcript:

Slide 1: Attacks against Michael and Their Countermeasures
Dan Harkins, Trapeze Networks

Slide 2: Michael
- MIC is weak
- Forgery is possible by different attacks
- Countermeasures are specified to keep the time necessary to mount an attack at a reasonable level.
- Countermeasures assume attack against Michael is O(2^20), countermeasures are therefore very draconian: shut the BSS down for 60 seconds!
- Notation: D = MIC(M)

Slide 3: Dumb Brute Force Attack
- Each forgery attempt is essentially sending garbage and hoping it passes.
- Each attempt has a probability of success, P, of
- P after n attempts = 1 - ((2^64 - 1)/2^64)^n
- After 2^64 attempts P = 1 - 1/e, approximately 0.63
- Requires no storage, no intelligence but takes a very long time.
  - 100,000 attempts/second still takes 5.8 million years
- We will not worry about this attack.

Slide 4: Birthday Attack
- Attacker keeps a D, M pair: D_1 = MIC(M_1)
- Looks at other pairs: D_i = MIC(M_i)
- When D_i = D_1 (and i != 1) attack is successful
- Probability of success after 2^32 attempts
- If D_1 and D_i were MICd with different keys the successful attack will result in a forgery of garbage (an undecryptable packet)

Slide 5: Differential Cryptanalytic Attack
- ΔM = M_i xor M_j and ΔD = D_i xor D_j
- Analysis of Michael results in special characteristic differences where a difference in input is highly likely to produce a corresponding difference in output.
- Attacker looks for different inputs which have characteristic differences.
- The best attack assumes that inputs have same length!

Slide 6: Differential Cryptanalytic Attack
- Attacker must store lots of data to compute the various ΔM and ΔD
- n pairs of inputs means n! comparisons possible.
- After finding characteristic differentials it is possible to start attacking the MIC to learn bits of the key.
- Probability of success after 2^30 attempts.
- Not a trivial attack, storage and compute intensive.

Slide 7: Differential Cryptanalytic Attack
- An O(2^29) attack is possible
- Requires that the messages only differ in the last byte
- In TKIP M is encrypted (and so is D). It would be very difficult to acquire these special messages.
- This is an attack against raw Michael

Slide 8: Differential Cryptanalytic Attack
- The bits of the key do not influence the characteristic differentials.
- That is because the same key was involved in both data sets and cancels itself out in the differential!
- But that means that a rekey will thwart the attack. The difference cannot be characteristic if D_i and D_j were produced with different keys.

Slide 9: What does this mean?
- The 2^30 attack requires quite a bit of storage and processing (and an assumption that may increase the number of inputs necessary to compare)
- The 2^32 attack is a classic script kiddie attack
- Strength of Michael is more like 2^30 not 2^20
- The countermeasures should be re-evaluated

Slide 10: Countermeasures
- We want the attack to take, on average, once per year
  - 1 year is seconds
  - 2^30 attempts is
  - attempts in seconds implies approximately 34 attempts per second.
  - Limiting to one guess per 30ms achieves the goal.
- 30ms is quite a bit better than 60 seconds!

Slide 11: Countermeasures
- Rekeying the security association under attack will thwart the differential cryptanalytic attack
- If the birthday attack is done against digests produced with different keys the resulting forgery is (ideally) indistinguishable from random noise.
  - Chances of that looking like a valid Ethernet protocol: slim
  - Chances of that looking like a valid Ethernet protocol and a valid IP protocol with a valid IP checksum: none

Slide 12: Countermeasures
- In addition, the birthday attack is not affected by shutting down the entire BSS or just the STA under attack
- The attacker passively searches for digests that match his target. By the time a match is found the forgery will be successful and countermeasures will not take effect!

Slide 13: Recommendations
- Cease communication for 100ms not 60s
  - 30ms would cause the differential cryptanalytic attack to take, on average, one year.
  - Differential cryptanalytic attack is experimental so increasing the delay to 100ms should give a comfortable cushion
- Only cease communication with the security association under attack not the entire BSS
  - There is no need to shut down the entire BSS.
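The arithmetic behind slides 3, 10 and 13, as an added example that is not part of the original presentation. It follows the slides' model, in which an attack needing 2^k forgery attempts is throttled to one attempt per enforced delay; the function names and the 365-day year are assumptions.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000; a 365-day year is assumed


def naive_forgery_probability(attempts, mic_bits=64):
    # Slide 3's formula typed directly. (2^64 - 1)/2^64 rounds to exactly 1.0
    # in float64, so this returns 0.0 no matter how large n is.
    return 1 - ((2**mic_bits - 1) / 2**mic_bits) ** attempts


def forgery_probability(attempts, mic_bits=64):
    # Same formula, 1 - (1 - 2^-bits)^n, evaluated as -expm1(n * log1p(-p))
    # so the tiny per-attempt probability is not lost to rounding.
    return -math.expm1(attempts * math.log1p(-(2.0 ** -mic_bits)))


def years_to_send(attempts, rate_per_second):
    # Wall-clock years needed to transmit `attempts` forgeries at a fixed rate.
    return attempts / rate_per_second / SECONDS_PER_YEAR


def max_rate_for_target(work_bits, target_years=1.0):
    # Highest attempts/second at which 2^work_bits attempts still take
    # at least `target_years`.
    return 2**work_bits / (target_years * SECONDS_PER_YEAR)


def years_under_delay(work_bits, delay_seconds):
    # Years to make 2^work_bits attempts when every failed MIC costs the
    # attacker `delay_seconds` of enforced silence.
    return 2**work_bits * delay_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("P(forgery) after 2^64 tries: %.4f" % forgery_probability(2**64))
    print("naive float evaluation:      %.4f" % naive_forgery_probability(2**64))
    print("2^64 tries at 100k/s: %.2e years" % years_to_send(2**64, 100_000))
    rate = max_rate_for_target(30)
    print("2^30 in one year: %.1f tries/s, one per %.1f ms" % (rate, 1000 / rate))
    for bits, delay in [(30, 0.030), (30, 0.100), (30, 60), (20, 60)]:
        print("2^%d attempts, %gs delay: %.1f years"
              % (bits, delay, years_under_delay(bits, delay)))
```

The last row of the output shows why the work-factor estimate matters: a 60 second delay holds a 2^20 attack to about two years, while the same delay applied to a 2^30 attack stretches it past two thousand.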

Slide 14: Recommendations
- Alternatively we could:
  - Rekey a security association after n MIC failures (choose a “comfortable” value for n)
  - Do not cease communication between failures
- This is because rekeying the security association thwarts the attack the countermeasures are designed to deal with.