Download presentation
Presentation is loading. Please wait.
Published byGiles Stephens Modified over 9 years ago
1
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 1 Attacks against Michael and Their Countermeasures Dan Harkins Trapeze Networks
2
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 2 Michael MIC is weak Forgery is possible by different attacks Countermeasures are specified to keep the time necessary to mount an attack at a reasonable level. Countermeasures assume attack against Michael is O(2 20 ), countermeasures are therefore very draconian– shut the BSS down for 60 seconds! Notation: D = MIC(M)
3
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 3 Dumb Brute Force Attack Each forgery attempt is essentially sending garbage and hoping it passes. Each attempt has a probability of success, P, of 0.0000000000000000000542 P after n attempts = 1 – ((2 64 – 1)/2 64 ) n After 2 64 attempts P = 1 – 1/e, approximately 0.63 Requires no storage, no intelligence but takes a very long time. –100,000 attempts/second still takes 5.8 million years We will not worry about this attack.
4
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 4 Birthday Attack Attacker keeps a D, M pair: D 1 = MIC(M 1 ) Looks at other pairs: D i = MIC(M i ) When D i = D 1 (and i != 1) attack is successful Probability of success after 2 32 attempts If D 1 and D i were MICd with different keys the successful attack will result in a forgery of garbage (an undecryptable packet)
5
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 5 Differential Cryptanalytic Attack M = M i xor M j and D = D i xor D j Analysis of Michael results in special characteristic differences where a difference in input is highly likely to produce a corresponding difference in output. Attacker looks for different inputs which have characteristic differences. The best attack assumes that inputs have same length!
6
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 6 Differential Cryptanalytic Attack Attacker must store lots of data to compute the various M and D n pairs of inputs means n! comparisons possible. After finding characteristic differentials it is possible to start attacking the MIC to learn bits of the key. Probability of success after 2 30 attempts. Not a trivial attack, storage and compute intensive.
7
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 7 Differential Cryptanalytic Attack An O(2 29 ) attack is possible Requires that the messages only differ in the last byte In TKIP M is encrypted (and so is D). It would be very difficult to acquire these special messages. This is an attack against raw Michael
8
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 8 Differential Cryptanalytic Attack The bits of the key do not influence the characteristic differentials. That is because the same key was involved in both data sets and cancels itself out in the differential! But that means that a rekey will thwart the attack. The difference cannot be characteristic if Di and Dj were produced with different keys.
9
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 9 What does this mean? The 2 30 attack requires quite a bit of storage and processing (and an assumption that may increase the number of inputs necessary to compare) The 2 32 attack is a classic script kiddie attack Strength of Michael is more like 2 30 not 2 20 The countermeasures should be re-evaluated
10
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 10 Countermeasures We want the attack to take, on average, once per year –1 year is 31536000 seconds –2 30 attempts is 1073741824 –1073741824 attempts in 31536000 seconds implies approximately 34 attempts per second. –Limiting to one guess per 30ms achieves the goal. 30ms is quite a bit better than 60 seconds!
11
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 11 Countermeasures Rekeying the security association under attack will thwart the differential cryptanalytic attack If the birthday attack is done against digests produced with different keys the resulting forgery is (ideally) indistinguishable from random noise. –Chances of that looking like a valid ethernet protocol: slim –Chances of that looking like a valid ethernet protocol and a valid IP protocol with a valid IP checksum: none
12
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 12 Countermeasures In addition, the birthday attack is not affected by shutting down the entire BSS or just the STA under attack The attacker passively searches for digests that match his target. By the time a match is found the forgery will be successful and countermeasures will not take effect!
13
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 13 Recommendations Cease communication for 100ms not 60s –30ms would cause the differential cryptanalytic attack to take, on average, one year. –Differential cryptanalytic attack is experimental so increasing the delay to 100ms should give a comfortable cushion Only cease communication with the security association under attack not the entire BSS –There is no need to shut down the entire BSS.
14
doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 14 Recommendations Alternatively we could: –Rekey a security association after n MIC failures (choose a “comfortable” value for n) –Do not cease communication between failures This is because rekeying the security association thwarts the attack the countermeasures are designed to deal with.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.