1 / 14

Attacks against Michael and Their Countermeasures

Attacks against Michael and Their Countermeasures. Dan Harkins Trapeze Networks. Michael. MIC is weak Forgery is possible by different attacks Countermeasures are specified to keep the time necessary to mount an attack at a reasonable level.

tirza
Download Presentation

Attacks against Michael and Their Countermeasures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attacks against Michael and Their Countermeasures Dan Harkins TrapezeNetworks Dan Harkins, Trapeze Networks.

  2. Michael • MIC is weak • Forgery is possible by different attacks • Countermeasures are specified to keep the time necessary to mount an attack at a reasonable level. • Countermeasures assume attack against Michael is O(220), countermeasures are therefore very draconian– shut the BSS down for 60 seconds! • Notation: D = MIC(M) Dan Harkins, Trapeze Networks.

  3. Dumb Brute Force Attack • Each forgery attempt is essentially sending garbage and hoping it passes. • Each attempt has a probability of success, P, of 0.0000000000000000000542 • P after n attempts = 1 – ((264 – 1)/264)n • After 264 attempts P = 1 – 1/e, approximately 0.63 • Requires no storage, no intelligence but takes a very long time. • 100,000 attempts/second still takes 5.8 million years • We will not worry about this attack. Dan Harkins, Trapeze Networks.

  4. Birthday Attack • Attacker keeps a D, M pair: D1 = MIC(M1) • Looks at other pairs: Di = MIC(Mi) • When Di = D1 (and i != 1) attack is successful • Probability of success after 232 attempts • If D1 and Di were MICd with different keys the successful attack will result in a forgery of garbage (an undecryptable packet) Dan Harkins, Trapeze Networks.

  5. Differential Cryptanalytic Attack • M = Mi xor Mj and D = Di xor Dj • Analysis of Michael results in special characteristicdifferences where a difference in input is highly likely to produce a corresponding difference in output. • Attacker looks for different inputs which have characteristic differences. • The best attack assumes that inputs have same length! Dan Harkins, Trapeze Networks.

  6. Differential Cryptanalytic Attack • Attacker must store lots of data to compute the various M and D • n pairs of inputs means n! comparisons possible. • After finding characteristic differentials it is possible to start attacking the MIC to learn bits of the key. • Probability of success after 230 attempts. • Not a trivial attack, storage and compute intensive. Dan Harkins, Trapeze Networks.

  7. Differential Cryptanalytic Attack • An O(229) attack is possible • Requires that the messages only differ in the last byte • In TKIP M is encrypted (and so is D). It would be very difficult to acquire these special messages. • This is an attack against raw Michael Dan Harkins, Trapeze Networks.

  8. Differential Cryptanalytic Attack • The bits of the key do not influence the characteristicdifferentials. • That is because the same key was involved in both data sets and cancels itself out in the differential! • But that means that a rekey will thwart the attack. • The difference cannot be characteristic if Di and Dj were produced with different keys. Dan Harkins, Trapeze Networks.

  9. What does this mean? • The 230 attack requires quite a bit of storage and processing (and an assumption that may increase the number of inputs necessary to compare) • The 232 attack is a classic script kiddie attack • Strength of Michael is more like 230 not 220 • The countermeasures should be re-evaluated Dan Harkins, Trapeze Networks.

  10. Countermeasures • We want the attack to take, on average, once per year • 1 year is 31536000 seconds • 230 attempts is 1073741824 • 1073741824 attempts in 31536000 seconds implies approximately 34 attempts per second. • Limiting to one guess per 30ms achieves the goal. • 30ms is quite a bit better than 60 seconds! Dan Harkins, Trapeze Networks.

  11. Countermeasures • Rekeying the security association under attack will thwart the differential cryptanalytic attack • If the birthday attack is done against digests produced with different keys the resulting forgery is (ideally) indistinguishable from random noise. • Chances of that looking like a valid ethernet protocol: slim • Chances of that looking like a valid ethernet protocol and a valid IP protocol with a valid IP checksum: none Dan Harkins, Trapeze Networks.

  12. Countermeasures • In addition, the birthday attack is not affected by shutting down the entire BSS or just the STA under attack • The attacker passively searches for digests that match his target. • By the time a match is found the forgery will be successful and countermeasures will not take effect! Dan Harkins, Trapeze Networks.

  13. Recommendations • Cease communication for 100ms not 60s • 30ms would cause the differential cryptanalytic attack to take, on average, one year. • Differential cryptanalytic attack is experimental so increasing the delay to 100ms should give a comfortable cushion • Only cease communication with the security association under attack not the entire BSS • There is no need to shut down the entire BSS. Dan Harkins, Trapeze Networks.

  14. Recommendations • Alternatively we could: • Rekey a security association after n MIC failures (choose a “comfortable” value for n) • Do not cease communication between failures • This is because rekeying the security association thwarts the attack the countermeasures are designed to deal with. Dan Harkins, Trapeze Networks.

More Related