Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 1 Attacks against Michael and.

Published byGiles Stephens Modified over 8 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 1 Attacks against Michael and."— Presentation transcript:

1 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 1 Attacks against Michael and Their Countermeasures Dan Harkins Trapeze Networks

2 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 2 Michael MIC is weak Forgery is possible by different attacks Countermeasures are specified to keep the time necessary to mount an attack at a reasonable level. Countermeasures assume attack against Michael is O(2 20 ), countermeasures are therefore very draconian– shut the BSS down for 60 seconds! Notation: D = MIC(M)

3 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 3 Dumb Brute Force Attack Each forgery attempt is essentially sending garbage and hoping it passes. Each attempt has a probability of success, P, of 0.0000000000000000000542 P after n attempts = 1 – ((2 64 – 1)/2 64 ) n After 2 64 attempts P = 1 – 1/e, approximately 0.63 Requires no storage, no intelligence but takes a very long time. –100,000 attempts/second still takes 5.8 million years We will not worry about this attack.

4 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 4 Birthday Attack Attacker keeps a D, M pair: D 1 = MIC(M 1 ) Looks at other pairs: D i = MIC(M i ) When D i = D 1 (and i != 1) attack is successful Probability of success after 2 32 attempts If D 1 and D i were MICd with different keys the successful attack will result in a forgery of garbage (an undecryptable packet)

5 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 5 Differential Cryptanalytic Attack  M = M i xor M j and  D = D i xor D j Analysis of Michael results in special characteristic differences where a difference in input is highly likely to produce a corresponding difference in output. Attacker looks for different inputs which have characteristic differences. The best attack assumes that inputs have same length!

6 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 6 Differential Cryptanalytic Attack Attacker must store lots of data to compute the various  M and  D n pairs of inputs means n! comparisons possible. After finding characteristic differentials it is possible to start attacking the MIC to learn bits of the key. Probability of success after 2 30 attempts. Not a trivial attack, storage and compute intensive.

7 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 7 Differential Cryptanalytic Attack An O(2 29 ) attack is possible Requires that the messages only differ in the last byte In TKIP M is encrypted (and so is D). It would be very difficult to acquire these special messages. This is an attack against raw Michael

8 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 8 Differential Cryptanalytic Attack The bits of the key do not influence the characteristic differentials. That is because the same key was involved in both data sets and cancels itself out in the differential! But that means that a rekey will thwart the attack. The difference cannot be characteristic if Di and Dj were produced with different keys.

9 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 9 What does this mean? The 2 30 attack requires quite a bit of storage and processing (and an assumption that may increase the number of inputs necessary to compare) The 2 32 attack is a classic script kiddie attack Strength of Michael is more like 2 30 not 2 20 The countermeasures should be re-evaluated

10 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 10 Countermeasures We want the attack to take, on average, once per year –1 year is 31536000 seconds –2 30 attempts is 1073741824 –1073741824 attempts in 31536000 seconds implies approximately 34 attempts per second. –Limiting to one guess per 30ms achieves the goal. 30ms is quite a bit better than 60 seconds!

11 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 11 Countermeasures Rekeying the security association under attack will thwart the differential cryptanalytic attack If the birthday attack is done against digests produced with different keys the resulting forgery is (ideally) indistinguishable from random noise. –Chances of that looking like a valid ethernet protocol: slim –Chances of that looking like a valid ethernet protocol and a valid IP protocol with a valid IP checksum: none

12 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 12 Countermeasures In addition, the birthday attack is not affected by shutting down the entire BSS or just the STA under attack The attacker passively searches for digests that match his target. By the time a match is found the forgery will be successful and countermeasures will not take effect!

13 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 13 Recommendations Cease communication for 100ms not 60s –30ms would cause the differential cryptanalytic attack to take, on average, one year. –Differential cryptanalytic attack is experimental so increasing the delay to 100ms should give a comfortable cushion Only cease communication with the security association under attack not the entire BSS –There is no need to shut down the entire BSS.

14 doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 14 Recommendations Alternatively we could: –Rekey a security association after n MIC failures (choose a “comfortable” value for n) –Do not cease communication between failures This is because rekeying the security association thwarts the attack the countermeasures are designed to deal with.

Download ppt "Doc.: IEEE 802.11-03/211r0-Michael-Attacks-And-Countermeasures Submission March 2003 Dan Harkins, Trapeze Networks.Slide 1 Attacks against Michael and."

Similar presentations

Doc.: IEEE 802.11-08/0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: 2008-07-13 Authors:

Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Doc.: IEEE 802.11-09/0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: 2009-03-08 Authors:

Doc.: IEEE /0283r0 Submission March 2009 Dan Harkins, Aruba NetworksSlide 1 Suggested Changes to the Abbreviated Handshake Date: Authors:
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Cryptography and Network Security

Cryptography and Network Security
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Message Authentication and Hash functions

Message Authentication and Hash functions
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Cryptography and Network Security, resuming some notes Dr. M. Sakalli.

Cryptography and Network Security, resuming some notes Dr. M. Sakalli.
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.

IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
15 November 2004 1 Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.

15 November Wireless Security Issues Cheyenne Hollow Horn SFS Presentation 2004.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.

1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
WLAN What is WLAN? Physical vs. Wireless LAN

WLAN What is WLAN? Physical vs. Wireless LAN
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.

Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.

Similar presentations

Ads by Google