论文信息 - Security Analysis of Michael: The IEEE 802.11i Message Integrity Code

Security Analysis of Michael: The IEEE 802.11i Message Integrity Code

The latest IEEE 802.11i uses a keyed hash function, called Michael, as the message integrity code. This paper describes some properties and weaknesses of Michael. We provide a necessary and sufficient condition for finding collisions of Michael. Our observation reveals that the collision status of Michael only depends on the second last block message and the output of the block function in the third last round. We show that Michael is not collision-free by providing a method to find collisions of this keyed hash function. Moreover, we develop a method to find fixed points of Michael. If the output of the block function in any round is equal to any of these fixed points, a packet forgery attack could be mounted against Michael. Since the Michael value is encrypted by RC4, the proposed packet forgery attack does not endanger the security of the whole TKIP system.

Jennifer Seberry | Willy Susilo | Jianyong Huang | Martin W. Bunder

[1] John Ioannidis,et al. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP , 2002, NDSS.

[2] David A. Wagner,et al. Intercepting mobile communications: the insecurity of 802.11 , 2001, MobiCom '01.

[3] Adi Shamir,et al. Weaknesses in the Key Scheduling Algorithm of RC4 , 2001, Selected Areas in Cryptography.

[4] William A. Arbaugh,et al. Your 80211 wireless network has no clothes , 2002, IEEE Wirel. Commun..

[5] Avishai Wool,et al. A note on the fragility of the "Michael" message integrity code , 2004, IEEE Transactions on Wireless Communications.

[6] Richard A. Johnson. Miller & Freund's Probability and Statistics for Engineers , 1993 .

[7] William A. Arbaugh,et al. YOUR 802.11 WIRELESS NETWORK HAS NO CLOTHES , 2001 .