
[STDS-802-11] REVme: Protected BA - addressing new vulnerabilities



--- This message came from the IEEE 802.11 Working Group Reflector ---

Hi All,

Thank you for the discussion during today’s REVme call.

I am starting this email conversation so that we can converge on how to address the following two vulnerabilities:

1. Injection of a fake Data frame: Attacker injects a Data frame with an arbitrary SN. The attack won’t be detected until decryption/integrity check. But by then, the scoreboard context (and possibly WinStartR) will get updated.

2. Replay a genuine Data frame with a modified SN: Attacker records a genuine (A)MPDU and replays it with modified SN(s) [note, SN is not protected]. Since it is a replayed frame, it will pass decryption and integrity check. The attack goes unnoticed until PN-based replay check is performed (which comes later in the processing chain). By this time, the scoreboard context (and possibly WinStartR) will get updated. It also makes a fake entry in the reorder buffer (and possibly updates WinStartB).

A summary of the proposed fix (as described in doc 11-22/0082r3) was as follows:

1. If an MPDU does not pass decryption or integrity check and

   · If the recipient STA maintains full state, then the recipient STA shall not update the value of WinStartR and shall clear the BA scoreboard context for that MPDU.

   · If the recipient STA maintains partial state, then the recipient STA shall clear the BA scoreboard context.

2. If replay check fails for an MPDU that was successfully decrypted and passed integrity check and

   · If the recipient STA maintains full state, then the recipient STA shall not update the value of WinStartB and WinStartR, shall clear the scoreboard context for that MPDU, and shall clear the entry for that MPDU from the reorder buffer.

   · If the recipient STA maintains partial state, then the recipient STA shall not update the value of WinStartB, shall clear the scoreboard context, and shall clear the entry for that MPDU from the reorder buffer.

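To make the processing-chain ordering and the proposed fix concrete, here is a small constructed model of a full-state Block Ack recipient's receive path (scoreboard with WinStartR, reorder buffer with WinStartB, decryption/integrity check, then PN replay check, in that order). It is an added illustration, not text from the draft, from doc 11-22/0082r3, or from any implementation. The `Mpdu`, `Recipient`, window sizes, SN/PN values and the `mic_ok` flag (a stand-in for the real decryption/integrity outcome) are all assumptions of the example. The "fix" is realised as snapshot-and-rollback of the state the proposal says must not change, which covers only the full-state variant of the proposal:

```python
"""Constructed model of a Block Ack recipient's receive path.

Order of processing (as in the email): scoreboard update on arrival,
decryption/integrity check, reorder-buffer update, PN replay check.
With protected=False the scoreboard/reorder state is left as the bad
MPDU changed it; with protected=True the proposed fix is applied.
"""
from dataclasses import dataclass, field

SN_MOD = 4096  # 12-bit sequence number space


@dataclass
class Mpdu:
    sn: int
    pn: int
    mic_ok: bool  # assumed: outcome of the decryption/integrity check


@dataclass
class Recipient:
    protected: bool = True
    win_size: int = 8
    win_start_r: int = 0                                  # scoreboard window start
    scoreboard: set = field(default_factory=set)          # SNs marked received
    win_start_b: int = 0                                  # reorder-buffer window start
    reorder: dict = field(default_factory=dict)           # SN -> MPDU awaiting release
    last_pn: int = -1                                     # highest accepted PN
    delivered: list = field(default_factory=list)         # SNs passed up in order

    def _offset(self, sn, start):
        return (sn - start) % SN_MOD

    def _in_window(self, sn, start):
        return self._offset(sn, start) < self.win_size

    def _beyond_window(self, sn, start):
        # SN ahead of the window; offsets >= SN_MOD/2 are treated as old SNs
        return self.win_size <= self._offset(sn, start) < SN_MOD // 2

    def _scoreboard_update(self, sn):
        if self._beyond_window(sn, self.win_start_r):
            self.win_start_r = (sn - self.win_size + 1) % SN_MOD
            self.scoreboard = {s for s in self.scoreboard
                               if self._in_window(s, self.win_start_r)}
        if self._in_window(sn, self.win_start_r):
            self.scoreboard.add(sn)

    def _reorder_insert(self, mpdu):
        if self._beyond_window(mpdu.sn, self.win_start_b):
            self.win_start_b = (mpdu.sn - self.win_size + 1) % SN_MOD
        if self._in_window(mpdu.sn, self.win_start_b):
            self.reorder[mpdu.sn] = mpdu

    def _release(self):
        # Entries that fell out of the window go up first, then in-order entries.
        for s in sorted(self.reorder):
            if not self._in_window(s, self.win_start_b):
                self.delivered.append(self.reorder.pop(s).sn)
        while self.win_start_b in self.reorder:
            self.delivered.append(self.reorder.pop(self.win_start_b).sn)
            self.win_start_b = (self.win_start_b + 1) % SN_MOD

    def receive(self, mpdu):
        # Snapshot of the state the proposed fix says a bad MPDU must not disturb.
        saved = (self.win_start_r, set(self.scoreboard), self.win_start_b, dict(self.reorder))
        self._scoreboard_update(mpdu.sn)          # happens before decryption
        if not mpdu.mic_ok:                       # vulnerability 1: injected frame
            if self.protected:                    # fix 1: keep WinStartR, clear the bit
                self.win_start_r, self.scoreboard = saved[0], saved[1]
            return "discard:integrity"
        self._reorder_insert(mpdu)                # WinStartB may move here
        if mpdu.pn <= self.last_pn:               # vulnerability 2: replayed frame
            if self.protected:                    # fix 2: keep WinStartR/WinStartB, drop entry
                (self.win_start_r, self.scoreboard,
                 self.win_start_b, self.reorder) = saved
            else:                                 # unfixed: only the frame itself is dropped
                self.reorder.pop(mpdu.sn, None)
                self._release()
            return "discard:replay"
        self.last_pn = mpdu.pn
        self._release()
        return "accept"


def run_scenario(protected):
    """Genuine SN 0..2, then the two attacks from the email, then genuine SN 3."""
    rx = Recipient(protected=protected)
    for sn, pn in [(0, 1), (1, 2), (2, 3)]:               # constructed genuine traffic
        rx.receive(Mpdu(sn, pn, True))
    rx.receive(Mpdu(sn=100, pn=0, mic_ok=False))           # injected, arbitrary SN
    after_injection = (rx.win_start_r, sorted(rx.scoreboard))
    rx.receive(Mpdu(sn=50, pn=3, mic_ok=True))             # replay of PN 3, SN rewritten
    after_replay = (rx.win_start_b, sorted(rx.reorder))
    rx.receive(Mpdu(sn=3, pn=4, mic_ok=True))              # next genuine MPDU
    return {
        "win_start_r_after_injection": after_injection[0],
        "scoreboard_after_injection": after_injection[1],
        "win_start_b_after_replay": after_replay[0],
        "sn3_scored": 3 in rx.scoreboard,
        "delivered": list(rx.delivered),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("protected" if flag else "unprotected", run_scenario(flag))
```

In the unprotected run the injected frame drags WinStartR to 93 and empties the scoreboard, and the replayed frame moves WinStartB to 43, so the next genuine MPDU (SN 3) is neither acknowledged nor delivered. In the protected run both windows stay where genuine traffic left them and SN 3 is scored and delivered. Snapshot-and-rollback is a simplification for the model; a real receive path would have to avoid committing WinStartR/WinStartB and the scoreboard bit until the checks have completed, which is the ordering problem the email is raising.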
We discussed the proposal during today’s (January 20th) REVme call but could not come to an agreement.

I’d like to hear opinions on the proposal and alternative suggestions to address these vulnerabilities.

Regards,

Abhi

