Temporal Key Temporal Key Integrity Integrity

Protocol (TKIP)Protocol (TKIP)Presented By:Presented By:

Laxmi Nissanka RaoLaxmi Nissanka RaoKim Sang SooKim Sang Soo

AgendaAgenda Disadvantages of WEPDisadvantages of WEP Design ConstraintsDesign Constraints Components of TKIPComponents of TKIP Putting the pieces togetherPutting the pieces together QuestionsQuestions

Disadvantages of WEPDisadvantages of WEP WEP provides no forgery protectionWEP provides no forgery protection No protection against Message ReplaysNo protection against Message Replays WEP misuses the RC4 encryption WEP misuses the RC4 encryption

algorithm in a way that exposes the algorithm in a way that exposes the protocol to weak key attacksprotocol to weak key attacks

By reusing initialization vectors, WEP By reusing initialization vectors, WEP enables an attacker to decrypt the enables an attacker to decrypt the encrypted data without ever learning encrypted data without ever learning the encryption key the encryption key

Design ConstraintsDesign Constraints WEP-patches, on the already WEP-patches, on the already

deployed hardware, have to depend deployed hardware, have to depend entirely on software upgrades.entirely on software upgrades.

The paucity of the CPU cycles.The paucity of the CPU cycles. The hardwiring of the encryption The hardwiring of the encryption

algorithm. algorithm.

TKIPTKIP Temporal Key Integrity Protocol Temporal Key Integrity Protocol

(TKIP) is the TaskGroupi’s solution (TKIP) is the TaskGroupi’s solution for the security loop holes present in for the security loop holes present in the already deployed 802.11 the already deployed 802.11 hardware hardware

It is a set of algorithms that wrap It is a set of algorithms that wrap WEP to give the best possible WEP to give the best possible solution given all the above solution given all the above mentioned design constraints. mentioned design constraints.

Components of TKIPComponents of TKIP A cryptographic message integrity code, or A cryptographic message integrity code, or

MIC, called Michael: to defeat forgeries; MIC, called Michael: to defeat forgeries; A new IV sequencing discipline: to remove A new IV sequencing discipline: to remove

replay attacks from the attacker’s arsenal; replay attacks from the attacker’s arsenal; A per-packet key mixing function: to de-A per-packet key mixing function: to de-

correlate the public IVs from weak keys correlate the public IVs from weak keys A re-keying mechanism: to provide fresh A re-keying mechanism: to provide fresh

encryption and integrity keys, undoing the encryption and integrity keys, undoing the threat of attacks stemming from key reuse. threat of attacks stemming from key reuse.

Defeating Forgeries: Defeating Forgeries: MichaelMichael

Every MIC has three components: a Every MIC has three components: a secret authentication key K (shared secret authentication key K (shared only between the sender and only between the sender and receiver), a tagging function, and a receiver), a tagging function, and a verification predicate. verification predicate.

Designed by Niels Ferguson. Designed by Niels Ferguson.

Michael (contd.)Michael (contd.) 64-bit Michael key: represented as two 32-bit words 64-bit Michael key: represented as two 32-bit words

(K0,K1).(K0,K1). The tagging function first pads a message with the

hex value 0x5a and enough zero pad to bring the total message length to a multiple of 32-bits, then partitions the result into a sequence of 32-bit words M1 M2 … Mn.

(L,R) ← (K0,K1) (L,R) ← (K0,K1) do i from 1 to n do i from 1 to n

L ← L ^ Mi L ← L ^ Mi (L,R) ← b (L,R) (L,R) ← b (L,R)

return (L,R) as the tag return (L,R) as the tag

Where b is a function built up from rotates, little-Where b is a function built up from rotates, little-Endean additions, and bit swaps. Endean additions, and bit swaps.

Michael: Tagging Michael: Tagging FunctionFunction

Michael Tagging Function

MIC Key

SA + DA +PlainTextMSDU

SA + DA + PlaintextMSDU + MIC

Michael: Verification Michael: Verification PredicatePredicate

MIC’

MSDU with failed TKIP

MIC

MIC =MIC’?

MIC

Michael

MIC Key

SA + DA + Plaintext MSDU

Counter Measures

PlaintextMSDU

Michael (contd.)Michael (contd.) The design goal of the counter-The design goal of the counter-

measures is to throttle the utility of measures is to throttle the utility of forgery attempts.forgery attempts.

If a TKIP implementation detects If a TKIP implementation detects two failed forgeries in a second, the two failed forgeries in a second, the design assumes it is under active design assumes it is under active attack. The station deletes its keys, attack. The station deletes its keys, disassociates, waits for a minute, disassociates, waits for a minute, and then re-associates. and then re-associates.

Defeating replays: IV Defeating replays: IV sequence enforcement sequence enforcement

TKIP reuses the WEP IV field as a TKIP reuses the WEP IV field as a packet sequence number. packet sequence number.

Both transmitter and receiver Both transmitter and receiver initialize the packet sequence space initialize the packet sequence space to zero whenever new TKIP keys are to zero whenever new TKIP keys are set, and the transmitter increments set, and the transmitter increments the sequence number with each the sequence number with each packet it sends. packet it sends.

IV sequence enforcement IV sequence enforcement (contd.)(contd.)

TKIP defines a packet as out-of-TKIP defines a packet as out-of-sequence if its IV is the same or sequence if its IV is the same or smaller than a previous correctly smaller than a previous correctly received MPDU associated with the received MPDU associated with the same encryption key. same encryption key.

If an MPDU arrives out of order, If an MPDU arrives out of order, then it is considered to be a replay, then it is considered to be a replay, and the receiver discards it and and the receiver discards it and increments a replay counter. increments a replay counter.

Per-Packet Key MixingPer-Packet Key Mixing WEPWEP constructs a per-packet key by constructs a per-packet key by

simply concatenating a base-key and simply concatenating a base-key and the IVthe IV

TKIPTKIP constructs a per-packet key by constructs a per-packet key by going through 2 key mixing phasesgoing through 2 key mixing phases The mixing phases make difficult for an The mixing phases make difficult for an

attacker to correlate IVs and per-packet attacker to correlate IVs and per-packet keykey

Per-Packet Key Mixing: 1Per-Packet Key Mixing: 1stst PhasePhase

XORs the XORs the MAC addressMAC address of the station and of the station and the the temporal keytemporal key to produce an to produce an intermediate keyintermediate key

Mixing MAC and the temporary key in this Mixing MAC and the temporary key in this way causes different stations and APs to way causes different stations and APs to generate different generate different intermediate keys,intermediate keys, even even if they have the same temporal keyif they have the same temporal key

For performance optimizationFor performance optimization, , intermediate keyintermediate key is computed only when is computed only when the temporal key is changed (and most of the temporal key is changed (and most of the time its value is saved on memory)the time its value is saved on memory)

Per-Packet Key Mixing: 2nd Per-Packet Key Mixing: 2nd PhasePhase

Takes the packet sequence number and Takes the packet sequence number and encrypts it using the encrypts it using the intermediate keyintermediate key from from the first phase, producing finally a 128-bit the first phase, producing finally a 128-bit per-packet keyper-packet key

In actuality, the first 3 bytes (24 bits) of Phase 2 output corresponds exactly to the WEP IV, and the last 13 bytes to the WEP base key.

Now we can use the existing WEP hardware Now we can use the existing WEP hardware to do the encryption using the per-packet keyto do the encryption using the per-packet key

Per-Packet Key Mixing: Per-Packet Key Mixing: DiagramDiagram

Phase 1

Phase 2

Temporal Key

MAC Addr

Intermediate Key

Sequence Number

Per-packet key

ReKey MechanismReKey Mechanism Refers to a process of delivering fresh Refers to a process of delivering fresh

encryption and integrity keys (MIC Keys) encryption and integrity keys (MIC Keys) to the stations and APsto the stations and APs

Accomplished by employing IEEE Accomplished by employing IEEE 802.1X802.1X

Defines an authentication server that Defines an authentication server that distributes keysdistributes keys

TKIP uses three distinct keysTKIP uses three distinct keys1.1. Temporal keysTemporal keys2.2. key encryption keyskey encryption keys3.3. master keysmaster keys

Temporal KeysTemporal Keys Two Temporal Key types:Two Temporal Key types:

128-bit encryption key128-bit encryption key 64-bit Michael key64-bit Michael key

Used by stations and APs for normal Used by stations and APs for normal TKIP communicationTKIP communication

Key Encryption KeysKey Encryption Keys As the name suggests, a temporal key is As the name suggests, a temporal key is

“temporal” and needs to be updated “temporal” and needs to be updated frequentlyfrequently

Key Encryption KeysKey Encryption Keys encrypt the encrypt the information regarding the key distribution. information regarding the key distribution. They protect the Temporal Keys.They protect the Temporal Keys.

Requires two distinct key encryption keysRequires two distinct key encryption keys1.1. To encrypt the distributed Keying materialTo encrypt the distributed Keying material2.2. To protect the re-key messages from forgeryTo protect the re-key messages from forgery

Master KeyMaster Key Used to secure the distribution of Used to secure the distribution of

the key encryption keysthe key encryption keys Also related to TKIP’s support of Also related to TKIP’s support of

user authentication:user authentication: A station gets a master key after it is A station gets a master key after it is

“authenticated”“authenticated”

ReKey SummaryReKey Summary

Master KeyMaster Key encrypts Key Encryption KeysKey Encryption Keys

Key Encryption KeysKey Encryption Keys encrypt Temporal KeysTemporal Keys

Temporal KeysTemporal Keys encrypt User DataUser Data

Authentication Server generates a Master KeyMaster Key

Station is Authenticated

TKIP Encryption ProcessTKIP Encryption Process

Phase 2Key

Mixing

Michael Fragment(s)

WEPEncapsulation

TKIP Sequence Counter(s)

MIC Key

SA + DA +PlainText

MSDUPlaintextMPDU(s)

PlaintextMSDU + MIC

CiphertextMPDU(s)

WEP seed(s)Represented

as WEP IV + RC4 KeyPhase 1

KeyMixingMAC

Address

Temporal Key

Intermediate Key

TKIP Decryption ProcessTKIP Decryption Process

Phase IIKey

MixingMichael

WEPDecapsulation

TKIP Sequence Counter

MIC KeyCiphertext

PlaintextMPDU

WEP seedPhase 1

KeyMixing

MACAddress

Intermediate Key

Unmix IV

Reassemble

MPDU

WEP IV

Out of Sequence

MPDU

In Sequence

MPDU

SA + DA + Plaintext MSDU

MSDU with failed TKIP MIC

MIC =MIC’?

MIC

Counter Measures

MIC’

PlaintextMSDU

Temporal Key

Q&AQ&A

ReferencesReferences http://www.tech-faq.com/wireless-nehttp://www.tech-faq.com/wireless-ne

tworks/tkip-temporal-key-integrity-prtworks/tkip-temporal-key-integrity-protocol.shtmlotocol.shtml

http://www.tech-faq.com/wireless-nehttp://www.tech-faq.com/wireless-networks/tkip-temporal-key-integrity-prtworks/tkip-temporal-key-integrity-protocol.shtmlotocol.shtml

http://cache-www.intel.com/cd/http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf00/00/01/77/17769_80211_part2.pdf