CRYPTOGRAPHY & COMPUTER SECURITY CS265 Project Report By Laxmi Nissanka Rao Sang Soo Kim Date: 03/25/2005 TKIP (Temporal Key Integrity Protocol) 1. Introduction WEP (Wired Equivalent Privacy) is a security mechanism specified by the original IEEE 802.11 standard and is widely used in many WLAN networks. However, recent discoveries of effective cryptanalytic attacks on WEP indicate that the level of security provided by WEP is insufficient. In order to prevent all the known attacks in WEP and to make WLAN more secure, IEEE 802.11i defined a new security standard. IEEE 802.11i specifies two protocols: TKIP (Temporal Key Integrity Protocol) and CCMP (Counter mode with CBC-MAC Protocol). We will focus our discussion on TKIP. 2. Design Constraints One of the design goals of TKIP is to be backward-compatible with existing WEP products. That is, a simple software upgrade can be applied to WEP hardware systems to make work in TKIP mode. Since we have installed TKIP on the same hardware architecture, TKIP must use the inherent RC4 encryption/decryption chips on the system. Furthermore, it must also assume that the available computing processor is old and not fast, therefore, the TKIP algorithm must be efficient and simple. 3. TKIP Description TKIP adds the following new components to WEP: A Message Integrity Code (MIC); also called Micheal. A per-packet key mixing algorithm Key Management Michael: WEP uses CRC-32 for message integrity check. Since CRC is not designed exclusively for message integrity check but for detecting transmission errors, CRC is weak. TKIP employs a new message integrity mechanism called, Michael. The Message Integrity Code, also called Micheal, consists of three components: the secret key K, shared only between the sending and the receiving parties, the tagging function and the verification function. The tagging function takes the key K and the message M as the inputs and generates a tag T that is sent along with the encrypted message M’. The receiving party, on receiving the encrypted message M’ along with the tag T, calls the verification function with M’, T and key K as inputs. The verification function returns ‘false’ if the received tag T does not match the computed tag implying that the message has been modified. If the verification function returns ‘true’, the message is presumed to be un-tampered. The tagging function used by Micheal is designed by Neils Fergusan. The key used is 64 bit long and is represented as two 32-bit blocks (K0, K1). The Micheal tagging function first appends a hexadecimal of 0x5A and then enough zero pads to the message to make the length of the message M a multiple of 32-bit blocks. These blocks are represented as M1, M2, ..., Mn and the tag is computed as follows: (L, K) (K0,K1) for i = 1 to n L L ^ Mi (L, R) f(L, R) end loop return (L, R) where function f is a combination of rotates, additions and bit swaps. The verification function re-computes the tag over the decrypted message M and returns a true if the computed tag matches the received tag. One interesting aspect of Michael is that the algorithm is not secure due to its simple design. As I mentioned before, the designers of TKIP wanted algorithms to be simple and efficient. Because the hardware environment is presumed to be the old and slow WEP system, they did not want to use some famous Hash Function such as MD5 and suffer performance degradation. In order to make the Michael more secure, TKIP encrypts the hash value along with other fields. Furthermore, the Michael Key is updated every one minute. With this design, “the maximum expected number of message integrity error is one per year” [1]. Key Mixing Algorithm: TKIP fixes the small initialization vector (IV) and short encryption key problems with WEP by using longer key. It uses a 128-bit encryption key, a 48-bit IV, and a 64-bit authentication key. In addition to increased key length, TKIP also guarantees a unique key to be used for each packet. There is a mixing function that creates a new per-packet WEP key by taking the 1) base key(128-bit encryption key), 2)transmitter MAC address, and 3)packet sequence number as inputs. (See the diagram below) Transmit MAC Address TKIP Sequence Number (48 bits) Encryption Key Per-Packet Key Mixing Ciphertext MPDU(s) Per-Packet WEP Key WEP Fragment Michael Key Plaintext MPDU(s) Michael PlainText MSDU Plaintext MPDU + MIC TKIP message process Courtesy [1] The TKIP Sequence Number is an extended feature on WEP. It is a 48-bit value identifying the packet as it traverses across the network. It is similar to sequence number field in TCP protocol. This added feature prevents replay attacks, in which the attacker resends a previously captured packet, tampering with data integrity. Key Management: The Key Management is not supported in WEP, and all the network stations use the same key. It is also troublesome to change the key often. TKIP adopted IEEE 802.1X, which provides both authentication and key management capabilities. Using IEEE 802.1X, TKIP generates per-user, per-session keys. Therefore, TKIP can authenticate users and distribute different keys among the users. For example, we have mentioned above that the Michael Key gets periodically changed for increased message integrity security. 4. After TKIP: CCMP TKIP is a quick, short-term solution to the problems of WEP. Since TKIP was initially designed to work on the existing WEP hardware, it had limited design choices. For example, RC4 is used since it is already implemented on the hardware. On the other hand, CCMP, unlike TKIP, is designed from scratch. Even though CCMP is another security protocol specified in IEEE 802.11i, CCMP uses 128-bit advanced encryption standard (AES) rather than RC4. Furthermore, there is no assumption of using low computing processors as in TKIP and that use of simple and efficient algorithm, is not a big concern anymore. The following table compares the three WLAN security protocols. Key Size Per-packet key generation Integrity of Packet Header WEP RC4 40 or 104-bit encryption 24-bit wrapping IV Concatenate IV to base key None Packet Data Replay detection CRC-32 None Key Management None TKIP RC4 128-bit encryption 64-bit authentication 48-bit IV TKIP key mixing function Source and destination addresses protected by Micheal Micheal Enforse IV sequencing IEEE 802.1x Comparison of WEP vs IEEE 802.11i Courtesy [1] CCMP AES 128 48-bit IV Not needed CCM CCM Enforse IV sequencing IEEE 802.1x List of References: [1] Nancy Cam-Winget, Russ Housley, Davis Wagner, and Jesse Walker, “Security flaws in 802.11 data link protocols”, Communications of the ACM Vol 46, Number 5, 2003 http://libaccess.sjsu.edu:2225/10.1145/770000/769823/p35-cam_winget.pdf [2] Karen Hanley, “Wi-Fi Protected Access”, Wi-Fi Alliance http://www.wifi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf [3] Bruce Potter, “Wireless Security’s Future”, IEEE Security & Privacy, July/August 2003 http://libaccess.sjsu.edu:2084/iel5/8013/27399/01219074.pdf [4] Avishai Wool, “A note on the fragility of the Michael message integrity code” http://libaccess.sjsu.edu:2209/iel5/7693/29589/01343878.pdf [5] Jesse Walker, 802.11 “Security Series, Part II: The Temporal Key Integrity Protocol (TKIP)” http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf