CRYPTOGRAPHY & COMPUTER SECURITY

advertisement
CRYPTOGRAPHY & COMPUTER SECURITY
CS265
Project Report
By
Laxmi Nissanka Rao
Sang Soo Kim
Date:
03/25/2005
TKIP (Temporal Key Integrity Protocol)
1. Introduction
WEP (Wired Equivalent Privacy) is a security mechanism specified by the original
IEEE 802.11 standard and is widely used in many WLAN networks. However, recent
discoveries of effective cryptanalytic attacks on WEP indicate that the level of security
provided by WEP is insufficient. In order to prevent all the known attacks in WEP and to
make WLAN more secure, IEEE 802.11i defined a new security standard. IEEE 802.11i
specifies two protocols: TKIP (Temporal Key Integrity Protocol) and CCMP (Counter
mode with CBC-MAC Protocol). We will focus our discussion on TKIP.
2. Design Constraints
One of the design goals of TKIP is to be backward-compatible with existing WEP
products. That is, a simple software upgrade can be applied to WEP hardware systems to
make work in TKIP mode. Since we have installed TKIP on the same hardware
architecture, TKIP must use the inherent RC4 encryption/decryption chips on the system.
Furthermore, it must also assume that the available computing processor is old and not
fast, therefore, the TKIP algorithm must be efficient and simple.
3. TKIP Description
TKIP adds the following new components to WEP:



A Message Integrity Code (MIC); also called Micheal.
A per-packet key mixing algorithm
Key Management
Michael:
WEP uses CRC-32 for message integrity check. Since CRC is not designed
exclusively for message integrity check but for detecting transmission errors, CRC is
weak. TKIP employs a new message integrity mechanism called, Michael.
The Message Integrity Code, also called Micheal, consists of three components: the
secret key K, shared only between the sending and the receiving parties, the tagging
function and the verification function. The tagging function takes the key K and the
message M as the inputs and generates a tag T that is sent along with the encrypted
message M’. The receiving party, on receiving the encrypted message M’ along with the
tag T, calls the verification function with M’, T and key K as inputs. The verification
function returns ‘false’ if the received tag T does not match the computed tag implying
that the message has been modified. If the verification function returns ‘true’, the
message is presumed to be un-tampered.
The tagging function used by Micheal is designed by Neils Fergusan. The key used is 64
bit long and is represented as two 32-bit blocks (K0, K1).
The Micheal tagging function first appends a hexadecimal of 0x5A and then enough zero
pads to the message to make the length of the message M a multiple of 32-bit blocks.
These blocks are represented as M1, M2, ..., Mn and the tag is computed as follows:
(L, K)  (K0,K1)
for i = 1 to n
L  L ^ Mi
(L, R)  f(L, R)
end loop
return (L, R)
where function f is a combination of rotates, additions and bit swaps.
The verification function re-computes the tag over the decrypted message M and
returns a true if the computed tag matches the received tag.
One interesting aspect of Michael is that the algorithm is not secure due to its simple
design. As I mentioned before, the designers of TKIP wanted algorithms to be simple
and efficient. Because the hardware environment is presumed to be the old and slow
WEP system, they did not want to use some famous Hash Function such as MD5 and
suffer performance degradation.
In order to make the Michael more secure, TKIP encrypts the hash value along with other
fields. Furthermore, the Michael Key is updated every one minute. With this design,
“the maximum expected number of message integrity error is one per year” [1].
Key Mixing Algorithm:
TKIP fixes the small initialization vector (IV) and short encryption key problems
with WEP by using longer key. It uses a 128-bit encryption key, a 48-bit IV, and a 64-bit
authentication key.
In addition to increased key length, TKIP also guarantees a unique key to be used for
each packet. There is a mixing function that creates a new per-packet WEP key by taking
the 1) base key(128-bit encryption key), 2)transmitter MAC address, and 3)packet
sequence number as inputs. (See the diagram below)
Transmit
MAC
Address
TKIP
Sequence
Number
(48 bits)
Encryption
Key
Per-Packet
Key
Mixing
Ciphertext
MPDU(s)
Per-Packet WEP Key
WEP
Fragment
Michael
Key
Plaintext
MPDU(s)
Michael
PlainText
MSDU
Plaintext
MPDU + MIC
TKIP message process
Courtesy [1]
The TKIP Sequence Number is an extended feature on WEP. It is a 48-bit value
identifying the packet as it traverses across the network. It is similar to sequence number
field in TCP protocol. This added feature prevents replay attacks, in which the attacker
resends a previously captured packet, tampering with data integrity.
Key Management:
The Key Management is not supported in WEP, and all the network stations use
the same key. It is also troublesome to change the key often. TKIP adopted IEEE
802.1X, which provides both authentication and key management capabilities. Using
IEEE 802.1X, TKIP generates per-user, per-session keys. Therefore, TKIP can
authenticate users and distribute different keys among the users. For example, we have
mentioned above that the Michael Key gets periodically changed for increased message
integrity security.
4. After TKIP: CCMP
TKIP is a quick, short-term solution to the problems of WEP. Since TKIP was
initially designed to work on the existing WEP hardware, it had limited design choices.
For example, RC4 is used since it is already implemented on the hardware. On the other
hand, CCMP, unlike TKIP, is designed from scratch. Even though CCMP is another
security protocol specified in IEEE 802.11i, CCMP uses 128-bit advanced encryption
standard (AES) rather than RC4. Furthermore, there is no assumption of using low
computing processors as in TKIP and that use of simple and efficient algorithm, is not a
big concern anymore.
The following table compares the three WLAN security protocols.
Key Size
Per-packet key
generation
Integrity of
Packet Header
WEP
RC4
40 or 104-bit
encryption
24-bit wrapping IV
Concatenate IV to
base key
None
Packet Data
Replay detection
CRC-32
None
Key Management
None
TKIP
RC4
128-bit encryption
64-bit authentication
48-bit IV
TKIP key mixing
function
Source and
destination
addresses protected
by Micheal
Micheal
Enforse IV
sequencing
IEEE 802.1x
Comparison of WEP vs IEEE 802.11i
Courtesy [1]
CCMP
AES
128
48-bit IV
Not needed
CCM
CCM
Enforse IV
sequencing
IEEE 802.1x
List of References:
[1] Nancy Cam-Winget, Russ Housley, Davis Wagner, and Jesse Walker, “Security flaws
in 802.11 data link protocols”, Communications of the ACM Vol 46, Number 5, 2003
http://libaccess.sjsu.edu:2225/10.1145/770000/769823/p35-cam_winget.pdf
[2] Karen Hanley, “Wi-Fi Protected Access”, Wi-Fi Alliance http://www.wifi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
[3] Bruce Potter, “Wireless Security’s Future”, IEEE Security & Privacy, July/August
2003 http://libaccess.sjsu.edu:2084/iel5/8013/27399/01219074.pdf
[4] Avishai Wool, “A note on the fragility of the Michael message integrity code”
http://libaccess.sjsu.edu:2209/iel5/7693/29589/01343878.pdf
[5] Jesse Walker, 802.11 “Security Series, Part II: The Temporal Key Integrity Protocol
(TKIP)” http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf
Download