CRYPTOGRAPHY & COMPUTER SECURITYCS265Project ReportByLaxmi Nissanka RaoSang Soo KimDate:03/25/2005TKIP (Temporal Key Integrity Protocol)1. IntroductionWEP (Wired Equivalent Privacy) is a security mechanism specified by the original IEEE 802.11 standard and is widely used in many WLAN networks. However, recent discoveries of effective cryptanalytic attacks on WEP indicate that the level of security provided by WEP is insufficient. In order to prevent all the known attacks in WEP and tomake WLAN more secure, IEEE 802.11i defined a new security standard. IEEE 802.11i specifies two protocols: TKIP (Temporal Key Integrity Protocol) and CCMP (Counter mode with CBC-MAC Protocol). We will focus our discussion on TKIP.2. Design ConstraintsOne of the design goals of TKIP is to be backward-compatible with existing WEP products. That is, a simple software upgrade can be applied to WEP hardware systems to make work in TKIP mode. Since we have installed TKIP on the same hardware architecture, TKIP must use the inherent RC4 encryption/decryption chips on the system. Furthermore, it must also assume that the available computing processor is old and not fast, therefore, the TKIP algorithm must be efficient and simple. 3. TKIP DescriptionTKIP adds the following new components to WEP:- A Message Integrity Code (MIC); also called Micheal.- A per-packet key mixing algorithm- Key ManagementMichael:WEP uses CRC-32 for message integrity check. Since CRC is not designed exclusively for message integrity check but for detecting transmission errors, CRC is weak. TKIP employs a new message integrity mechanism called, Michael. The Message Integrity Code, also called Micheal, consists of three components: the secret key K, shared only between the sending and the receiving parties, the tagging function and the verification function. The tagging function takes the key K and themessage M as the inputs and generates a tag T that is sent along with the encrypted message M’. The receiving party, on receiving the encrypted message M’ along with the tag T, calls the verification function with M’, T and key K as inputs. The verification function returns ‘false’ if the received tag T does not match the computed tag implying that the message has been modified. If the verification function returns ‘true’, the message is presumed to be un-tampered.The tagging function used by Micheal is designed by Neils Fergusan. The key used is 64 bit long and is represented as two 32-bit blocks (K0, K1).The Micheal tagging function first appends a hexadecimal of 0x5A and then enough zero pads to the message to make the length of the message M a multiple of 32-bit blocks. These blocks are represented as M1, M2, ..., Mn and the tag is computed as follows:(L, K) (K0,K1)for i = 1 to nL L ^ Mi (L, R) f(L, R)end loopreturn (L, R)where function f is a combination of rotates, additions and bit swaps.The verification function re-computes the tag over the decrypted message M and returns a true if the computed tag matches the received tag.One interesting aspect of Michael is that the algorithm is not secure due to its simple design. As I mentioned before, the designers of TKIP wanted algorithms to be simple and efficient. Because the hardware environment is presumed to be the old and slow WEP system, they did not want to use some famous Hash Function such as MD5 and suffer performance degradation. In order to make the Michael more secure, TKIP encrypts the hash value along with otherfields. Furthermore, the Michael Key is updated every one minute. With this design, “the maximum expected number of message integrity error is one per year” [1].Key Mixing Algorithm:TKIP fixes the small initialization vector (IV) and short encryption key problems with WEP by using longer key. It uses a 128-bit encryption key, a 48-bit IV, and a 64-bit authentication key.In addition to increased key length, TKIP also guarantees a unique key to be used for each packet. There is a mixing function that creates a new per-packet WEP key by takingthe 1) base key(128-bit encryption key), 2)transmitter MAC address, and 3)packet sequence number as inputs. (See the diagram below)TKIP message process Courtesy [1]The TKIP Sequence Number is an extended feature on WEP. It is a 48-bit value identifying the packet as it traverses across the network. It is similar to sequence number field in TCP protocol. This added feature prevents replay attacks, in which the attacker resends a previously captured packet, tampering with data integrity.Key Management:The Key Management is not supported in WEP, and all the network stations use the same key. It is also troublesome to change the key often. TKIP adopted IEEE 802.1X, which provides both authentication and key management capabilities. Using IEEE 802.1X, TKIP generates per-user, per-session keys. Therefore, TKIP can authenticate users and distribute different keys among the users. For example, we have mentioned above that the Michael Key gets periodically changed for increased message integrity security.4. After TKIP: CCMPTKIP is a quick, short-term solution to the problems of WEP. Since TKIP was initially designed to work on the existing WEP hardware, it had limited design choices. For example, RC4 is used since it is already implemented on the hardware. On the other hand, CCMP, unlike TKIP, is designed from scratch. Even though CCMP is another security protocol specified in IEEE 802.11i, CCMP uses 128-bit advanced encryption standard (AES) rather than RC4. Furthermore, there is no assumption of using low computing processors as in TKIP and that use of simple and efficient algorithm, is not a big concern anymore. The following table compares the three WLAN security protocols.WEP TKIP CCMPKey Size RC440 or 104-bit encryptionRC4128-bit encryption64-bit authenticationAES128Per-packet key generation24-bit wrapping IVConcatenate IV to base key48-bit IVTKIP key mixing function48-bit IVNot neededIntegrity ofPacket HeaderNone Source and destination addresses protected by MichealCCMPacket Data Replay detectionCRC-32NoneMichealEnforse IV sequencingCCMEnforse IV sequencingKey Management None IEEE 802.1x IEEE 802.1xComparison of WEP vs IEEE 802.11i Courtesy [1]List of References:[1] Nancy Cam-Winget, Russ Housley, Davis Wagner, and Jesse Walker, “Security flaws in 802.11 data link protocols”, Communications of the ACM Vol 46, Number 5, 2003
View Full Document
Unlocking...