tkip.pdf

IEEE 802.11i

Robust Security Networks

TKIP

WEP Cryptographic Operations

• Confidentiality and integrity are handled simultaneously in WEP

•

802.1X addresses two of the major flaws in WEP

1. authentication

2. key management

•

The major remaining flaw to be addressed

–

Lack of confidentiality

•

idea to overcome this problem

802.11i ?

•

802.11i defines 2 protocols for link layer protection

1. Temporal Key Integrity Protocol (TKIP)

•

First new link layer encryption technique.

•

upgraded the security of WEP-based hardware

•

Retains the basic architecture and operations of

WEP.

•

Initially called “WEP2”

The Temporal Key Integrity Protocol (TKIP)

1. Key hierarchy and automatic key management

–

Use of master keys for deriving key for frame encryption.

–

key management operations automatically refreshes key.

2. Per-frame keying

–

Every frame has a unique RC4 key from the master key.

–

This process is called

key mixing

Differences from WEP

The Temporal Key Integrity Protocol (TKIP)

3. Sequence counter

Use:

1. out-of-order frames can be flagged,

2. mitigating against replay attacks

4. New message integrity check

–

CRC replaced with Michael integrity check

–

more robust cryptographic Algorithm

–

easier to detect frame forgeries

The Temporal Key Integrity Protocol (TKIP)

5. Countermeasures on message integrity check failures – Michael can be compromised in an active attack – so TKIP includes countermeasures

The Temporal Key Integrity Protocol (TKIP)

•

Doubles the length of the IV from 24 to 48 bits.

•

This made attackers difficult to predict the keys

•

key mixing

–

RC4 key unique to each frame

–

key mixing calculation is done by including

temporal key+transmitter address+ sequence

counter .

The Temporal Key Integrity Protocol (TKIP)

•

TKIP IV also serves as a sequence counter.

•

When a new master key is installed it sets sequence counter to 1 and

increments as the frames are transmitted.

•

following are the steps to defend replay attacks:

– TKIP maintains the most recent sequence counter

– The sequence counter is checked against the most recently received sequence counter

– If it is larger than any previous value, the frame is accepted – If smaller, it is rejected.

– If equal, duplicate frame for error.

– Duplicate sequence numbers may represent an error.

The Temporal Key Integrity Protocol (TKIP)

•

WEP uses CRC which proved un suitable.

•

Major challenge of TKIP is to strengthen integrity check and

also able to run on a low power processor

–

Michael is implemented entirely with bitwise operations

–

Can run on any processor without harming performance

–

MIC

better than CRC , but fails against a sustained and

determined attack

•

countermeasures detect the active attack and shut

down the network and refresh the keys

TKIP Data Processing and Operation

•

Like WEP, TKIP provides confidentiality and integrity together.

TKIP Data Processing and Operation

TKIP Inputs

1. The frame

2. A temporal key

3. A MIC key

4. The transmitter

address

TKIP data transmission

1. The 802.11 frame is queued for transmission.

2. The Message Integrity Check (MIC) is computed.

3. Sequence numbers are assigned to fragments.

4. Each frame is encrypted with a unique per-frame WEP key.

5. The frame plus Michael message integrity check value from

1. When a frame is received by the wireless interface and passes

the frame check sequence .

2. The first step TKIP takes is to check the sequence number to

prevent replay attacks.

3. The WEP seed used to encrypt the packet is recovered.

4. With the WEP seed in hand, the outer WEP layer around the

frame can be removed and the contents recovered.

5. If fragmentation was applied, it may be necessary to wait for

further frames to arrive before reassembling a complete

payload.

6. Once the frame is reassembled, Michael is calculated over the

contents of the frame.

The Michael Integrity Check

•

Michael operates on frames passed down to it at the MAC

service layer from higher-layer protocols

•

Michael is not a secure cryptographic protocol and it does not

protect individual 802.11 frames

•

It protects the reassembled data unit given to 802.11 for

transmission

•

Several attacks on WEP served as the motivation for Michael.

•

Message integrity check (MIC) value calculated on data,

Michael data processing

 Operates on 32-bit blocks of data.

 Padding is used , if required, and only for the computation of the MIC, but not transmitted.

 MIC is added on to the tail of the data frame

 The data-plus-MIC is given to 802.11 for transmission

Michael countermeasures

If an attacker is able to bypass replay protection and the WEP integrity check, it would be possible to mount a brute-force attack on the Michael integrity check. When a station detects a MIC failure

1. The MIC failure is noted and logged. Before the MIC is validated, the frame must pass through the replay protection hurdle as well as the legacy WEP integrity check. Getting a frame to Michael for validation is not a trivial

undertaking. Therefore, any MIC validation error is likely to be an extremely security-relevant matter that should be investigated by system

administrators.

2. If the failure is the second one within a 60-second window, countermeasures dictate shutting down communications for a further 60 seconds. When the second MIC failure within 60 seconds is detected, all TKIP communication is disabled for 60 seconds. Instituting a communication blackout makes it

impossible for an attacker to mount a sustained attack quickly.

3. Keys are refreshed. Stations delete their copies of the master keys and

Counter Mode with CBC-MAC Protocol

(CCMP)

So far interpretation ?? –TKIP is better than WEP

Still Problem ?? – TKIP relies on WEP encryption

technique which is again proved insecure.

What is the solution ?? – IEEE began working with AES

technique for encryption.

Counter Mode with CBC-MAC Protocol

(CCMP)

CCMP is basically a combination of counter(CTR) mode privacy and Cipher Block Chaining(CBC) message authentication with AES technique.

The CCM mode combines CTR for confidentiality and CBC-MAC for authentication and integrity.

Basically AES is flexible to use with any key size and block size. But all AES processing used within CCMP mandates AES with a 128 bit key and a 128 bit block size.

Like TKIP, CCMP uses a fresh temporal key (TK) for every session.

CCMP Data

Processing-encryption(Transmission)

CCMP Inputs

•

The frame

•

A temporal key

•

A key identifier

CCMP data transmission.

1. 802.11 frame is queued for transmission MAC header + payload. 2. A 48 bit packet number is assigned:

3. The Additional Authentication Data (AAD) field is constructed using MAC header of the frame:

4. Construct CCMP Nonce block : Packet number + sender address 5. CCMP Header is constructed: Packet number + key id

6. Run CCM encryption using the temporal key (TK), AAD, Nonce and data to form the ciphertext and Message Integrity Check (MIC):

7. The Encrypted frame is formed by concatenating the original MAC Header, the CCMP header, the Encrypted Data and the MIC.

CCMP reception

It’s the reverse of encryption and transmission process

1. When a frame is received by the wireless interface and checks Frame check sequence and if valid passes to CCMP.

2. The additional authentication data (AAD) is recovered from the received frame.

3. The CCMP nonce is also recovered from the frame. 4. The receiver decrypts the ciphertext.

5. The integrity check is calculated over the plaintext data and the additional authentication data.

Data Transfer Summary

WEP

TKIP

CCMP

Cipher

RC4

RC4

AES

Key Size

40 or 104 bits

128 bits

128 bits

encryption,

64 bit auth

Key Life

24-bit IV, wrap 48-bit IV

48-bit IV

Packet Key

Concat.

Mixing Fnc Not Needed

Integrity

Data

CRC-32

Michael

CCM

Header

None

Michael

CCM

Replay

None

Use IV

Use IV

•

These are the standard operations that will set

the procedure for key derivation and

distribution.

•

Defines two keys :

1. Pairwise keys

2. Group keys

Robust Security Network (RSN) Operations

•

802.11i pairwise Key Hierarchy

• Group key hierarchy

(for broadcast and multicast transmissions)

802.11i Key Derivation and Distribution

•

This section explains the technique of key

derivation and distribution securely- pairwise

key and group key

•

The process is often called

key exchange

process

.

802.11i Key Derivation and Distribution

Updating pairwise keys: the four-way handshake

Step1:

i. Authenticator sends nonce(random value) to the supplicant. Nonce prevents the replay attack

ii. After receiving this supplicant expands pairwise master key .

Expansion = MAC address supplicant + MAC address MAC address of Authenticator + PMK + two nonces.

Step 2:

i. Supplicant sends supplicant nonce and a copy of security parameters from initial association with network. Whole message is authenticated by EAPOL KCK.

ii. Authenticator extracts supplicant nonce which allows authenticator to derive full pairwise key through this. Authenticator validates the

Updating pairwise keys: the four-way handshake

Step3:

i. At this point keys are in place both sides but requires confirmation.

ii. Authenticator sends supplicant a message indicating sequence number+ GTK which is encrypted using KEK and entire message is authenticated using KCK

Step 4:

i. Supplicant sends a final confirmation message that it has received the keying messages so that authenticator can start using the keys

1. The authenticator sends the supplicant a nonce, which is a random value that prevents replay attacks. There is no authentication of the message, but there is no danger from tampering. If the message is altered, the handshake fails and will be rerun.

At this point, the supplicant can expand the pairwise master key into the full pairwise key hierarchy. Expansion requires the MAC addresses of the

supplicant and authenticator, the pairwise master key, and the two nonces.

2. The supplicant sends a message that has the supplicant nonce and a copy of the security parameters from the initial association with the network. The whole message is authenticated by an integrity check code calculated using the EAPOL Key Confirmation Key.

The authenticator receives the message and extracts the supplicant nonce, which allows the authenticator to derive the full pairwise key hierarchy. Part of the key hierarchy is the key used to "sign" the message. If the

authenticator cannot validate the message, the handshake fails.

3. Keys are now in place on both sides of the handshake, but need to be confirmed. The Authenticator sends the supplicant a message indicating the sequence number for which the pairwise key will be added. It also includes the current group transient key to enable update of the group key. The group transient key is encrypted using the EAPOL Key Encryption Key, and the entire message is authenticated using the Key Confirmation Key.

4. The supplicant sends a final confirmation message to the authenticator to indicate that it has received the keying messages and the authenticator may start using the keys. The message is authenticated using the Key Confirmation Key.

Updating group keys: the group key handshake

Because the group transient key is encrypted with the Key

Encryption Key from the pairwise hierarchy, the group key

handshake requires that a successful four-way handshake has

already occurred.

1. The authenticator sends the group transient key (GTK),

encrypted with the Key Encryption Key from the pairwise key

hierarchy. The message is also authenticated with a code

calculated with the Key Confirmation Key.

2. The supplicant sends an acknowledgment message,

Improved 802.11i Architecture

Stage 2: 802.1X Authentication

(mutual authentication, shared secret, cipher suite)

Stage 3: Secure Association (management frames protected)

Stage 4: 4-Way Handshake

(PMK confirmation, PTK derivation, and GTK distribution)

Stage 5: Group Key Handshake

Stage 6: Secure Data Communications

Michael MIC Failure or Other Security Failures

State 1 Unauthenticated , Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful MAC layer Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentica tion notification Class 1 Frames

Class 1 & 2 Frames

Class 1, 2 & 3 Frames

State 1 Unauthenticated, Unassociated State 2 Authenticated, Unassociated State 3 Authenticated, and Associated Successful MAC layer Authentication Successful Association or Reassociation Disassociation Notification DeAuthentication Notification Deauthentication notification

Class 1 Frames + ESN Class 2 frames

Class 1 & 2 Frames

Class 1, 2 & 3 Frames

802.11i State Machine

State 4 ESN Associated

ESN Association or Reassociation ESN Disassociation Notification Successful upper layer Authentication

802.11i Fast Handoff

STA

AP_old AP_new

Associate-Request Associate-Response ACK DS Notified Reassociate-Request (Authenticated) Reassociate-Response (Authenticated) ACK DS Notified Disassociate (Authenticated)

Transition Period ~ RTT_STA-AP

802.1X/Identity Request

EAP-Success 802.1X/Identity Response

EAP-Request EAP-Response

Transition Period ~ nRTT_STA-AP