Published by Surya Susanto. Modified over 6 years ago.
1
Security – TKIP
Shambhu Upadhyaya, Wireless Network Security, CSE 566 (Lecture 17)
2
TKIP
Temporal Key Integrity Protocol
Designed as a wrapper around WEP
  Can be implemented in software
  Reuses existing WEP hardware
  Runs WEP as a sub-component
Quick fix to the existing WEP problem
New "procedures" around legacy WEP components
  Cryptographic message integrity code
  Packet sequencing
  Per-packet key mixing
  Re-keying mechanism
3
TKIP Introduction
Never use the same IV value more than once for any particular session key
  Prevents key-stream reuse by a system
Receivers discard any packet whose IV value is less than or equal to that of the last successfully received packet encrypted with the same key
  Prevents replay attacks
Regularly generate a new random session key before the IV counter overflows
  Prevents key-stream reuse
Provide a more thorough mixing of the IV value and the session key to derive the packet's RC4 key
  To "fix" the RC4 key scheduling issues with WEP
4
Weaknesses of WEP
1. IV value is too short and not protected from reuse
2. The way keys are constructed from the IV makes it susceptible to the weak key (FMS) attack
3. No effective way to detect message tampering
4. Directly uses master keys with no provision for re-keying
5. No protection against replay attacks
5
Changes from WEP to TKIP

| Purpose | Change | Weakness Addressed |
|---|---|---|
| Message Integrity | Adds a message integrity protocol to prevent tampering (one which can be implemented in software using a low-power microprocessor) | (3) |
| IV selection and use | Changes how IV values are selected, uses it as a replay counter | (1), (3) |
6
Changes from WEP to TKIP

| Purpose | Change | Weakness Addressed |
|---|---|---|
| Per-Packet Key Mixing | Changes encryption key for every frame | (1), (2), (4) |
| IV Size | Increases the size of the IV to avoid reusing the same IV | (1), (4) |
| Key Management | Adds a mechanism to distribute and change keys and derive temporal keys | (4) |
7
Message Integrity
Essential to security of the message
WEP uses ICV (Integrity Check Value), but it offers no real protection
  Thus, ICV is not a part of TKIP security
The basic idea behind computing the MIC (Message Integrity Code) is calculating a checksum over the message bytes so that any modification to the message can be detected
This MIC is combined with a secret key so that only authorised parties can generate and verify the MIC
Many available cryptographic methods can be used for the purpose
8
Message Integrity - Michael
As WEP is required to work over existing hardware, it cannot use computationally intensive cryptographic methods
Even if the computations are moved to software level in clients, existing Access Points cannot perform heavy computations
Thus, TKIP uses a method of computing MIC called Michael
Michael uses simple shift and add operations instead of multiplications and hence is usable in TKIP
Niels Ferguson invented Michael
9
Message Integrity - Michael
Michael operates on MSDUs (MAC Service Data Units) rather than individual MPDUs (MAC Protocol Data Units)
  Useful as the computation can be performed in the device driver on the computer rather than on the adapter card
  Also reduces overhead as the MIC is not calculated for each MPDU being sent out
As Michael is computationally simple, it offers a weak form of security
To counter these drawbacks, it includes a set of countermeasures which are used when an attack is detected
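Michael's mixing function written out in Python, as an added example that is not part of the original slides, to show that it needs only rotates, XORs and 32-bit additions. The rotation amounts, byte swap and 0x5a padding follow the published Michael definition in IEEE 802.11i; the sample key and message are constructed, and the function takes whatever bytes the caller wants protected.

```python
import hmac
import struct

MASK = 0xFFFFFFFF

def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def xswap(x):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def michael_block(l, r):
    # One mixing round: no multiplications, no table lookups.
    r ^= rol32(l, 17)
    l = (l + r) & MASK
    r ^= xswap(l)
    l = (l + r) & MASK
    r ^= rol32(l, 3)
    l = (l + r) & MASK
    r ^= ror32(l, 2)
    l = (l + r) & MASK
    return l, r

def michael(key, msg):
    """Return the 8-byte Michael MIC of msg under an 8-byte MIC key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a, then 4 to 7 zero bytes, up to a multiple of 4 bytes.
    padded = msg + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)

def verify(key, msg, mic):
    # Constant-time comparison of the received MIC with the recomputed one.
    return hmac.compare_digest(michael(key, msg), mic)

KEY = bytes.fromhex("0011223344556677")   # constructed sample MIC key
MSG = b"constructed MSDU payload"         # constructed sample message

if __name__ == "__main__":
    mic = michael(KEY, MSG)
    print(mic.hex(), verify(KEY, MSG, mic), verify(KEY, MSG[:-1] + b"X", mic))
```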
10
Michael Countermeasures
Used to reliably detect attacks and shut down communication to the attacked station for a period of one minute
This is done by disabling keys for a link as soon as the attack is detected
Also has a blackout period of one minute before the keys are reestablished
This can be used by the attacker to launch a DoS attack on the network (theoretically)
11
IV Selection and Use
TKIP has the following major changes in the way IVs are used as compared to WEP
  IV size is increased from 24 to 48 bits
  IV has a secondary role as a sequence counter to avoid replay attacks
  IVs are constructed so as to avoid certain 'weak keys'
  Instead of directly appending it with the secret key, IVs are used to generate mixed keys
12
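IV Use in TKIP
[Figure: Creating the RC4 Encryption Key. The IV is split into an Upper IV (32 bits) and a Lower IV (16 bits). Phase 1 Key Mixing is fed by the Upper IV, the MAC Address and the Session Key; Phase 2 Key Mixing is fed by the Lower IV. The output is a 24-bit field laid out as IV, d, IV, followed by a 104-bit Per Packet Key.]
'd' is a dummy byte designed to avoid weak keys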
13
TSC (TKIP Sequence Counter)
WEP has no protection against replay attacks
In TKIP, the IV doubles up as a sequence counter to prevent replay attacks
TKIP uses the concept of a replay window to implement the counters
The receiver keeps track of the highest TSC and the last 16 TSC values
When a new frame arrives, it checks and classifies it as one of the following types
  ACCEPT: TSC is larger than the largest seen so far
  REJECT: TSC is less than the value of the largest - 16
  WINDOW: TSC is less than the largest, but more than the lower limit
14
Per-Packet Key Mixing
Uses the session keys, which are derived from the master keys
The per-packet key mixing mechanism further derives a separate, unrelated key for each packet from the session key
To save computation, key mixing is divided into two phases
  Phase 1 involves data that is relatively static, like the secret session key, the higher-order 32 bits of the IV, the MAC address etc., so that this computation is done infrequently
  Phase 2 is quicker to compute and is done for each packet; it uses the lower 16 bits of the IV (which increase monotonically with each packet)
15
TKIP Role in Transmission
[Figure: block diagram of the TKIP transmit path, from "MSDU for Transmission" to "MPDU for Tx". Labelled blocks: Key derivation block (Master Key, MIC Key, Encryption Key), Michael block, RC4 block. Labelled steps: Compute MIC, Append MIC, Fragmentation, IV Generation, Key Mixing, Compute ICV, Encrypt, Append ICV to Packet, Append IV & Add MAC Hdr.]
16
TKIP MPDU Frame
Initialization Vector (IV): Contains bytes 1 through 0 of the TKIP Sequence Counter (TSC), which is used for replay protection.
Key Identifier (ID): Bits 7 through 6 store the index of the key, within the default key table, used as the TKIP key. Bit 5 is set to indicate the presence of the Extended IV field. Bits 4 through 0 are reserved and are set to zero.
Extended IV: Contains bytes 5 through 2 of the TSC.
Payload Data: Data from the MAC service data unit (MSDU) packet.
MIC: The MIC value is computed using the Michael algorithm over the entire payload data of the MSDU packet. The 8-byte MIC field is added to the end of the last MPDU fragment of the MSDU.
Integrity Check Value (ICV): The checksum value computed over the unencrypted payload data.
Frame Check Sequence (FCS): The IEEE 32-bit cyclic redundancy code (CRC) computed over all fields of the MPDU.
(Courtesy Microsoft)
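The header fields above and the TSC replay window from the sequence-counter slide, combined in one added Python example (not code from the lecture): it rebuilds the 48-bit TSC from IV, Key ID and Extended IV, then classifies it as ACCEPT, REJECT or WINDOW. The on-air byte order (TSC1, d, TSC0, Key ID, TSC2 to TSC5) and the formula for d come from IEEE 802.11; accepting a WINDOW frame once and dropping a repeat is an assumption, since the slide only names the class. The names build_header, parse_header and ReplayWindow are hypothetical.

```python
from dataclasses import dataclass, field

WINDOW = 16  # the slide's "last 16 TSC values"

def build_header(tsc, key_index=0):  # produces the constructed sample input
    b = tsc.to_bytes(6, "little")                 # b[0] = TSC0 ... b[5] = TSC5
    d = (b[1] | 0x20) & 0x7F                      # dummy byte 'd' between the IV bytes
    return bytes([b[1], d, b[0], (key_index << 6) | 0x20]) + b[2:]

def parse_header(hdr):
    """Return (48-bit TSC, key index) from IV + Key ID + Extended IV."""
    if len(hdr) < 8:
        raise ValueError("need IV, Key ID and Extended IV (8 bytes)")
    if not hdr[3] & 0x20:
        raise ValueError("Extended IV bit (bit 5 of Key ID) is clear")
    low16 = (hdr[0] << 8) | hdr[2]                # TSC bytes 1 and 0
    high32 = int.from_bytes(hdr[4:8], "little")   # TSC bytes 2 through 5
    return (high32 << 16) | low16, hdr[3] >> 6

@dataclass
class ReplayWindow:
    highest: int = -1
    seen: set = field(default_factory=set)

    def classify(self, tsc):
        if tsc > self.highest:
            return "ACCEPT"
        if tsc < self.highest - WINDOW:
            return "REJECT"
        return "WINDOW"  # includes the boundary values the slide leaves open

    def receive(self, tsc):
        """Classify; a WINDOW frame passes only if its TSC is new (assumption)."""
        kind = self.classify(tsc)
        ok = kind == "ACCEPT" or (kind == "WINDOW" and tsc not in self.seen)
        if ok:  # a real receiver commits this only after the MIC check passes
            self.highest = max(self.highest, tsc)
            self.seen = {t for t in self.seen | {tsc} if t >= self.highest - WINDOW}
        return kind, ok

def demo():
    rx = ReplayWindow()
    results = []
    for sent in (100, 101, 105, 103, 103, 80, 0x100000005):  # constructed TSCs
        tsc, _key_index = parse_header(build_header(sent))
        results.append((tsc, *rx.receive(tsc)))
    return results

if __name__ == "__main__":
    print(*demo(), sep="\n")
```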
17
TKIP Role in Reception
[Figure: block diagram of the TKIP receive path, from "Received MPDU" to "MSDU Accepted". Labelled blocks: Key derivation block (Master Key, MIC Key, Encryption Key), TSC block, RC4 block, Michael block. Labelled steps: Strip MAC Hdr, IV Extraction, Check TSC Window, Key Mixing, Decrypt, Re-Assembly, Compute MIC, Remove & Check MIC. Exits: Reject if bad TSC; Reject if bad ICV; Reject if bad MIC, invoke counter-measures.]
18
References
Jon Edney and William Arbaugh, Real Security, Addison-Wesley, 2004