Presentation is loading. Please wait.

Presentation is loading. Please wait.

Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo."— Presentation transcript:

1 Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo

2 Agenda Disadvantages of WEP Disadvantages of WEP Design Constraints Design Constraints Components of TKIP Components of TKIP Putting the pieces together Putting the pieces together Questions Questions

3 Disadvantages of WEP WEP provides no forgery protection WEP provides no forgery protection No protection against Message Replays No protection against Message Replays WEP misuses the RC4 encryption algorithm in a way that exposes the protocol to weak key attacks WEP misuses the RC4 encryption algorithm in a way that exposes the protocol to weak key attacks By reusing initialization vectors, WEP enables an attacker to decrypt the encrypted data without ever learning the encryption key By reusing initialization vectors, WEP enables an attacker to decrypt the encrypted data without ever learning the encryption key

4 Design Constraints WEP-patches, on the already deployed hardware, have to depend entirely on software upgrades. WEP-patches, on the already deployed hardware, have to depend entirely on software upgrades. The paucity of the CPU cycles. The paucity of the CPU cycles. The hardwiring of the encryption algorithm. The hardwiring of the encryption algorithm.

5 TKIP Temporal Key Integrity Protocol (TKIP) is the TaskGroupi’s solution for the security loop holes present in the already deployed 802.11 hardware Temporal Key Integrity Protocol (TKIP) is the TaskGroupi’s solution for the security loop holes present in the already deployed 802.11 hardware It is a set of algorithms that wrap WEP to give the best possible solution given all the above mentioned design constraints. It is a set of algorithms that wrap WEP to give the best possible solution given all the above mentioned design constraints.

6 Components of TKIP A cryptographic message integrity code, or MIC, called Michael: to defeat forgeries; A cryptographic message integrity code, or MIC, called Michael: to defeat forgeries; A new IV sequencing discipline: to remove replay attacks from the attacker’s arsenal; A new IV sequencing discipline: to remove replay attacks from the attacker’s arsenal; A per-packet key mixing function: to de- correlate the public IVs from weak keys A per-packet key mixing function: to de- correlate the public IVs from weak keys A re-keying mechanism: to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse. A re-keying mechanism: to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

7 Defeating Forgeries: Michael Every MIC has three components: a secret authentication key K (shared only between the sender and receiver), a tagging function, and a verification predicate. Every MIC has three components: a secret authentication key K (shared only between the sender and receiver), a tagging function, and a verification predicate. Designed by Niels Ferguson. Designed by Niels Ferguson.

8 Michael (contd.) 64-bit Michael key: represented as two 32-bit words (K0,K1). 64-bit Michael key: represented as two 32-bit words (K0,K1). The tagging function first pads a message with the hex value 0x5a and enough zero pad to bring the total message length to a multiple of 32-bits, then partitions the result into a sequence of 32-bit words M1 M2 … Mn. (L,R) ← (K0,K1) do i from 1 to n L ← L ^ Mi L ← L ^ Mi (L,R) ← b (L,R) (L,R) ← b (L,R) return (L,R) as the tag Where b is a function built up from rotates, little-Endean additions, and bit swaps. Where b is a function built up from rotates, little-Endean additions, and bit swaps.

9 Michael: Tagging Function

10 Michael: Verification Predicate

11 Michael (contd.) The design goal of the counter-measures is to throttle the utility of forgery attempts. The design goal of the counter-measures is to throttle the utility of forgery attempts. If a TKIP implementation detects two failed forgeries in a second, the design assumes it is under active attack. The station deletes its keys, disassociates, waits for a minute, and then re- associates. If a TKIP implementation detects two failed forgeries in a second, the design assumes it is under active attack. The station deletes its keys, disassociates, waits for a minute, and then re- associates.

12 Defeating replays: IV sequence enforcement TKIP reuses the WEP IV field as a packet sequence number. TKIP reuses the WEP IV field as a packet sequence number. Both transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends. Both transmitter and receiver initialize the packet sequence space to zero whenever new TKIP keys are set, and the transmitter increments the sequence number with each packet it sends.

13 IV sequence enforcement (contd.) TKIP defines a packet as out-of-sequence if its IV is the same or smaller than a previous correctly received MPDU associated with the same encryption key. TKIP defines a packet as out-of-sequence if its IV is the same or smaller than a previous correctly received MPDU associated with the same encryption key. If an MPDU arrives out of order, then it is considered to be a replay, and the receiver discards it and increments a replay counter. If an MPDU arrives out of order, then it is considered to be a replay, and the receiver discards it and increments a replay counter.

14 Per-Packet Key Mixing WEP constructs a per-packet key by simply concatenating a base-key and the IV WEP constructs a per-packet key by simply concatenating a base-key and the IV TKIP constructs a per-packet key by going through 2 key mixing phases TKIP constructs a per-packet key by going through 2 key mixing phases The mixing phases make difficult for an attacker to correlate IVs and per-packet key The mixing phases make difficult for an attacker to correlate IVs and per-packet key

15 Per-Packet Key Mixing: 1 st Phase XORs the MAC address of the station and the temporal key to produce an intermediate key XORs the MAC address of the station and the temporal key to produce an intermediate key Mixing MAC and the temporary key in this way causes different stations and APs to generate different intermediate keys, even if they have the same temporal key Mixing MAC and the temporary key in this way causes different stations and APs to generate different intermediate keys, even if they have the same temporal key For performance optimization, intermediate key is computed only when the temporal key is changed (and most of the time its value is saved on memory) For performance optimization, intermediate key is computed only when the temporal key is changed (and most of the time its value is saved on memory)

16 Per-Packet Key Mixing: 2nd Phase Takes the packet sequence number and encrypts it using the intermediate key from the first phase, producing finally a 128-bit per-packet key Takes the packet sequence number and encrypts it using the intermediate key from the first phase, producing finally a 128-bit per-packet key In actuality, the first 3 bytes (24 bits) of Phase 2 output corresponds exactly to the WEP IV, and the last 13 bytes to the WEP base key. Now we can use the existing WEP hardware to do the encryption using the per-packet key Now we can use the existing WEP hardware to do the encryption using the per-packet key

17 Per-Packet Key Mixing: Diagram Phase 1 Phase 2 Temporal Key MAC Addr Intermediate Key Sequence Number Per-packet key

18 ReKey Mechanism Refers to a process of delivering fresh encryption and integrity keys (MIC Keys) to the stations and APs Refers to a process of delivering fresh encryption and integrity keys (MIC Keys) to the stations and APs Accomplished by employing IEEE 802.1X Accomplished by employing IEEE 802.1X Defines an authentication server that distributes keys Defines an authentication server that distributes keys TKIP uses three distinct keys TKIP uses three distinct keys 1. Temporal keys 2. key encryption keys 3. master keys

19 Temporal Keys Two Temporal Key types: Two Temporal Key types: 128-bit encryption key 128-bit encryption key 64-bit Michael key 64-bit Michael key Used by stations and APs for normal TKIP communication Used by stations and APs for normal TKIP communication

20 Key Encryption Keys As the name suggests, a temporal key is “ temporal ” and needs to be updated frequently As the name suggests, a temporal key is “ temporal ” and needs to be updated frequently Key Encryption Keys encrypt the information regarding the key distribution. They protect the Temporal Keys. Key Encryption Keys encrypt the information regarding the key distribution. They protect the Temporal Keys. Requires two distinct key encryption keys Requires two distinct key encryption keys 1. To encrypt the distributed Keying material 2. To protect the re-key messages from forgery

21 Master Key Used to secure the distribution of the key encryption keys Used to secure the distribution of the key encryption keys Also related to TKIP ’ s support of user authentication: Also related to TKIP ’ s support of user authentication: A station gets a master key after it is “ authenticated ” A station gets a master key after it is “ authenticated ”

22 ReKey Summary Master KeyKey Encryption Keys Master Key encrypts Key Encryption Keys Key Encryption KeysTemporal Keys Key Encryption Keys encrypt Temporal Keys Temporal KeysUser Data Temporal Keys encrypt User Data Master Key Authentication Server generates a Master Key Station is Authenticated

23 TKIP Encryption Process

24 TKIP Decryption Process

25 Q&A

26 References http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://www.tech-faq.com/wireless- networks/tkip-temporal-key-integrity- protocol.shtml http://cache- www.intel.com/cd/00/00/01/77/17769_80211 _part2.pdf http://cache- www.intel.com/cd/00/00/01/77/17769_80211 _part2.pdf

Download ppt "Temporal Key Integrity Protocol (TKIP) Presented By: Laxmi Nissanka Rao Kim Sang Soo."

Similar presentations

IEEE 802.11i IT443 Broadband Communications Philip MacCabe October 5, 2005

IEEE i IT443 Broadband Communications Philip MacCabe October 5, 2005
CSE 6590 1.  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in 802.11  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 

CSE  Wired Equivalent Privacy (WEP) ◦ first security protocol defined in  Wi-Fi Protected Access (WPA) ◦ defined by Wi-Fi Alliance 
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.

OpenSig 2003: Panel Discussion on the Differences and Similarities of Wired vs. Wireless Security Russ Housley 9 October 2003.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.

DIMACS Nov 3 - 4, 2004 WIRELESS SECURITY AND ROAMING OVERVIEW DIMACS November 3-4, 2004 Workshop: Mobile and Wireless Security Workshop: Mobile and Wireless.
W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID 003503527.

W i reless LAN Security Presented by: Pallavi Priyadarshini Student ID
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE
IEEE 802.11 Wireless Local Area Networks (WLAN’s).

IEEE Wireless Local Area Networks (WLAN’s).

Similar presentations

Ads by Google