View
224
Download
0
Tags:
Embed Size (px)
Citation preview
Temporal Key Temporal Key Integrity Integrity
Protocol (TKIP)Protocol (TKIP)Presented By:Presented By:
Laxmi Nissanka RaoLaxmi Nissanka Rao
Kim Sang SooKim Sang Soo
AgendaAgenda
Disadvantages of WEPDisadvantages of WEP Design ConstraintsDesign Constraints Components of TKIPComponents of TKIP Putting the pieces togetherPutting the pieces together QuestionsQuestions
Disadvantages of WEPDisadvantages of WEP
WEP provides no forgery protectionWEP provides no forgery protection No protection against Message ReplaysNo protection against Message Replays WEP misuses the RC4 encryption WEP misuses the RC4 encryption
algorithm in a way that exposes the algorithm in a way that exposes the protocol to weak key attacksprotocol to weak key attacks
By reusing initialization vectors, WEP By reusing initialization vectors, WEP enables an attacker to decrypt the enables an attacker to decrypt the encrypted data without ever learning encrypted data without ever learning the encryption key the encryption key
Design ConstraintsDesign Constraints
WEP-patches, on the already WEP-patches, on the already deployed hardware, have to depend deployed hardware, have to depend entirely on software upgrades.entirely on software upgrades.
The paucity of the CPU cycles.The paucity of the CPU cycles. The hardwiring of the encryption The hardwiring of the encryption
algorithm. algorithm.
TKIPTKIP
Temporal Key Integrity Protocol Temporal Key Integrity Protocol (TKIP) is the TaskGroupi’s solution (TKIP) is the TaskGroupi’s solution for the security loop holes present in for the security loop holes present in the already deployed 802.11 the already deployed 802.11 hardware hardware
It is a set of algorithms that wrap It is a set of algorithms that wrap WEP to give the best possible WEP to give the best possible solution given all the above solution given all the above mentioned design constraints. mentioned design constraints.
Components of TKIPComponents of TKIP A cryptographic message integrity code, or A cryptographic message integrity code, or
MIC, called Michael: to defeat forgeries; MIC, called Michael: to defeat forgeries; A new IV sequencing discipline: to remove A new IV sequencing discipline: to remove
replay attacks from the attacker’s arsenal; replay attacks from the attacker’s arsenal; A per-packet key mixing function: to de-A per-packet key mixing function: to de-
correlate the public IVs from weak keys correlate the public IVs from weak keys A re-keying mechanism: to provide fresh A re-keying mechanism: to provide fresh
encryption and integrity keys, undoing the encryption and integrity keys, undoing the threat of attacks stemming from key reuse. threat of attacks stemming from key reuse.
Defeating Forgeries: Defeating Forgeries: MichaelMichael
Every MIC has three components: a Every MIC has three components: a secret authentication key K (shared secret authentication key K (shared only between the sender and only between the sender and receiver), a tagging function, and a receiver), a tagging function, and a verification predicate. verification predicate.
Designed by Niels Ferguson. Designed by Niels Ferguson.
Michael (contd.)Michael (contd.) 64-bit Michael key: represented as two 32-bit words 64-bit Michael key: represented as two 32-bit words
(K0,K1).(K0,K1). The tagging function first pads a message with the
hex value 0x5a and enough zero pad to bring the total message length to a multiple of 32-bits, then partitions the result into a sequence of 32-bit words M1 M2 … Mn.
(L,R) ← (K0,K1) (L,R) ← (K0,K1) do i from 1 to n do i from 1 to n
L ← L ^ Mi L ← L ^ Mi (L,R) ← b (L,R) (L,R) ← b (L,R)
return (L,R) as the tag return (L,R) as the tag
Where b is a function built up from rotates, little-Where b is a function built up from rotates, little-Endean additions, and bit swaps. Endean additions, and bit swaps.
Michael: Tagging Michael: Tagging FunctionFunction
Michael Tagging Function
MIC Key
SA + DA +PlainTextMSDU
SA + DA + PlaintextMSDU + MIC
Michael: Verification Michael: Verification PredicatePredicate
MIC’
MSDU with failed TKIP
MIC
MIC =MIC’?
MIC
Michael
MIC Key
SA + DA + Plaintext MSDU
Counter Measures
PlaintextMSDU
Michael (contd.)Michael (contd.)
The design goal of the counter-The design goal of the counter-measures is to throttle the utility of measures is to throttle the utility of forgery attempts.forgery attempts.
If a TKIP implementation detects If a TKIP implementation detects two failed forgeries in a second, the two failed forgeries in a second, the design assumes it is under active design assumes it is under active attack. The station deletes its keys, attack. The station deletes its keys, disassociates, waits for a minute, disassociates, waits for a minute, and then re-associates. and then re-associates.
Defeating replays: IV Defeating replays: IV sequence enforcement sequence enforcement
TKIP reuses the WEP IV field as a TKIP reuses the WEP IV field as a packet sequence number. packet sequence number.
Both transmitter and receiver Both transmitter and receiver initialize the packet sequence space initialize the packet sequence space to zero whenever new TKIP keys are to zero whenever new TKIP keys are set, and the transmitter increments set, and the transmitter increments the sequence number with each the sequence number with each packet it sends. packet it sends.
IV sequence enforcement IV sequence enforcement (contd.)(contd.)
TKIP defines a packet as out-of-TKIP defines a packet as out-of-sequence if its IV is the same or sequence if its IV is the same or smaller than a previous correctly smaller than a previous correctly received MPDU associated with the received MPDU associated with the same encryption key. same encryption key.
If an MPDU arrives out of order, If an MPDU arrives out of order, then it is considered to be a replay, then it is considered to be a replay, and the receiver discards it and and the receiver discards it and increments a replay counter. increments a replay counter.
Per-Packet Key MixingPer-Packet Key Mixing
WEPWEP constructs a per-packet key by constructs a per-packet key by simply concatenating a base-key and simply concatenating a base-key and the IVthe IV
TKIPTKIP constructs a per-packet key by constructs a per-packet key by going through 2 key mixing phasesgoing through 2 key mixing phases The mixing phases make difficult for an The mixing phases make difficult for an
attacker to correlate IVs and per-packet attacker to correlate IVs and per-packet keykey
Per-Packet Key Mixing: 1Per-Packet Key Mixing: 1stst PhasePhase
XORs the XORs the MAC addressMAC address of the station and of the station and the the temporal keytemporal key to produce an to produce an intermediate keyintermediate key
Mixing MAC and the temporary key in this Mixing MAC and the temporary key in this way causes different stations and APs to way causes different stations and APs to generate different generate different intermediate keys,intermediate keys, even if they have the same temporal keyeven if they have the same temporal key
For performance optimizationFor performance optimization, , intermediate keyintermediate key is computed only when is computed only when the temporal key is changed (and most of the temporal key is changed (and most of the time its value is saved on memory)the time its value is saved on memory)
Per-Packet Key Mixing: 2nd Per-Packet Key Mixing: 2nd PhasePhase
Takes the packet sequence number and Takes the packet sequence number and encrypts it using the encrypts it using the intermediate keyintermediate key from from the first phase, producing finally a 128-bit the first phase, producing finally a 128-bit per-packet keyper-packet key
In actuality, the first 3 bytes (24 bits) of Phase 2 output corresponds exactly to the WEP IV, and the last 13 bytes to the WEP base key.
Now we can use the existing WEP hardware Now we can use the existing WEP hardware to do the encryption using the per-packet to do the encryption using the per-packet keykey
Per-Packet Key Mixing: Per-Packet Key Mixing: DiagramDiagram
Phase 1
Phase 2
Temporal Key
MAC Addr
Intermediate Key
Sequence Number
Per-packet key
ReKey MechanismReKey Mechanism Refers to a process of delivering fresh Refers to a process of delivering fresh
encryption and integrity keys (MIC Keys) encryption and integrity keys (MIC Keys) to the stations and APsto the stations and APs
Accomplished by employing IEEE Accomplished by employing IEEE 802.1X802.1X
Defines an authentication server that Defines an authentication server that distributes keysdistributes keys
TKIP uses three distinct keysTKIP uses three distinct keys1.1. Temporal keysTemporal keys2.2. key encryption keyskey encryption keys3.3. master keysmaster keys
Temporal KeysTemporal Keys
Two Temporal Key types:Two Temporal Key types: 128-bit encryption key128-bit encryption key 64-bit Michael key64-bit Michael key
Used by stations and APs for normal Used by stations and APs for normal TKIP communicationTKIP communication
Key Encryption KeysKey Encryption Keys
As the name suggests, a temporal key is As the name suggests, a temporal key is “temporal” and needs to be updated “temporal” and needs to be updated frequentlyfrequently
Key Encryption KeysKey Encryption Keys encrypt the encrypt the information regarding the key distribution. information regarding the key distribution. They protect the Temporal Keys.They protect the Temporal Keys.
Requires two distinct key encryption keysRequires two distinct key encryption keys1.1. To encrypt the distributed Keying materialTo encrypt the distributed Keying material
2.2. To protect the re-key messages from forgeryTo protect the re-key messages from forgery
Master KeyMaster Key
Used to secure the distribution of Used to secure the distribution of the key encryption keysthe key encryption keys
Also related to TKIP’s support of Also related to TKIP’s support of user authentication:user authentication:
A station gets a master key after it is A station gets a master key after it is “authenticated”“authenticated”
ReKey SummaryReKey Summary
Master KeyMaster Key encrypts Key Encryption KeysKey Encryption Keys
Key Encryption KeysKey Encryption Keys encrypt Temporal KeysTemporal Keys
Temporal KeysTemporal Keys encrypt User DataUser Data
Authentication Server generates a Master KeyMaster Key
Station is Authenticated
TKIP Encryption ProcessTKIP Encryption Process
Phase 2Key
Mixing
Michael Fragment(s)
WEPEncapsulation
TKIP Sequence Counter(s)
MIC Key
SA + DA +PlainText
MSDU
PlaintextMPDU(s)
PlaintextMSDU + MIC
CiphertextMPDU(s)
WEP seed(s)Represented
as WEP IV + RC4 KeyPhase 1
KeyMixingMAC
Address
Temporal Key
Intermediate Key
TKIP Decryption ProcessTKIP Decryption Process
Phase IIKey
MixingMichael
WEPDecapsulation
TKIP Sequence Counter
MIC KeyCiphertext
PlaintextMPDU
WEP seedPhase 1
KeyMixing
MACAddress
Intermediate Key
Unmix IV
Reassemble
MPDU
WEP IV
Out of Sequence
MPDU
In Sequence
MPDU
SA + DA + Plaintext MSDU
MSDU with failed TKIP MIC
MIC =MIC’?
MIC
Counter Measures
MIC’
PlaintextMSDU
Temporal Key
Q&AQ&A
ReferencesReferences
http://www.tech-faq.com/wireless-nehttp://www.tech-faq.com/wireless-networks/tkip-temporal-key-integrity-prtworks/tkip-temporal-key-integrity-protocol.shtmlotocol.shtml
http://www.tech-faq.com/wireless-nehttp://www.tech-faq.com/wireless-networks/tkip-temporal-key-integrity-prtworks/tkip-temporal-key-integrity-protocol.shtmlotocol.shtml
http://cache-www.intel.com/cd/http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf00/00/01/77/17769_80211_part2.pdf