Transcript TKIP
TKIP Temporal Key Integrity Protocol (TKIP) • A cipher suite based on old hardware (RC4 cipher) – A transmitter calculates a keyed cryptographic message integrity code (MIC). TKIP appends the computed MIC. The receiver discards any frames with invalid MIC. MIC in TKIP is not perfect due to hardware constraints. Has a timeout countermeasure. – Uses a transmit sequence counter (TSC) for every frame. Defend replay attack. – Uses a key-mixing function to combine the temporal key, the transmitter address (TA), and the TSC into the seed (IV, key) for the RC4 stream cipher TKIP Encapsulation The figures are from http://standards.ieee.org/getieee802/download/802.11i-2004.pdf Decpsulation Format Note: ICV is just the 4-byte checksum Format • • • • TSC0 and TSC1 are used in phase 2 key mixing TSC2 to TSC5 are used in phase 1 key hashing Extended IV – 1 for TKIP, 0 for WEP Key ID – ``set to the key index supplied by the MLME-SETKEYS.request primitive for the key used in encapsulation of the frame.’’ • WEPSeed[1] = (TSC1 | 0x20) & 0x7f. MIC • WEP design allows the packet forgery. Attacks: – Bit-flipping attacks – Data (payload) truncation, concatenation, and splicing – Fragmentation attacks – Iterative guessing attacks against the key – Redirection by modifying the MPDU DA or RA field – Impersonation attacks by modifying the MPDU SA or TA field MIC Note: priority is set to be all 0 and is reserved for the future Michael • TKIP uses a customized algorithm, called Michael, to compute the 8-byte MIC. – The message is appended by 0x5a at the end, then 4-7 0x00. Divided into a 32-bit words: M0 to Mn-1. – Then, iteratively does the following: Michael • The block function: Note: <<< and >>> represents shift with rotation. XSWAP for a function that swaps the position of the 2 least significant octets. MIC • TKIP MIC is not very strong. So, among other things, – TKIP MIC failure events should be logged. – ``The rate of MIC failures must be kept below two per minute. This implies that STAs and APs detecting two MIC failure events within 60 s must disable all receptions using TKIP for a period of 60 s. The slowdown makes it difficult for an attacker to make a large number of forgery attempts in a short time.’’ – Also defined procedures in case of MIC failure. TKIP Mixing Function • The mixing function has two phases: – 1. mix the temporal key with TA and TSC. – 2. mix the output of phase 1 with TSC, temporal key to get the WEP seed. The S-box used in TKIP • Both phase 1 and phase 2 depend on the Sbox, the same S-box used in AES. • The S-box replaces a 16bit with another 16 bit. • There is a table of [2][256]. Given the 16bits, the high byte and low byte are used as indices and then xor. #define _S_(v16) (Sbox[0][Lo8(v16)] ^ Sbox[1][Hi8(v16)]) Phase 1 • The output of Phase 1 is TTAK, which is 80 bits and divided into 5 16-bit words TTAK1 to TTAK5. Note: Mk16(X,Y) = (256⋅X)+Y, where X and Y are 8-bits values. PHASE1_LOOP_COUNT = 8. Phase 2 • Input: TTAK(80 bits), temporal key (128 bits), TSC( lower 16 bits). • Output: 128 bits (pre-frame key, WEP seed). Phase 2 Note: PPK is a variable as 16-bit array Note: RotR1 is to rotate right by 1 Beyond TKIP • TKIP will become outdated. • The replacement is CTR with CBC-MAC Protocol (CCMP) which uses AES. • Page 57-61. Reading • http://madwifi-project.org/browser/madwifi/trunk/net80211/ieee80211_crypto_tkip.c • Page 43-57, http://standards.ieee.org/getieee802/download/802.11i-2004.pdf