TKIP

1
TKIP
2
Temporal Key Integrity Protocol(TKIP)

• A cipher suite based on old hardware (RC4 cipher)
• A transmitter calculates a keyed cryptographic
  message integrity code (MIC). TKIP appends the
  computed MIC. The receiver discards any frames
  with invalid MIC. MIC in TKIP is not perfect due
  to hardware constraints. Has a timeout
  countermeasure.
• Uses a transmit sequence counter (TSC) for every
  frame. Defend replay attack.
• Uses a key-mixing function to combine the
  temporal key, the transmitter address (TA), and
  the TSC into the seed (IV, key) for the RC4
  stream cipher

3
TKIP Encapsulation
The figures are from http//standards.ieee.org/ge
tieee802/download/802.11i-2004.pdf
4
Decpsulation
5
Format
Note ICV is just the 4-byte checksum
6
Format

• TSC0 and TSC1 are used in phase 2 key mixing
• TSC2 to TSC5 are used in phase 1 key hashing
• Extended IV 1 for TKIP, 0 for WEP
• Key ID set to the key index supplied by the
  MLME-SETKEYS.request primitive for the key used
  in encapsulation of the frame.
• WEPSeed1 (TSC1 0x20) 0x7f.

7
MIC

• WEP design allows the packet forgery. Attacks
• Bit-flipping attacks
• Data (payload) truncation, concatenation, and
  splicing
• Fragmentation attacks
• Iterative guessing attacks against the key
• Redirection by modifying the MPDU DA or RA field
• Impersonation attacks by modifying the MPDU SA or
  TA field

8
MIC
Note priority is set to be all 0 and is reserved
for the future
9
Michael

• TKIP uses a customized algorithm, called Michael,
  to compute the 8-byte MIC.
• The message is appended by 0x5a at the end, then
  4-7 0x00. Divided into a 32-bit words M0 to
  Mn-1.
• Then, iteratively does the following

10
Michael

• The block function

Note ltltlt and gtgtgt represents shift with rotation.
XSWAP for a function that swaps the position of
the 2 least significant octets.
11
MIC

• TKIP MIC is not very strong. So, among other
  things,
• TKIP MIC failure events should be logged.
• The rate of MIC failures must be kept below two
  per minute. This implies that STAs and APs
  detecting two MIC failure events within 60 s must
  disable all receptions using TKIP for a period of
  60 s. The slowdown makes it difficult for an
  attacker to make a large number of forgery
  attempts in a short time.
• Also defined procedures in case of MIC failure.

12
TKIP Mixing Function

• The mixing function has two phases
• 1. mix the temporal key with TA and TSC.
• 2. mix the output of phase 1 with TSC, temporal
  key to get the WEP seed.

13
The S-box used in TKIP

• Both phase 1 and phase 2 depend on the S-box, the
  same S-box used in AES.
• The S-box replaces a 16bit with another 16 bit.
• There is a table of 2256. Given the 16bits,
  the high byte and low byte are used as indices
  and then xor.

define _S_(v16) (Sbox0Lo8(v16)
Sbox1Hi8(v16))
14
Phase 1

• The output of Phase 1 is TTAK, which is 80 bits
  and divided into 5 16-bit words TTAK1 to TTAK5.

Note Mk16(X,Y) (256X)Y, where X and Y are
8-bits values. PHASE1_LOOP_COUNT 8.
15
Phase 2

• Input TTAK(80 bits), temporal key (128 bits),
  TSC( lower 16 bits).
• Output 128 bits (pre-frame key, WEP seed).

16
Phase 2
Note PPK is a variable as 16-bit array
Note RotR1 is to rotate right by 1
17
Beyond TKIP

• TKIP will become outdated.
• The replacement is CTR with CBC-MAC Protocol
  (CCMP) which uses AES.
• Page 57-61.

18
Reading

• http//madwifi-project.org/browser/madwifi/trunk/n
  et80211/ieee80211_crypto_tkip.c
• Page 43-57, http//standards.ieee.org/getieee802/d
  ownload/802.11i-2004.pdf