Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
CS265
Project Report
By
Date:
03/25/2005
TKIP (Temporal Key Integrity Protocol)
1. Introduction
2. Design Constraints
3. TKIP Description
Michael:
WEP uses CRC-32 for message integrity check. Since CRC is not designed
exclusively for message integrity check but for detecting transmission errors, CRC is
weak. TKIP employs a new message integrity mechanism called, Michael.
The Message Integrity Code, also called Micheal, consists of three components: the
secret key K, shared only between the sending and the receiving parties, the tagging
function and the verification function. The tagging function takes the key K and the
message M as the inputs and generates a tag T that is sent along with the encrypted
message M’. The receiving party, on receiving the encrypted message M’ along with the
tag T, calls the verification function with M’, T and key K as inputs. The verification
function returns ‘false’ if the received tag T does not match the computed tag implying
that the message has been modified. If the verification function returns ‘true’, the
message is presumed to be un-tampered.
The tagging function used by Micheal is designed by Neils Fergusan. The key used is 64
bit long and is represented as two 32-bit blocks (K0, K1).
The Micheal tagging function first appends a hexadecimal of 0x5A and then enough zero
pads to the message to make the length of the message M a multiple of 32-bit blocks.
These blocks are represented as M1, M2, ..., Mn and the tag is computed as follows:
(L, K) (K0,K1)
for i = 1 to n
L L ^ Mi
(L, R) f(L, R)
end loop
return (L, R)
The verification function re-computes the tag over the decrypted message M and
returns a true if the computed tag matches the received tag.
One interesting aspect of Michael is that the algorithm is not secure due to its simple
design. As I mentioned before, the designers of TKIP wanted algorithms to be simple
and efficient. Because the hardware environment is presumed to be the old and slow
WEP system, they did not want to use some famous Hash Function such as MD5 and
suffer performance degradation.
In order to make the Michael more secure, TKIP encrypts the hash value along with other
fields. Furthermore, the Michael Key is updated every one minute. With this design,
“the maximum expected number of message integrity error is one per year” [1].
TKIP fixes the small initialization vector (IV) and short encryption key problems
with WEP by using longer key. It uses a 128-bit encryption key, a 48-bit IV, and a 64-bit
authentication key.
In addition to increased key length, TKIP also guarantees a unique key to be used for
each packet. There is a mixing function that creates a new per-packet WEP key by taking
the 1) base key(128-bit encryption key), 2)transmitter MAC address, and 3)packet
sequence number as inputs. (See the diagram below)
Transmit
MAC Encryption
Address Key
Ciphertext
TKIP Per-Packet WEP Key
Per-Packet MPDU(s)
Sequence
Key WEP
Number
Mixing
(48 bits)
Fragment
Plaintext
MPDU(s)
Michael
Key
Michael
PlainText Plaintext
MSDU MPDU + MIC
Key Management:
The Key Management is not supported in WEP, and all the network stations use
the same key. It is also troublesome to change the key often. TKIP adopted IEEE
802.1X, which provides both authentication and key management capabilities. Using
IEEE 802.1X, TKIP generates per-user, per-session keys. Therefore, TKIP can
authenticate users and distribute different keys among the users. For example, we have
mentioned above that the Michael Key gets periodically changed for increased message
integrity security.
4. After TKIP: CCMP
TKIP is a quick, short-term solution to the problems of WEP. Since TKIP was
initially designed to work on the existing WEP hardware, it had limited design choices.
For example, RC4 is used since it is already implemented on the hardware. On the other
hand, CCMP, unlike TKIP, is designed from scratch. Even though CCMP is another
security protocol specified in IEEE 802.11i, CCMP uses 128-bit advanced encryption
standard (AES) rather than RC4. Furthermore, there is no assumption of using low
computing processors as in TKIP and that use of simple and efficient algorithm, is not a
big concern anymore.
[1] Nancy Cam-Winget, Russ Housley, Davis Wagner, and Jesse Walker, “Security flaws
in 802.11 data link protocols”, Communications of the ACM Vol 46, Number 5, 2003
http://libaccess.sjsu.edu:2225/10.1145/770000/769823/p35-cam_winget.pdf
[3] Bruce Potter, “Wireless Security’s Future”, IEEE Security & Privacy, July/August
2003 http://libaccess.sjsu.edu:2084/iel5/8013/27399/01219074.pdf
[4] Avishai Wool, “A note on the fragility of the Michael message integrity code”
http://libaccess.sjsu.edu:2209/iel5/7693/29589/01343878.pdf
[5] Jesse Walker, 802.11 “Security Series, Part II: The Temporal Key Integrity Protocol
(TKIP)” http://cache-www.intel.com/cd/00/00/01/77/17769_80211_part2.pdf