
802.11i

Date post: 15-Apr-2017
Upload: akruthi-k
IEEE 802.11i Robust Security Networks TKIP CCMP
Page 1: 802.11i

IEEE 802.11i Robust Security Networks TKIP CCMP

Page 2: 802.11i

WEP Cryptographic Operations

• Confidentiality and integrity are handled simultaneously in WEP

WEP Data Processing

Page 3: 802.11i

• 802.1X addresses two of the major flaws in WEP:
1. authentication
2. key management

• The major remaining flaw to be addressed – lack of confidentiality

• Idea to overcome this problem – link layer encryption technique.

Page 4: 802.11i

802.11i ?

• 802.11i defines 2 protocols for link layer protection

1. Temporal Key Integrity Protocol (TKIP)

2. Counter Mode with CBC-MAC Protocol (CCMP)

Page 5: 802.11i

• First new link layer encryption technique.

• Upgraded the security of WEP-based hardware

• Retains the basic architecture and operations of WEP.

• Initially called “WEP2”

The Temporal Key Integrity Protocol (TKIP)

Page 6: 802.11i

The Temporal Key Integrity Protocol (TKIP)

1. Key hierarchy and automatic key management

– Master keys are used to derive the keys for frame encryption.

– Key management operations automatically refresh the keys.

2. Per-frame keying

– Every frame has a unique RC4 key derived from the master key.

– This process is called key mixing.

Differences from WEP (Features of TKIP)

Page 7: 802.11i

The Temporal Key Integrity Protocol (TKIP)

3. Sequence counter

Use:
1. Out-of-order frames can be flagged
2. Mitigates replay attacks

4. New message integrity check
– CRC replaced with the Michael integrity check
– More robust cryptographic algorithm
– Easier to detect frame forgeries

Differences from WEP

Page 8: 802.11i

The Temporal Key Integrity Protocol (TKIP)

5. Countermeasures on message integrity check failures
– Michael can be compromised in an active attack
– So TKIP includes countermeasures

Differences from WEP

Page 9: 802.11i

The Temporal Key Integrity Protocol (TKIP)

• Doubles the length of the IV from 24 to 48 bits.
• This makes it difficult for attackers to predict the keys.

• Key mixing
– RC4 key unique to each frame
– The key mixing calculation combines the temporal key, the transmitter address and the sequence counter.

TKIP initialization vector use and key mixing

Page 10: 802.11i

The Temporal Key Integrity Protocol (TKIP)

• The TKIP IV also serves as a sequence counter.
• When a new master key is installed, the sequence counter is set to 1 and is incremented as frames are transmitted.

• TKIP defends against replay attacks as follows:
– TKIP maintains the most recent sequence counter
– The sequence counter of a received frame is checked against the most recently received sequence counter
– If it is larger than any previous value, the frame is accepted
– If smaller, it is rejected.
– If equal, the frame is a duplicate.
– Duplicate sequence numbers may represent an error.

TKIP sequence counter and replay protection

Page 11: 802.11i

The Temporal Key Integrity Protocol (TKIP)

• WEP uses a CRC, which proved unsuitable.
• The major challenge for TKIP is to strengthen the integrity check while still being able to run on a low-power processor
– Michael is implemented entirely with bitwise operations
– Can run on any processor without harming performance
– The MIC is better than the CRC, but fails against a sustained and determined attack
• Countermeasures detect the active attack, shut down the network and refresh the keys

The Michael Integrity Check and countermeasures

Page 12: 802.11i

TKIP Data Processing and Operation

• Like WEP, TKIP provides confidentiality and integrity together.
• Confidentiality is achieved through encryption using RC4 hardware with strong security belts of key management.

Page 13: 802.11i

TKIP Data Processing and Operation

TKIP Inputs
1. The frame
2. A temporal key
3. A MIC key
4. The transmitter address
5. A sequence counter

Page 14: 802.11i

TKIP Design – Key Mixing

Page 15: 802.11i

TKIP data transmission
1. The 802.11 frame is queued for transmission.
2. The Message Integrity Check (MIC) is computed.
3. Sequence numbers are assigned to fragments.
4. Each frame is encrypted with a unique per-frame WEP key.
5. The frame plus Michael message integrity check value from step 2 and the RC4 key from step 4 are passed to WEP.

Page 16: 802.11i

TKIP Data Processing and Operation

Page 17: 802.11i

TKIP reception process

Page 18: 802.11i

1. A frame is received by the wireless interface and passes the frame check sequence.

2. The first step TKIP takes is to check the sequence number to prevent replay attacks.

3. The WEP seed used to encrypt the packet is recovered.

4. With the WEP seed in hand, the outer WEP layer around the frame can be removed and the contents recovered.

5. If fragmentation was applied, it may be necessary to wait for further frames to arrive before reassembling a complete payload.

6. Once the frame is reassembled, Michael is calculated over the contents of the frame.

TKIP reception process

Page 19: 802.11i

The Michael Integrity Check

• Michael operates on frames passed down to it at the MAC service layer from higher-layer protocols

• Michael is not a secure cryptographic protocol and it does not protect individual 802.11 frames

• It protects the reassembled data unit given to 802.11 for transmission

• Several attacks on WEP served as the motivation for Michael.

• The message integrity check (MIC) value is calculated on the data, destination address (DA) and source address (SA). It also adds four zero bytes before the unencrypted data.

Page 20: 802.11i

Michael data processing
• Operates on 32-bit blocks of data.
• Padding is used, if required, only for the computation of the MIC; it is not transmitted.
• The MIC is added on to the tail of the data frame.
• The data-plus-MIC is given to 802.11 for transmission.
• During the fragmentation process, the MIC value may be split across multiple 802.11 fragments.
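The Michael computation described on the last two slides, as an added example that is not part of the original slides. The block function and the padding rule (0x5a followed by zero bytes) follow the 802.11i definition of Michael and do not appear on the slides; the key, addresses and payload are constructed sample values.

```python
import struct

MASK = 0xFFFFFFFF

def _rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _ror(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK

def _xswap(v):
    # Swap the two bytes inside each 16-bit half of the word.
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def _block(l, r):
    # Only rotations, XORs and 32-bit additions: cheap on low-power hardware.
    r ^= _rol(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);   l = (l + r) & MASK
    r ^= _rol(l, 3);  l = (l + r) & MASK
    r ^= _ror(l, 2);  l = (l + r) & MASK
    return l, r

def michael(mic_key: bytes, message: bytes) -> bytes:
    """Return the 8-byte Michael MIC of message under an 8-byte MIC key."""
    l, r = struct.unpack("<II", mic_key)
    # Padding is used for the computation only and is never transmitted:
    # 0x5a, then 4 to 7 zero bytes so the length is a multiple of 4.
    padded = message + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    for (word,) in struct.iter_unpack("<I", padded):  # 32-bit blocks
        l, r = _block(l ^ word, r)
    return struct.pack("<II", l, r)

def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, data: bytes) -> bytes:
    # MIC input: DA, SA, four zero bytes, then the unencrypted data.
    return michael(mic_key, da + sa + b"\x00" * 4 + data)

# Constructed sample values.
KEY = bytes.fromhex("0011223344556677")
DA = bytes.fromhex("020000000002")
SA = bytes.fromhex("020000000001")
SAMPLE_MIC = tkip_mic(KEY, DA, SA, b"constructed payload")
```

The MIC covers the addresses as well as the data, so changing either address or any payload byte changes the 8-byte value appended to the frame.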

Page 21: 802.11i

Michael countermeasures

If an attacker is able to bypass replay protection and the WEP integrity check, it would be possible to mount a brute-force attack on the Michael integrity check.

When a station detects a MIC failure:

1. The MIC failure is noted and logged. Before the MIC is validated, the frame must pass through the replay protection hurdle as well as the legacy WEP integrity check. Getting a frame to Michael for validation is not a trivial undertaking. Therefore, any MIC validation error is likely to be an extremely security-relevant matter that should be investigated by system administrators.

2. If the failure is the second one within a 60-second window, countermeasures dictate shutting down communications for a further 60 seconds. When the second MIC failure within 60 seconds is detected, all TKIP communication is disabled for 60 seconds. Instituting a communication blackout makes it impossible for an attacker to mount a sustained attack quickly.

3. Keys are refreshed. Stations delete their copies of the master keys and request new keys from the authenticator; authenticators are responsible for generating and distributing new keys.
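The receive-side logic from the replay protection slide and the countermeasures above, as an added example that is not part of the original slides. The class, its return strings and the event trace are constructed for illustration; advancing the sequence counter only for frames that also pass Michael is a design choice of this sketch.

```python
WINDOW = 60.0    # a second MIC failure within this many seconds triggers countermeasures
BLACKOUT = 60.0  # TKIP traffic stays disabled for this long afterwards

class TkipReceiver:
    def __init__(self):
        self.last_tsc = 0          # highest sequence counter accepted so far
        self.last_failure = None   # time of the previous MIC failure, if any
        self.blackout_until = 0.0
        self.rekeys = 0
        self.log = []              # (time, sequence counter) of every MIC failure

    def receive(self, tsc, mic_ok, now):
        if now < self.blackout_until:
            return "dropped: blackout"
        # Replay check comes first: only a strictly larger counter passes.
        if tsc < self.last_tsc:
            return "rejected: replay"
        if tsc == self.last_tsc:
            return "rejected: duplicate"
        if mic_ok:
            self.last_tsc = tsc    # advance only for frames that pass Michael
            return "accepted"
        return self._mic_failure(tsc, now)

    def _mic_failure(self, tsc, now):
        self.log.append((now, tsc))                 # 1. note and log the failure
        previous, self.last_failure = self.last_failure, now
        if previous is None or now - previous > WINDOW:
            return "mic failure logged"
        self.blackout_until = now + BLACKOUT        # 2. second failure within 60 s
        self.rekeys += 1                            # 3. keys are refreshed
        self.last_tsc = 0                           # counter restarts under the new key
        self.last_failure = None
        return "countermeasures: blackout and rekey"

# Constructed events: (sequence counter, MIC valid?, time in seconds)
TRACE = [(1, True, 0.0), (2, True, 1.0), (2, True, 1.5), (1, True, 2.0),
         (3, False, 10.0), (4, True, 11.0), (5, False, 40.0),
         (6, True, 50.0), (1, True, 101.0)]

def run_trace(events):
    rx = TkipReceiver()
    return [rx.receive(*event) for event in events]

if __name__ == "__main__":
    for event, verdict in zip(TRACE, run_trace(TRACE)):
        print(event, "->", verdict)
```

For monitoring, each entry in `log` is the event the slide says administrators should investigate, and a non-zero `rekeys` count marks a full countermeasure cycle.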

Page 22: 802.11i

Counter Mode with CBC-MAC Protocol (CCMP)

Interpretation so far? – TKIP is better than WEP.

Still a problem? – TKIP relies on the WEP encryption technique, which has again proved insecure.

What is the solution? – IEEE began working with the AES technique for encryption.

CCMP is the protocol that uses AES for encryption.

Page 23: 802.11i

Counter Mode with CBC-MAC Protocol (CCMP)

CCMP is basically a combination of counter (CTR) mode privacy and Cipher Block Chaining (CBC) message authentication with the AES technique.

The CCM mode combines CTR for confidentiality and CBC-MAC for authentication and integrity.

Basically AES is flexible to use with any key size and block size. But all AES processing used within CCMP mandates AES with a 128 bit key and a 128 bit block size.

Like TKIP, CCMP uses a fresh temporal key (TK) for every session. CCMP also requires a unique nonce value for each frame protected by a given TK, and CCMP uses a 48-bit packet number (PN) for this purpose.

Page 24: 802.11i

CCMP Data Processing-encryption(Transmission)

CCMP Inputs
• The frame
• A temporal key
• A key identifier
• A packet number

Page 25: 802.11i

CCMP data transmission
1. The 802.11 frame is queued for transmission: MAC header + payload.
2. A 48 bit packet number is assigned.
3. The Additional Authentication Data (AAD) field is constructed using the MAC header of the frame.
4. Construct the CCMP nonce block: packet number + sender address.
5. The CCMP header is constructed: packet number + key id.
6. Run CCM encryption using the temporal key (TK), AAD, nonce and data to form the ciphertext and Message Integrity Check (MIC).
7. The encrypted frame is formed by concatenating the original MAC header, the CCMP header, the encrypted data and the MIC.

CCMP Data Processing

Page 26: 802.11i

CCMP reception

It is the reverse of the encryption and transmission process.
1. When a frame is received by the wireless interface, the frame check sequence is checked and, if valid, the frame is passed to CCMP.
2. The additional authentication data (AAD) is recovered from the received frame.
3. The CCMP nonce is also recovered from the frame.
4. The receiver decrypts the ciphertext.
5. The integrity check is calculated over the plaintext data and the additional authentication data.
6. Finally replay detection is done.
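Steps 2, 4 and 5 of CCMP transmission and step 3 of reception, as an added example that is not part of the original slides. The byte layouts (8-byte CCMP header with the ExtIV bit set, 13-byte nonce with a leading priority octet) follow the 802.11i frame format and are not spelled out on the slides; the class name and the address are constructed, and the AES-CCM encryption itself is left out.

```python
PN_MAX = 2**48 - 1   # the packet number is 48 bits wide

def ccmp_header(pn: int, key_id: int) -> bytes:
    """8-byte CCMP header: PN0 PN1 Rsvd (ExtIV | KeyID) PN2 PN3 PN4 PN5."""
    p = pn.to_bytes(6, "little")
    return bytes([p[0], p[1], 0x00, 0x20 | (key_id << 6)]) + p[2:]

def parse_ccmp_header(hdr: bytes):
    """Recover (packet number, key id) from a received CCMP header."""
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, hdr[3] >> 6

def ccmp_nonce(transmitter: bytes, pn: int, priority: int = 0) -> bytes:
    """13-byte CCM nonce: priority octet, sender address, PN (most significant byte first)."""
    return bytes([priority]) + transmitter + pn.to_bytes(6, "big")

class CcmpSender:
    """Assigns packet numbers so that no nonce repeats under one temporal key."""
    def __init__(self, transmitter: bytes, key_id: int = 0):
        self.transmitter, self.key_id, self.pn = transmitter, key_id, 0

    def next_frame_fields(self):
        if self.pn >= PN_MAX:
            # Wrapping would reuse a nonce with the same TK, so a new key is needed.
            raise RuntimeError("PN space exhausted: install a new temporal key")
        self.pn += 1
        return (ccmp_header(self.pn, self.key_id),
                ccmp_nonce(self.transmitter, self.pn))

def receiver_nonce(hdr: bytes, transmitter: bytes) -> bytes:
    # The receiver rebuilds the nonce from the cleartext header and sender address.
    pn, _key_id = parse_ccmp_header(hdr)
    return ccmp_nonce(transmitter, pn)

TA = bytes.fromhex("020000000001")   # constructed transmitter address

if __name__ == "__main__":
    sender = CcmpSender(TA, key_id=1)
    for _ in range(3):
        header, nonce = sender.next_frame_fields()
        print(header.hex(), nonce.hex(), receiver_nonce(header, TA) == nonce)
```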

Page 27: 802.11i

Data Transfer Summary

              WEP               TKIP                               CCMP
Cipher        RC4               RC4                                AES
Key Size      40 or 104 bits    128 bits encryption, 64 bit auth   128 bits
Key Life      24-bit IV, wrap   48-bit IV                          48-bit IV
Packet Key    Concat.           Mixing Fnc                         Not Needed
Integrity
  Data        CRC-32            Michael                            CCM
  Header      None              Michael                            CCM
Replay        None              Use IV                             Use IV
Key Mgmt.     None              EAP-based                          EAP-based

Page 28: 802.11i

• These are the standard operations that will set the procedure for key derivation and distribution.

• Defines two keys:
1. Pairwise keys
2. Group keys

Robust Security Network (RSN) Operations

Page 29: 802.11i

Robust Security Network (RSN) Operations

• 802.11i pairwise Key Hierarchy

Key Confirmation Key: to compute integrity checks on keys

Key Encryption Key: to encrypt keying messages

Page 30: 802.11i

• Group key hierarchy (for broadcast and multicast transmissions)

Robust Security Network (RSN) Operations

Page 31: 802.11i

802.11i Key Derivation and Distribution

• This section explains how keys are derived and distributed securely: pairwise key and group key

• The process is often called key exchange process.

• Also explains the method of updating the keys.

Page 32: 802.11i

802.11i Key Derivation and Distribution

Updating pairwise keys: the four-way handshake

Page 33: 802.11i

Updating pairwise keys: the four-way handshake

Step 1:
i. Authenticator sends a nonce (random value) to the supplicant. The nonce prevents replay attacks.
ii. After receiving this, the supplicant expands the pairwise master key. Expansion = MAC address of supplicant + MAC address of authenticator + PMK + two nonces.

Step 2:
iii. Supplicant sends the supplicant nonce and a copy of the security parameters from the initial association with the network. The whole message is authenticated by the EAPOL KCK.
iv. Authenticator extracts the supplicant nonce, which allows the authenticator to derive the full pairwise key. The authenticator validates the message. If it is invalid, the handshake fails.

Page 34: 802.11i

Updating pairwise keys: the four-way handshake

Step 3:
i. At this point keys are in place on both sides but require confirmation.
ii. Authenticator sends the supplicant a message indicating the sequence number + GTK, which is encrypted using the KEK; the entire message is authenticated using the KCK.

Step 4:
iii. Supplicant sends a final confirmation message that it has received the keying messages so that the authenticator can start using the keys.
iv. Entire message is authenticated using the KCK.

Page 35: 802.11i

1. The authenticator sends the supplicant a nonce, which is a random value that prevents replay attacks. There is no authentication of the message, but there is no danger from tampering. If the message is altered, the handshake fails and will be rerun. At this point, the supplicant can expand the pairwise master key into the full pairwise key hierarchy. Expansion requires the MAC addresses of the supplicant and authenticator, the pairwise master key, and the two nonces.

2. The supplicant sends a message that has the supplicant nonce and a copy of the security parameters from the initial association with the network. The whole message is authenticated by an integrity check code calculated using the EAPOL Key Confirmation Key. The authenticator receives the message and extracts the supplicant nonce, which allows the authenticator to derive the full pairwise key hierarchy. Part of the key hierarchy is the key used to "sign" the message. If the authenticator cannot validate the message, the handshake fails.

Updating pairwise keys: the four-way handshake

Page 36: 802.11i

3. Keys are now in place on both sides of the handshake, but need to be confirmed. The Authenticator sends the supplicant a message indicating the sequence number for which the pairwise key will be added. It also includes the current group transient key to enable update of the group key. The group transient key is encrypted using the EAPOL Key Encryption Key, and the entire message is authenticated using the Key Confirmation Key.

4. The supplicant sends a final confirmation message to the authenticator to indicate that it has received the keying messages and the authenticator may start using the keys. The message is authenticated using the Key Confirmation Key.

Updating pairwise keys: the four-way handshake
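Messages 1 and 2 of the four-way handshake, as an added example that is not part of the original slides. The HMAC-SHA1 based PRF, the "Pairwise key expansion" label and the HMAC-SHA1-128 message code follow the 802.11i key hierarchy for CCMP and are not given on the slides; the message body is simplified (no real EAPOL-Key framing) and all keys, addresses and nonces are constructed values.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Expand the PMK with both MAC addresses and both nonces into KCK, KEK and TK.
    48 bytes cover CCMP; TKIP extends the expansion to carry the Michael keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def key_mic(kck: bytes, message: bytes) -> bytes:
    # Integrity check code over a keying message, calculated with the KCK.
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def handshake(pmk_ap, pmk_sta, aa, spa, anonce, snonce, params=b"constructed-RSN-parameters"):
    """Return the temporal key if message 2 validates, else None."""
    # Message 1 (authenticator -> supplicant): ANonce, not authenticated.
    # The supplicant can now expand its PMK into the pairwise key hierarchy.
    sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    # Message 2 (supplicant -> authenticator): SNonce + security parameters + MIC.
    msg2 = snonce + params
    mic2 = key_mic(sta["KCK"], msg2)
    # The authenticator extracts the SNonce, derives the hierarchy, validates the MIC.
    ap = derive_ptk(pmk_ap, aa, spa, anonce, msg2[:32])
    if not hmac.compare_digest(key_mic(ap["KCK"], msg2), mic2):
        return None   # the two sides hold different PMKs or the message was altered
    return ap["TK"]

# Constructed sample values.
PMK = bytes(range(32))
AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = b"\x11" * 32, b"\x22" * 32

if __name__ == "__main__":
    print("same PMK     :", handshake(PMK, PMK, AA, SPA, ANONCE, SNONCE).hex())
    print("different PMK:", handshake(PMK, bytes(32), AA, SPA, ANONCE, SNONCE))
```

Because the nonces feed the expansion, a fresh pair of nonces yields a fresh temporal key from the same PMK, which is what lets the handshake update pairwise keys.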

Page 37: 802.11i

Updating group keys: the group key handshake

Because the group transient key is encrypted with the Key Encryption Key from the pairwise hierarchy, the group key handshake requires that a successful four-way handshake has already occurred.

1. The authenticator sends the group transient key (GTK), encrypted with the Key Encryption Key from the pairwise key hierarchy. The message is also authenticated with a code calculated with the Key Confirmation Key.

2. The supplicant sends an acknowledgment message, indicating the authenticator should begin to use the new key for group frames. This message is also authenticated using the Key Confirmation Key.

Page 38: 802.11i

Improved 802.11i Architecture

Stage 1: Network and Security Capability Discovery

Stage 2: 802.1X Authentication (mutual authentication, shared secret, cipher suite)

Stage 3: Secure Association (management frames protected)

Stage 4: 4-Way Handshake(PMK confirmation, PTK derivation, and GTK distribution)

Stage 5: Group Key Handshake

Stage 6: Secure Data Communications

Michael MIC Failure or Other Security Failures

Group Key Handshake Timeout

4-Way Handshake Timeout

Association Failure

802.1X Failure

Page 39: 802.11i

Classic 802.11 State Machine (figure)

States and permitted frames:
• State 1: Unauthenticated, Unassociated – Class 1 Frames
• State 2: Authenticated, Unassociated – Class 1 & 2 Frames
• State 3: Authenticated and Associated – Class 1, 2 & 3 Frames

Transitions shown: Successful MAC layer Authentication; Successful Association or Reassociation; Disassociation Notification; Deauthentication Notification

Page 40: 802.11i

802.11i State Machine (figure)

States and permitted frames:
• State 1: Unauthenticated, Unassociated – Class 1 Frames + ESN Class 2 frames
• State 2: Authenticated, Unassociated – Class 1 & 2 Frames
• State 3: Authenticated and Associated – Class 1, 2 & 3 Frames
• State 4: ESN Associated – Class 1, 2 & 3 Frames except Authentication & Deauthentication

Transitions shown: Successful MAC layer Authentication; Successful Association or Reassociation; Disassociation Notification; Deauthentication Notification; ESN Association or Reassociation; ESN Disassociation Notification; Successful upper layer Authentication

Page 41: 802.11i

802.11i Fast Handoff

Figure: message sequence between STA, APold and APnew.

Labels: Associate-Request; Associate-Response; ACK; DS Notified; Reassociate-Request (Authenticated); Reassociate-Response (Authenticated); ACK; DS Notified; Disassociate (Authenticated). Transition Period ~ RTT (STA-AP).

Labels: 802.1X/Identity Request; EAP-Success; 802.1X/Identity Response; EAP-Request; EAP-Response. Transition Period ~ n RTT (STA-AP), n = 3.5 (TLS), 2.5 (TLS continuation).

