Cryptography Reference
Packet Sequencing
The classical method for thwarting replay attacks is to bind a packet
sequence number space with a MIC key, and reinitialize the sequence space each
time the MIC key is replaced. TKIP does not stray far from the classical
paradigm. TKIP employs a 48-bit sequence number, which it binds to the TKIP
encryption key (rather than the MIC key). Then, TKIP mixes the sequence
number into the key and enciphers the MIC and WEP IV via the following.
Per-Packet Key Mixing Function
As we discussed earlier, in the WEP protocol, the encryption key is
vulnerable to attack due to the weak 24-bit IV, among other factors. TKIP fixes
this with a mixing function that inputs a 128-bit temporal key, TK, the 48-bit
packet sequence number, SEQ, and the transmitter address, TA, then outputs
a fresh per-packet 128-bit key, called a WEP seed key. The mixing stage is
broken down into two phases in order to save on computing time.
The first phase inputs TK, TA, and the four most significant
bytes, msb, of SEQ to an S-box that outputs an intermediate key, IK.
In the second phase, IK is mixed with the two least significant bytes, lsb,
of SEQ to output the per-packet key, PPK. The end result is that a different
key is used for each packet that is sent.
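The two-phase structure and the sequence-number replay check described above, as an added sketch that is not from the original text. HMAC-SHA-256 stands in for TKIP's S-box mixer, so the keys it produces are not real TKIP keys; the Receiver class, the function names and the sample TK and TA are assumptions made for illustration.

```python
import hashlib
import hmac

SEQ_MAX = (1 << 48) - 1  # SEQ is a 48-bit packet sequence number


def phase1(tk: bytes, ta: bytes, seq: int) -> bytes:
    """TK, TA and the four most significant bytes of SEQ -> intermediate key IK."""
    msb = (seq >> 16).to_bytes(4, "big")
    # Assumption: HMAC-SHA-256 stands in for TKIP's S-box mixer.
    return hmac.new(tk, b"phase1" + ta + msb, hashlib.sha256).digest()[:16]


def phase2(ik: bytes, seq: int) -> bytes:
    """IK and the two least significant bytes of SEQ -> 128-bit per-packet key PPK."""
    lsb = (seq & 0xFFFF).to_bytes(2, "big")
    return hmac.new(ik, b"phase2" + lsb, hashlib.sha256).digest()[:16]


class Receiver:
    """Hypothetical receiver: replay check plus a cached phase 1 result."""

    def __init__(self, tk: bytes, ta: bytes):
        self.rekey(tk, ta)

    def rekey(self, tk: bytes, ta: bytes) -> None:
        # The sequence space is bound to the key, so a new key restarts it.
        self.tk, self.ta = tk, ta
        self.last_seq = -1
        self.cached_msb, self.ik = None, None
        self.phase1_runs = 0

    def key_for(self, seq: int):
        """Return PPK for a fresh SEQ, or None for a replayed or stale one."""
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError("SEQ must fit in 48 bits")
        if seq <= self.last_seq:
            return None
        if seq >> 16 != self.cached_msb:  # phase 1 reruns only when msb changes
            self.ik = phase1(self.tk, self.ta, seq)
            self.cached_msb = seq >> 16
            self.phase1_runs += 1
        self.last_seq = seq
        return phase2(self.ik, seq)


if __name__ == "__main__":
    rx = Receiver(bytes(range(16)), bytes.fromhex("020000000001"))  # constructed TK, TA
    for seq in (0, 1, 1, 0x10000):
        key = rx.key_for(seq)
        print(seq, key.hex() if key else "rejected (replay)")
```

Because phase 1 depends only on the upper four bytes of SEQ, its result is reused for every packet that shares them, which is the computing-time saving the text mentions.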
Diagram 9.4 Per-Packet Key Mixing
[Diagram: TA and msb enter the Phase 1 Mixer, which outputs IK; IK and lsb enter the Phase 2 Mixer, which outputs PPK.]
Once TKIP has processed the data and produced the MIC, together with
the plaintext MSDU, TKIP appends the MIC to the data field. Then the 802.11
implementation fragments the MSDU into Media Access Control Protocol Data
Packets (MPDUs), required for WEP encryption. Once this has been done, each
fragment is given a packet sequence number to establish a per-packet encryption
key for each such fragment. This is all summarized in Diagram 9.5 on page 352.
Summary
TKIP was meant only for short-term security until the standard RSN became
a fact. As a wrapper around WEP it did alleviate some of the problems with
the original WEP design, such as removing weak key attacks and thwarting
the redirection of packets to unauthorized sites (via Michael's protection of SAs
and DAs). However, this sometimes comes at a performance cost, such as the
additional key mixing time and rapid rekeying rate, which arises from reuse of
WEP packets and IV spaces. Basically, it is a trade-off between security and
acceptable performance characteristics. WEP met virtually none of its security
goals, and TKIP addressed these problems in the short term. RSN provides the
more robust solution.