Temporal Key Integrity Protocol

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Temporal Key Integrity Protocol
General
Designers Wi-Fi Alliance
First published October 2002
Derived from Wired Equivalent Privacy
Cipher detail
Key sizes 128 bits
Best public cryptanalysis
Deprecated

Temporal Key Integrity Protocol or TKIP /tˈkɪp/ was a stopgap security protocol used in the IEEE 802.11 wireless networking standard. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as an interim solution to replace WEP without requiring the replacement of legacy hardware. This was necessary because the breaking of WEP had left WiFi networks without viable link-layer security, and a solution was required for already deployed hardware. TKIP is no longer considered secure and was deprecated in the 2012 revision of the 802.11 standard.[1]

Background[edit]

On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name Wi-Fi Protected Access (WPA).[2] The IEEE endorsed the final version of TKIP, along with more robust solutions such as 802.1X and the AES based CCMP, when they published IEEE 802.11i-2004 on 23 July 2004.[3] The Wi-Fi Alliance soon afterwards adopted the full specification under the marketing name WPA2.[4]

TKIP was deprecated by the IEEE in January 2009.[1]

Technical details[edit]

TKIP and the related WPA standard implement three new security features to address security problems encountered in WEP protected networks. First, TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP related key attacks.[5] Second, WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point. Finally, TKIP implements a 64-bit Message Integrity Check (MIC).[6]

To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.[citation needed]

Key mixing increases the complexity of decoding the keys by giving an attacker substantially less data that has been encrypted using any one key. WPA2 also implements a new message integrity code, MIC. The message integrity check prevents forged packets from being accepted. Under WEP it was possible to alter a packet whose content was known even if it had not been decrypted.

Security[edit]

TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks. The message integrity check, per-packet key hashing, broadcast key rotation, and a sequence counter discourage many attacks. The key mixing function also eliminates the WEP key recovery attacks.

Notwithstanding these changes, the weakness of some of these additions have allowed for new, although narrower, attacks.

Beck-Tews attack[edit]

TKIP is vulnerable to a keystream recovery attack that, if successfully executed, permits an attacker to transmit 7–15 packets of the attacker's choice on the network. The current publicly available TKIP-specific attacks do not reveal the Pairwise Master Key or the Pairwise Temporal Keys. On November 8, 2008, Martin Beck and Erik Tews released a paper detailing this attack method.[7]

The attack is an extension of the WEP chop-chop attack. Because WEP uses a cryptographically insecure checksum mechanism (CRC32), an attacker can guess individual bytes of a packet, and the wireless access point will confirm or deny whether or not the guess is correct. If the guess is correct, the attacker will be able to detect the guess is correct and continue to guess other bytes of the packet. However, unlike the chop-chop attack against a WEP network, the attacker must wait for at least 60 seconds after an incorrect guess (a successful circumvention of the CRC32 mechanism) before continuing the attack. This is because although TKIP continues to use the CRC32 checksum mechanism, it implements an additional MIC code named Michael. If two incorrect Michael MIC codes are received within 60 seconds, the access point will implement countermeasures, meaning it will rekey the TKIP session key, thus changing future keystreams. Accordingly, the Beck-Tews TKIP attack will wait an appropriate amount of time to avoid these countermeasures. Because ARP packets are easily identified by their size, and the vast majority of the contents of this packet would be known to an attacker, the number of bytes an attacker must guess using the above method is rather small (approximately 14 bytes). Beck and Tews estimate recovery of 12 bytes is possible in about 12 minutes on a typical network.

An attacker already has access to the entire ciphertext packet. Upon retrieving the entire plaintext of the same packet, the attacker has access to the keystream of the packet, as well as the MIC code of the session. Using this information the attacker can construct a new packet and transmit it on the network. To circumvent the WPA implemented replay protection, the Beck-Tews attack uses QoS channels to transmit these newly constructed packets. An attacker able to transmit these packets may be able to implement any number of attacks, including ARP poisoning attacks, denial of service, and other similar attacks.

In October 2009, Halvorsen with others made a further progress, enabling attackers to inject a larger malicious packet (596 bytes, to be more specific) within 18 minutes and 25 seconds.[8]

Ohigashi-Morii attack[edit]

Building on the Beck-Tews attack, Japanese researchers Toshihiro Ohigashi and Masakatu Morii reported a simpler and faster implementation of a similar attack.[9] It uses a similar attack method, but uses a man-in-the-middle attack and does not require the vulnerable access point to have Quality of Service enabled.

As with the Beck-Tews attack, the attack is only effective against TKIP, and not against WPA using AES.

Legacy[edit]

ZDNet reported on June 18, 2010 that WEP & TKIP would soon be disallowed on Wi-Fi devices by the Wi-Fi alliance.[10]

See also[edit]

References[edit]

  1. ^ a b "802.11mb Issues List v12" (excel). 20 Jan 2009. p. CID 98. "The use of TKIP is deprecated. The TKIP algorithm is unsuitable for the purposes of this standard" 
  2. ^ "Wi-Fi Alliance Announces Standards-Based Security Solution to Replace WEP". Wi-Fi Alliance. 2002-10-31. Retrieved 2007-12-21. 
  3. ^ "IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements" (pdf). IEEE Standards. 2004-07-23. Retrieved 2007-12-21. 
  4. ^ "Wi-Fi Alliance Introduces Next Generation of Wi-Fi Security". Wi-Fi Alliance. 2004-09-01. Retrieved 2007-12-21. 
  5. ^ Edney, Jon; Arbaugh, William A. (2003-07-15). Real 802.11 Security: Wi-Fi Protected Access and 802.11i. Addison Wesley Professional. ISBN 0-321-13620-9. 
  6. ^ IEEE-SA Standards Board. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Communications Magazine, IEEE, 2007.
  7. ^ Martin Beck & Erik Tews, "Practical attacks against WEP and WPA", available at [1].
  8. ^ Halvorsen, F. M.; Haugen, O.; Eian, M.; Mjølsnes, S. F. (2009). "An Improved Attack on TKIP". Identity and Privacy in the Internet Age. Lecture Notes in Computer Science 5838. p. 120. doi:10.1007/978-3-642-04766-4_9. ISBN 978-3-642-04765-7.  edit
  9. ^ A Practical Message Falsification Attack on WPA
  10. ^ Wi-Fi Alliance to dump WEP and TKIP ... not soon enough