What the TKIP protocol is all about

How TKIP strengthens WEP

Wired Equivalent Privacy (WEP) was designed to provide wireless networks with the same type of privacy a user gets with classic wired networks. Once touted as the security savior of wireless LANs, WEP has been lambasted by cryptography experts as being easy to exploit.

WEP's shortcomings gave wireless encryption engineers the impetus to build something more robust and more secure, which is how Temporal Key Integrity Protocol (TKIP) came about. TKIP is not here to replace WEP. Rather it works as sort of a wrapper around WEP to make it stronger, and less vulnerable.

WEP makes use of symmetric cryptosystems that rely on shared secret encryption keys to encrypt and decrypt data. The problem with WEP is that with a small amount of effort, it's not that difficult for unauthorized users (presumably hackers) to obtain the secret encryption key needed to unlock access to the data. Using wireless sniffers such as AirSnort, LinkFerret, or a Netstumbler Kit, an unauthorized user can intercept the encryption key, and private data can then be deciphered and turned into plain-text, readable by anyone.

The author would like to thank Jim O'Riordan of Cisco Systems for assisting with the technical details of this article.

Wireless networking
802.11 is an IEEE standard that defines the protocol architecture of a wireless local area network. Currently, the two most popular types of wireless networks are 802.11a and 802.11b. 802.11a networks (otherwise known as Wi-Fi5) have a maximum bandwidth of 54 Mbps and operate on the 5.2-GHz spectrum. 802.11b networks (otherwise known as Wi-Fi) have a maximum bandwidth of 11 Mbps and operate on the 2.4-GHz spectrum.

Also, 802.11g has recently been ratified, and it uses a different modulation scheme (OFDM) that gets the speed up to 54 Mbps using the same 2.4-GHz range as 802.11b. It is also backward compatible with 802.11b so they can talk to each other at the lower common denominator�

Most wireless networks in existence today are 802.11b networks, though for the sake of security, all three types of wireless networks are equally vulnerable. Most of the security for these WLANs is implemented primarily on the MAC sub layer of the datalink (or logical link) layer of the OSI network model. Some security can be implemented through filters on the network and applications layers, but since WEP and TKIP function at the datalink layer, I'll save network and application layer wireless security for another time.

What is wrong with WEP?
WEP has never been touted as a protocol that provides strong authentication or access control, so the fact that it doesn't is not actually a flaw, but is certainly a reason to question its security prowess.

Similar to how you tune in a radio station, for any wireless network all you need is a proper receiver to pick up the traffic. Because "tuning in" someone else's network traffic is so easy to do, WEP was built into 802.11 for the purpose of keeping wireless transmissions private. WEP originally used the 40 bit RC4 stream cipher developed by RSA Security to encrypt the network traffic. RC4 is a symmetric stream cipher, which means that it uses the same key to encrypt and decrypt data, and that the key is shared between the two (or more) communicating parties. Though RC4 can also be implemented in 128 bits, 40 bit RC4 was selected for WEP because there are no export controls on 40 bit ciphers. RC4 is the most widely used stream cipher in use today, but it is not a good choice for wireless networks for a variety of reasons.

WEP uses a pseudo-random key stream that is generated by combining a public initialization vector with a secret key. While the data payload is encrypted, the initialization vector is transmitted in clear-text. If an attacker captures a large number of clear-text initialization vectors (probably at least 60-70), then there is a high probability that the attacker will be able to decipher the key. Since WEP does not require the initialization vector to change after every packet, and the WEP initialization vector is only 24 bits (a relatively small amount of bits in the world of encryption), RC4 sometimes reuses the key stream, creating patterns that emerge upon inspection. To make matters worse, some network cards reset the IV to zero each time they are reinitialized, practically guaranteeing key stream reuse. Cryptographers refer to the reuse of a key stream as a "collision." After about 5000 packets, enough collisions occur that a hacker cryptanalyst can ascertain the key and use it to decode the rest of the ciphertext .

For a large WLAN, the secure distribution of the secret encryption keys poses yet another logistical problem for WEP. Distributing secret keys to large numbers of end users is an administrative challenge. Also, a secret key that is shared by a large population of people does not remain a secret for very long. What do you do when a key is compromised? If you change the key, each and every wireless network user will have to reconfigure their wireless network interface card (NIC) drivers.

More detailed problems with RC4 and its implementation in WEP are widely documented by a multitude of experts. Ultimately, as a result of WEP's vulnerabilities, wireless networks using WEP are susceptible to man-in-the-middle attacks, replay attacks, packet alteration attacks, collision attacks, and authentication forgery.

Where TKIP comes in
In response to the problems surrounding WEP, the IEEE created a task force known as Task Group I (TGi) to resolve the problems with 802.11 wireless security. Engineers from well respected technology companies such as Cisco, IBM, Intel, Microsoft, RSA Security, and a few others came together in TGi to work on improving the security of 802.11 networks.

The goals of the TGi were to implement a new, stronger encryption algorithm in a secure manner, thereby preventing packet alteration attacks, collision, and authentication forgery. A primary concern of TGi was that the new solution had to be able to secure 802.11 networks that were already deployed.

TKIP is one of the solutions that TGi has devised. TKIP continues to use RC4, which may not sound like a good idea at first, but the thinking was to protect the investments that many organizations have already made in wireless devices.

The security enhancements of TKIP are still evolving, however, significant progress has already been made, and TKIP is available for use today. To start with, TKIP adds new encryption algorithms to WEP, all of which specialize in a particular function. Let's take a closer look at three significant enhancements that TKIP brings.

1. Message Integrity Code (MIC)
First, MIC (also known as Michael) is a cryptographic message integrity code used specifically to defeat altered, or forged, packets. MIC was designed by Niels Ferguson and brings up the rear of the packet (see the green section in Figure A) providing data integrity to safeguard the packet from unauthorized alterations. MIC is a type of message authentication code used to detect packet forgeries.

Figure A

2. Dynamic initialization vector
There is one type of man-in-the-middle attack that MIC cannot protect against. A packet alteration attack can occur when an unauthorized user obtains a packet in mid-flight (using a sniffer or protocol analyzer) and retransmits it either after deciphering information from it, or after altering it. To mitigate the risk of this packet alteration, man-in-the-middle attack, a new type of initialization vector has been added. If you assign a packet sequence number to the MIC key, and reinitialize the sequence each time a new key is used, the transmitter can increment the sequence number for each packet sent, preventing packets that were captured using an old MIC key from infiltrating the sequence. The initialization vector, as its name implies, marks the starting point of the encryption sequence. If you constantly change the initialization vector, you change the keys, and the sequence numbers along with it. When packets that are out of sequence arrive at the receiving end, they get discarded and a replay flag is incremented. This is referred to as a dynamic initialization vector, and the green section highlighted in Figure B shows where it fits in a packet.

Figure B

3. Key scrambling and fragmentation
At the beginning of the encryption process, TKIP combines an interim key (sometimes called a temporal key) with the packet sequence counter to create a new key for each packet, putting in place another safeguard against key reuse. Next the key for the cleartext (a key that is different than the temporal key) is fragmented and each fragment is assigned a sequence number. The sequence numbers of the fragments are then combined with the temporal key to create an encrypted initialization vector for RC4. This new, secure, and dynamically changing initialization vector compensates for the vulnerabilities in straight-up WEP, and RC4 can then encrypt the data as usual without exposing it to the previously described vulnerabilities. The process is laid out in Figure C.

Figure C

With TKIP, the encryption keys are encrypted themselves, and are constantly changing. So even if you use a wireless sniffer and obtain the key, the pilfered key will basically time-out and cease to operate after a time period pre-determined by you (5 minutes, for example) leaving an attacker little time to compromise data.

Additional resources

WEP and TKIP Wireless sniffers and protocol analyzers:

Implementing TKIP
The downside of TKIP is that every vendor implementation is different and one vendor's TKIP may not interoperate with another vendor's. The Wi-Fi Group (an industry consortium) has blessed a "standard" TKIP cipher called Wireless Protected Access (WPA). It gives you a choice of certain IEEE 802.1x authentication types (Cisco's LEAP, EAP-TLS, PEAP, etc.) to use with TKIP/MIC encryption. The Wi-Fi Group tests WPA implementations for interoperability in order to make your choice of vendor for client cards and infrastructure wireless access points more flexible.