Shambhu Upadhyaya1

802.11 Security – Key 802.11 Security – Key HierarchyHierarchy

Shambhu UpadhyayaWireless Network SecurityCSE 566 (Lecture 11)

Shambhu Upadhyaya2

Pairwise Keys• Unicast data sent between two stations has to be private

between them• For this purpose a pairwise key is used which is known to

the two parties• Each mobile device has a unique pairwise key with the

access point

AP

MobileDevice

Key 1

MobileDevice

Key 2

MobileDevice

Key 3

Key 1 Key 2 Key 3Pairwise Key

Shambhu Upadhyaya3

Group Keys• For Broadcast or multicast transmissions, data is

received by multiple stations• Thus a key needs to be shared by all members of the

trusted group• Each trusted mobile device shares this group key with

the Access Point

AP

MobileDevice

Key G

MobileDevice

Key G

MobileDevice

Key G

Key GGroup Key

Shambhu Upadhyaya4

Types of Keys• Preshared keys

- Installed in the access point and mobile device by some method outside of RSN/WPA

- Used by most WEP systems- Possession of the key is the basis for authentication- Bypasses the concept of upper layer authentication

completely• Server-based keys

- The keys are generated by some upper layer authentication protocol

- Authentication server provides the access points with the temporal keys required for session protection

Shambhu Upadhyaya5

Pairwise Key Hierarchy

• At the top of the hierarchy is Pairwise Master Key (PMK)

• Can be delivered from upper layer authentication protocol or can use a preshared secret

• There exists a unique PMK for each mobile host

Shambhu Upadhyaya6

Creation and Delivering of PMK• Generation of the PMK is based on the top level key held by

both the user and the server• Could be in a ‘smart card’ or a password known to both the

user and the server (kept in a person’s head)• During the EAP authentication process the method proves that

both parties know this secret• After successful authentication a key generating authentication

process (e.g., TLS, Kerberos) then generates random-like key material

• This random key material is used to create the PMK• Thus after the authentication process the PMK is known to both

the client and the authentication server• This key needs to be transferred to the Access Point for use

during the session- WPA mandates the use of RADIUS to make this transfer- RSN does not specify a particular method for the transfer

Shambhu Upadhyaya7

Computing Temporal Keys• 802.1X model, data can start flowing once access

point has the key, but WPA/RSN has more steps• Now temporal keys are derived from this PMK for use

during each session• These keys are called temporal keys as they are

recomputed each time the mobile device associates with the AP

• There are four keys derived for this purpose- Data Encryption Key (128 bits)- Data Integrity Key (128 bits)- EAPOL-Key Encryption Key (128 bits)- EAPOL-Key Integrity Key (128 bits)

• Collection of these four keys is called as Pairwise Transient Key (PTK)

Shambhu Upadhyaya8

Details of Temporal Keys• First two keys are used to encrypt and protect the

data• Last two are used to protect communication between

the access point and mobile device during the initial handshake

• As the temporal keys change every time a station reattaches with the AP, liveliness is ensured by including a couple of Nonces in the computation of the temporal keys

• A Nonce is a value which is “never” or “extremely unlikely” to be repeated

• Each device generates a nonce and passes it to the other device

• Also to bind identity of the devices to the keys, MAC addresses of the devices are included in computation

Shambhu Upadhyaya9

Temporal Key Generation

KeyComputation

Block

PMK

Nonce1

Nonce2

MAC 1

MAC 2

Data Encr

Data MIC

EAPOL Encr

EAPOL MIC

Temporal Key Computation

Shambhu Upadhyaya10

Exchanging and Verifying Key Information (Legitimizing AP)

• In the above exchange there is an implicit trust between the mobile host and the Access point

• To ensure that the Access Point is not rogue, it must authenticate itself with the mobile device

• To do this, the access point proves its possession of the PMK which it gets from the authentication server and can only be obtained by a legitimate AP

• This is done by carrying out a four-way mutual authentication between the AP and the mobile host using EAPOL Key Messages

Shambhu Upadhyaya11

Access Point’s Legitimacy- Message (A): Authenticator -> Supplicant

• Contains the ANonce (nonce from the AP)• Message is send unencrypted• On receiving this message supplicant computes the

temporal keys- Message (B): Supplicant -> Authenticator

• Contains the SNonce (nonce from the mobile host)• Also contains the MIC (Message Integrity Code) to

prevent the message from being tampered• This is done using the EAPOL Key Integrity key from

the PTK• The Authenticator calculates the PTK based on the

received SNonce

Shambhu Upadhyaya12

Four-way Handshake Contd..• It now verifies the MIC based on the calculated temporal

keys• This MIC check ensures the Authenticator that the

supplicant has matching PMK- Message (C): Authenticator -> Supplicant

• Message indicates that the authenticator is ready to start using the new set of keys

• Also contains a MIC so that supplicant can verify Authenticator’s possession of the PMK

• Also contains the start sequence for the first encrypted frame

- Message (D): Supplicant -> Authenticator• This acknowledges the completion of the four way

handshake• Also indicates that the supplicant would now install the

new temporal keys

Shambhu Upadhyaya13

Group Key Hierarchy

• Used for broadcast and multicast transmissions

• Broadcasts and multicasts can be sent from the access point only

• Pairwise keys cannot be used as the same transmission is to be heard by all stations

• Hence the same key is shared by all stations and is called the Group key

Shambhu Upadhyaya14

Group Key Hierarchy• Group keys pose a problem when a station

leaves the network• The pairwise keys are removed when a

station disconnects but the group keys are still valid and can be used by the station to passively listen to the group transmissions

• This might be undesirable in some situations

• The solution to this problem is to change the group key once a station leaves the network

Shambhu Upadhyaya15

Group Key Hierarchy• Changing and distributing group keys is easier than

pairwise keys as there already exists a secure channel (using pairwise keys) over which the group key can be sent

• The access point performs the following functions during Group Key Rekeying- Create a 256 bit Group Master Key (GMK)- Derive a Group Transient Key (GTK) from which the

temporal keys are obtained- After establishment of each pairwise secure

connection• Send GTK to mobile device with current sequence

number• Check for acknowledgement of the receipt

Shambhu Upadhyaya16

Group Key Hierarchy• To provide an uninterrupted service, WEP provided

the support for multiple keys• Using this, four keys can be installed in a device at a

time• Each transmission carries a KeyID which specifies

which of the keys to use for decryption• Thus, if during a multicast transmission a station

disconnects, the AP can continue transmission using the old key set till the new set of Group keys is calculated and distributed, after which it switches to the new keys set

• Also, GMK is not bound to a particular station and hence can be easily chosen by simply choosing a cryptographic quality random number

Shambhu Upadhyaya17

References

• Jon Edney and William Arbaugh, Real 802.11 Security, Addison-Wesley, 2004

Shambhu Upadhyaya18

802.11 Security – TKIP802.11 Security – TKIP

Shambhu UpadhyayaWireless Network SecurityCSE 566 (Lecture 12)

Shambhu Upadhyaya19

TKIP• Temporal Key Integrity Protocol• Designed as a wrapper around WEP

- Can be implemented in software- Reuses existing WEP hardware- Runs WEP as a sub-component

• Quick-fix to the existing WEP problem• New “procedures” around Legacy WEP• Components

- Cryptographic message integrity code- Packet sequencing- Per-packet key mixing- Re-keying mechanism

Shambhu Upadhyaya20

TKIP Introduction• Never use the same IV value more than once for

any particular session key- Prevents key-stream reuse by a system

• Receivers discard any packets whose IV value is less or equal to the last successfully received packet encrypted with the same key- Prevents replay attacks

• Regularly generate a new random session key before the IV counter overflows- Prevents key-stream reuse

• Provide a more thorough mixing of the IV value and the session key to derive the packet's RC4 key- To “fix” the RC4 Key scheduling issues with WEP

Shambhu Upadhyaya21

Weaknesses of WEP

1IV value is too short and not protected from reuse

2The way keys are constructed from IV makes it susceptible to weak key (FMS) attack

3 No effective way to detect message tampering

4Directly uses master keys with no provision for re-keying

5 No protection against replay attacks

Shambhu Upadhyaya22

Changes from WEP to TKIP

Purpose ChangeWeakness Addressed

Message Integrity

Adds a message integrity protocol to prevent tampering (one which can be implemented in software using a low power microprocessor)

(3)

IV selection and use

Changes how IV values are selected, uses it as a replay counter

(1) , (3)

Shambhu Upadhyaya23

Changes from WEP to TKIP

Purpose ChangeWeakness Addressed

Per-Packet Key Mixing

Changes encryption key for every frame

(1),(2),(4)

IV SizeIncreases the size of the IV to avoid reusing the same IV

(1),(4)

Key Management

Adds a mechanism to distribute and change keys and derive temporal keys

(4)

Shambhu Upadhyaya24

Message Integrity • Essential to security of the message• WEP uses ICV (Integrity Check Value), but it offers

no real protection• Thus, ICV is not a part of TKIP security• Basic idea behind computing the MIC (Message

Integrity Code) is calculating a checksum over the message bytes so that any modification to the message can be detected

• This MIC is combined with a secret key so that only authorised parties can generate and verify the MIC

• Many available cryptographic methods can be used for the purpose

Shambhu Upadhyaya25

Message Integrity - Michael• As WEP is required to work over existing

hardware it cannot use computationally intensive cryptographic methods

• Even if the computations are moved to software level in clients, existing Access Points cannot perform heavy computations

• Thus, TKIP uses a method of computing MIC called Michael

• Michael uses simple shift and add operations instead of multiplications and hence is usable in TKIP

Shambhu Upadhyaya26

Message Integrity - Michael• Michael operates on MSDUs (MAC Service Data

Unit) rather than individual MPDUs (MAC Protocol Data Unit)- Useful as the computation can be performed in the

device driver on the computer rather than on the adapter card

- Also reduces overhead as MIC is not calculated for each MPDU being sent out

• As Michael is computationally simple, it offers a weak form of security

• To counter these drawbacks, it includes a set of countermeasures which are used when an attack is detected

Shambhu Upadhyaya27

Michael Countermeasures

• Used to reliably detect attacks and shut down communication to the attacked station for a period of one minute

• This is done by disabling keys for a link as soon as the attack is detected

• Also has a blackout period of one minute before the keys are reestablished

• This can be used by the attacker to launch a DoS attack on the network (theoretically)

Shambhu Upadhyaya28

IV Selection and Use

• TKIP has the following major changes in the way IVs are used as compared to WEP- IV Size is increased from 24 to 48 bits- IV has a secondary role as a sequence

counter to avoid replay attacks- IVs are constructed so as to avoid certain

‘weak keys’- Instead of directly appending it with the

secret key, IVs are used to generate mixed keys

Shambhu Upadhyaya29

IV Use in TKIP

Upper IV Lower IV32 bits 16 bits

IV d IV Per Packet Key

24 bits 104 bits

Phase 1 Key Mixing

Phase 2 Key Mixing

MAC Address

Session Key

‘d’ is a dummy byte designed to avoid weak keys

Creating the RC4 Encryption Key

Shambhu Upadhyaya30

TSC (TKIP Sequence Counter)• WEP has no protection against replay attacks• In TKIP IV doubles up as a sequence counter to

prevent replay attacks• TKIP uses the concept of replay window to implement

the counters- The receiver keeps track of the highest TSC and the

last 16 TSC values- When a new frame arrives it checks and classifies it

as one of the following types• ACCEPT: TSC is larger than the largest seen so far• REJECT: TSC is less than the value of the largest - 16• WINDOW: TSC is less than the largest, but more than

the lower limit

Shambhu Upadhyaya31

Per–Packet Key Mixing• Uses the session keys which are derived from the

master keys• Per Packet key mixing mechanism further derives a

separate unrelated key for each packet from the session key

• To save computation key mixing is divided into two phases- Phase 1 involves data that is relatively static like

secret session key, higher order 32 bits of IV, MAC address etc. so that this computation is done infrequently

- Phase 2 is quicker to compute and is done for each packet – and used the lower 16 bits of the IV (which increases monotonically with each packet)

Shambhu Upadhyaya32

TKIP Role in Transmission

Compute MIC Append MIC

Fragmentation

Key Mixing

IV Generation Compute ICV

EncryptAppend ICV to Packet

MPDU for Tx

MSDU for Transmission

Master Key

MIC Key

Encryption Key

Key derivation

block

Michael block

RC4 block

Append IV & Add MAC Hdr

TKIP MPDU Frame• Initialization Vector (IV) • Key Identifier (ID) • Extended IV• Payload Data

- MPDU data

• MIC - The MIC value is computed using the Michael

algorithm over the entire payload data of the MSDU

• Integrity Check Value (ICV) - The checksum value computed over the

unencrypted payload data

• Frame Check Sequence (FCS) - (CRC) computed over all fields of the MPDU

Shambhu Upadhyaya33

Shambhu Upadhyaya34

TKIP Role in Reception

Compute MICRemove & Check Mic

Re-Assembly

Key MixingDecrypt

IV Extraction Check TSC Window

Strip MAC Hdr

MSDU Accepted

Master Key

MIC Key

Encryption Key

Key derivation

block

Michael block

TSC block

Received MPDU

RC4 block

Reject if bad MIC, invoke counter-measures

Reject if bad ICV

Reject if bad TSC

Shambhu Upadhyaya35

References

• Jon Edney and William Arbaugh, Real 802.11 Security, Addison-Wesley, 2004