Tkip Master


Cryptanalysis of IEEE 802.11i TKIP

Finn Michael Halvorsen
Olav Haugen

Master of Science in Communication Technology
Submission date: June 2009
Supervisor: Stig Frode Mjølsnes, ITEM
Co-supervisor: Martin Eian, ITEM
Norwegian University of Science and Technology, Department of Telematics

Problem Description

A new vulnerability in the Temporal Key Integrity Protocol (TKIP) defined in 802.11i [1] was recently discovered and published in [2]. Verification and further analysis of this vulnerability are needed. The students will give a detailed explanation of the attack, followed by experimental verification via various tools. The severity of the attack and its application areas should be discussed. If it is possible and if time permits, the students will also look for other weaknesses in the TKIP protocol that may lead to other attacks.

[1] http://standards.ieee.org/getieee802/download/802.11i-2004.pdf
[2] http://dl.aircrack-ng.org/breakingwepandwpa.pdf

Assignment given: 14 January 2009
Supervisor: Stig Frode Mjølsnes, ITEM

Abstract

The Temporal Key Integrity Protocol (TKIP) was created to fix the weaknesses of Wired Equivalent Privacy (WEP). Up until November 2008, TKIP was believed to be a secure alternative to WEP, although some weak points were known. In November 2008, the German researchers Martin Beck and Erik Tews released a paper titled Practical Attacks Against WEP and WPA [10]. This paper introduced the first practical cryptographic attack on TKIP.

This thesis continues the work of Beck and Tews, and presents an improved attack as an advancement of their original attack. The thesis starts by giving a comprehensive study of the current state of wireless network and security protocols. Next, a detailed description of Beck and Tews' attack will be given. The main contribution in this thesis is an improvement of Beck and Tews' attack on TKIP. This improved attack is able to obtain more than ten times the amount of keystream of the original attack, by exploiting the fact that the Dynamic Host Configuration Protocol (DHCP) contains large amounts of known plaintext. Additionally, the authors show how it is possible to modify the original attack on TKIP to be able to perform an Address Resolution Protocol (ARP) poisoning attack and a cryptographic Denial-of-Service (DoS) attack.

In addition to these theoretical results, the contributions made by the authors were implemented as extensions to the source code provided by Beck and Tews. Experimental verification of the attacks was also performed; this included the original attack by Beck and Tews, as well as our own contributions.

Preface

This report is the final result of the Master's Thesis in Information Security, conducted in the 10th semester of the Master's Programme in Communication Technology at The Norwegian University of Science and Technology, NTNU. The assignment was given by Martin Eian at the Department of Telematics, NTNU.

Conducting research on the cutting edge of information security has been a challenging and demanding task. The authors were required to produce new and novel enhancements to existing attacks. On the other hand, being able to make new discoveries has been very motivating and exciting. Especially the use of practical experimentation made the research a fulfilling experience.

We would like to thank our supervisor Martin Eian for his continuous feedback and support. Additionally, we would also like to thank professor Stig F. Mjølsnes and the Department of Telematics for giving us the opportunity to write this thesis. As a result of this thesis, a paper was submitted to the NordSec Conference. We would like to thank Stig F. Mjølsnes for the support regarding the process of writing this paper.

Trondheim, June 2009
Finn Michael Halvorsen, Olav Haugen

Acronyms

AES      Advanced Encryption Standard
AP       Access point
ARC4     Alleged RC4
BOOTP    Bootstrap Protocol
BSSID    Basic Service Set Identifier
BSS      Basic Service Set
CCMP     Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
CHADDR   Client Hardware Address
CIADDR   Client IP Address
CRC      Cyclic Redundancy Check
DA       Destination Address
DHCP     Dynamic Host Configuration Protocol
DNS      Domain Name System
DoS      Denial-of-Service
DS       Distribution System
EAPOL    Extensible Authentication Protocol Over LAN
EAP      Extensible Authentication Protocol
ESSID    Extended Service Set Identifier
ESS      Extended Service Set
FCS      Frame Check Sequence
GIADDR   Relay Agent IP Address
GPU      Graphical Processing Unit
GUI      Graphical User Interface
HLEN     Hardware Length
HTYPE    Hardware Type
IBSS     Independent Basic Service Set
IEEE     Institute of Electrical and Electronics Engineers
IP       Internet Protocol
LAN      Local Area Network
LLC      Logical Link Control
LSB      Least Significant Bit
MAC      Media Access Control
MBZ      Must Be Zero
MD5      Message Digest 5
MIC      Message Integrity Code
MPDU     MAC Protocol Data Unit
MSB      Most Significant Bit
MSDU     MAC Service Data Unit
MTU      Maximum Transmission Unit
NAT      Network Address Translation
NDP      Neighbor Discovery Protocol
OP       Operation
PMK      Pairwise Master Key
PRGA     Pseudo Random Generation Algorithm
PRNG     Pseudo Random Number Generator
PTKSA    Pairwise Transient Key Security Association
RC4-KSA  RC4 Key Scheduling Algorithm
RC4      Rivest Cipher 4
RFC      Request For Comment
SA       Source Address
SHA      Secure Hash Algorithm
SIADDR   Next Server IP Address
SNAME    Server Host Name
SNAP     Sub Network Access Protocol
SSID     Service Set Identifier
STA      Station
TA       Transmitter Address or Transmitting Station Address
TCP      Transmission Control Protocol
TID      Traffic Identifier
TKIP     Temporal Key Integrity Protocol
TK       Temporal Key (Session Key)
TSC      TKIP Sequence Counter
TTAK     TKIP-mixed Transmit Address and Key
WEP      Wired Equivalent Privacy
WLAN     Wireless Local Area Network
WMM      WiFi MultiMedia
WPA      WiFi Protected Access
XID      Transaction ID
XOR      Exclusive-Or
YIADDR   Your IP Address
Contents

Abstract; Preface; Acronyms
1 Introduction: 1.1 Motivation; 1.2 Related Work; 1.3 Problem Description and Goals; 1.4 Limitations; 1.5 Research Methodology; 1.6 Document Structure
2 Background: 2.1 Security Principles (2.1.1 General Principles; 2.1.2 Encryption techniques; 2.1.3 Authentication and Authorization; 2.1.4 Attacks); 2.2 IEEE 802.11 Wireless Networks (2.2.1 General Description; 2.2.2 Structure of Wireless Networks; 2.2.3 History; 2.2.4 IEEE 802.11 Transmission Protocols Roundup); 2.3 Wireless Security (2.3.1 IEEE 802.11 Security Protocols); 2.4 Wired Equivalent Privacy (WEP) (2.4.1 History; 2.4.2 Protocol Overview; 2.4.3 Authentication; 2.4.4 Pseudorandom Number Generator - RC4; 2.4.5 Integrity Check Value - CRC-32; 2.4.6 Initialization Vector - IV; 2.4.7 Weaknesses of WEP); 2.5 Attacks on WEP (2.5.1 The FMS Attack; 2.5.2 The KoreK Attack; 2.5.3 The PTW Attack; 2.5.4 Beck and Tews' Improved Attack on RC4; 2.5.5 Chopchop Attack; 2.5.6 Fragmentation Attack); 2.6 Temporal Key Integrity Protocol (TKIP) (2.6.1 History; 2.6.2 Protocol overview; 2.6.3 TKIP Encapsulation; 2.6.4 TKIP Decapsulation; 2.6.5 TKIP Packet Structure; 2.6.6 TKIP Sequence counter (TSC); 2.6.7 Message Integrity Code (MIC); 2.6.8 Temporal Key); 2.7 Counter Mode with CBC MAC Protocol (CCMP); 2.8 Attacks on TKIP and CCMP; 2.9 IEEE 802.11e - QoS/WMM; 2.10 Address Resolution Protocol (ARP) (2.10.1 Protocol Overview; 2.10.2 ARP Packet Structure; 2.10.3 Attacks on ARP); 2.11 Dynamic Host Configuration Protocol (DHCP) (2.11.1 Overview; 2.11.2 DHCP Packet Structure)
3 Beck and Tews' Attack on TKIP: 3.1 Requirements (3.1.1 QoS/WMM; 3.1.2 Key Renewal Interval); 3.2 The Attack in Details (3.2.1 Client De-Authentication; 3.2.2 Modified Chopchop Attack; 3.2.3 Guessing The Remaining Bytes; 3.2.4 Reversing the MICHAEL Algorithm); 3.3 Limitations; 3.4 Application Areas (3.4.1 ARP Poisoning; 3.4.2 Denial-of-Service); 3.5 Countermeasures
4 An Improved Attack on TKIP: 4.1 The DHCP ACK Message; 4.2 The Attack in Details; 4.3 Application Areas (4.3.1 DHCP DNS Attack; 4.3.2 NAT Traversal Attack)
5 Laboratory Environment: 5.1 Hardware (5.1.1 Computers; 5.1.2 Access Point); 5.2 Software (5.2.1 The Aircrack-ng Suite; 5.2.2 Wireshark; 5.2.3 Command Line Tools)
6 Experiments: 6.1 Preparations for the Attacks; 6.2 Verification of the Original Implementation; 6.3 Modifying tkiptun-ng Into an ARP Poisoning Attack; 6.4 Modifying tkiptun-ng Into a Cryptographic DoS Attack; 6.5 Verification of the Improved Attack; 6.6 Experimentation With Other Systems
7 Results: 7.1 Verification of the Original Attack; 7.2 ARP Poisoning Attack; 7.3 A Cryptographic Denial-of-Service Attack; 7.4 Verification of the Improved Attack; 7.5 Results With Different Configurations (7.5.1 The Original Tkiptun-ng Attack; 7.5.2 Access Points; 7.5.3 Injection on Different QoS Channels; 7.5.4 Forcing DHCP Renewal; 7.5.5 Predictability of DHCP Transaction IDs; 7.5.6 Summary of Experimentation With Other Systems)
8 Discussion: 8.1 Application Areas (8.1.1 The Original Attack; 8.1.2 The Improved Attack); 8.2 Real World Applicability; 8.3 Lessons Learned (8.3.1 Negative Experiences; 8.3.2 Positive Experiences)
9 Further Work: 9.1 Further Improvement of the Attack; 9.2 Obtaining Two-way keystream; 9.3 DHCP DNS Spoofing; 9.4 Fragmentation Attack; 9.5 Key Recovery Attack
10 Conclusion
A Source Code: A.1 Denial-of-Service Attack; A.2 ARP Poisoning Attack; A.3 Improved Attack
B Attached CD-ROM/ZIP-file

List of Figures

2.1 A typical infrastructure based wireless network
2.2 Wireless security timeline
2.3 Construction of expanded WEP MPDU
2.4 WEP encapsulation block diagram
2.5 WEP decapsulation block diagram
2.6 WEP encryption by XOR
2.7 Sequence diagram of Shared Key Authentication
2.8 PTW attack recovers the key
2.9 Success rate of Beck and Tews' new attack on WEP
2.10 Illustration of the Chopchop attack
2.11 Illustration of the fragmentation attack
2.12 TKIP encapsulation block diagram
2.13 TKIP decapsulation block diagram
2.14 Construction of expanded TKIP MPDU
2.15 Authenticator MIC countermeasures
2.16 The client is informed of the MIC countermeasures
2.17 Supplicant MIC countermeasures
2.18 TKIP Pairwise Key Hierarchy
2.19 TKIP Per-Packet Key Mixing
2.20 Expanded CCMP MPDU
2.21 Aircrack-ng successfully cracking a WPA PSK
2.22 A wireless network with two stations
2.23 ARP poisoning attack
2.24 DHCP sequence diagram
2.25 DHCP packet structure
3.1 A flowchart of the attack on TKIP
3.2 Tkiptun-ng successfully decrypts an ARP packet
4.1 An encrypted DHCP ACK packet with 16 unknown bytes
4.2 A flowchart of our improved attack on TKIP
4.3 A sequence diagram showing a DHCP DNS attack and the message exchange after the occurrence of an IP conflict
4.4 Flowchart showing a DHCP DNS attack
4.5 NAT traversal attack using TCP SYN packets
5.1 Screenshot of Wireshark live capture
7.1 A successful completion of the original tkiptun-ng attack
7.2 The STA's ARP Cache before poisoning attack
7.3 The STA's ARP Cache after poisoning attack
7.4 The client is informed of the MIC countermeasures
7.5 Screenshot from the modified attack, showing a DHCP ACK being successfully decrypted
9.1 An illustration of the known and unknown values of the Temporal Key Computation after the attack on TKIP has been performed

List of Tables

2.1 Different wireless protocols of 802.11
2.2 ARP Packet Structure
5.1 Specifications of the victim's computer
5.2 Specifications of the attacker's computer
5.3 Specifications of the access point
5.4 Tools of the Aircrack-ng Suite
6.1 The different STAs used for experimentation
7.1 Summary of experimentation with different systems

List of Algorithms

1 RC4 state vector initialization
2 RC4 state vector initial permutation
3 RC4 S-Box stream generation

Chapter 1 Introduction

Today, wireless networks are so widely deployed that they have become almost ubiquitous. The convenience of installing a wireless network without having to worry about cables outweighs the fact that wireless networks are also prone to become a security risk if not properly configured. Wired Equivalent Privacy (WEP) was developed in order to secure wireless networks and provide security equivalent to the one that could be expected from a wired network. When WEP failed miserably [17, 29, 22, 33] to deliver the required security, the Temporal Key Integrity Protocol (TKIP) was built around WEP to fix its flaws and provide backwards compatibility with older equipment.
Many resources and much money were invested in upgrading old WEP networks to TKIP.

1.1 Motivation

Until recently, TKIP has been considered to be a secure alternative to WEP. Little previous work had been done until Martin Beck and Erik Tews [10], in November 2008, explained in a paper how they had discovered an attack against TKIP. Even though their attack proved to be limited, attacks like these open the door for the security community to discover new and more serious attacks. For this reason, a system with only a small breach should be avoided at any cost and should be considered broken.

Our motivation for this thesis is based on the fact that we believe this is only the beginning in discovering weaknesses in TKIP. Wireless security is an exciting field of study, and we aim to find more weaknesses and new application areas of the attacks on TKIP. We hope that our work may contribute to motivating people to migrate their wireless security protocols to the more secure alternative CCMP. At the same time, we find this a golden opportunity to learn more about network security, C programming, Linux and all other competences that are needed to perform an in-depth cryptanalysis of a security protocol.

1.2 Related Work

There has previously been little research regarding attacks on TKIP. One subject has been apparent for a long time, namely the insecurity of the Message Integrity Code (MIC) used in TKIP, which is based on the Michael algorithm [18]. The fact that the MIC is reversible has led to discussions on the impact it will have on the security of TKIP. The designers of TKIP realized this weakness and consequently implemented the MIC countermeasures.

Our work is primarily related to the work done by Beck and Tews [10, 32]. Their paper from November 2008 [10] describes how a modified version of the Chopchop attack [21] can be executed on a Quality of Service (QoS) or WiFi MultiMedia (WMM) enabled network to obtain keystream for communication from the access point to a station.
Their attack is, in contrast to the previous attacks on WEP, not a key recovery attack. It enables an attacker to inject packets into the network and may thus lead to attacks on the different control protocols of the network.

In addition to the attacks of Beck and Tews, our work can also be related to some of the previous attacks on the WEP protocol. The new attack on TKIP is based on previous attacks on WEP such as the Chopchop attack by KoreK [21]. KoreK discovered a way of obtaining keystream without ever knowing the encryption key. A modified version of this attack is used to attack TKIP. We also feel that it is relevant to relate to all previous attacks on WEP [17, 29, 22, 33, 11], and view these in an evolutionary perspective which has led to more and more sophisticated attacks on the wireless security protocols.

1.3 Problem Description and Goals

The goal for our research is to study the attack by Beck and Tews in detail and look for new application areas. Additionally, we aim to enhance the original attack by Beck and Tews, by looking for other weaknesses in both the TKIP protocol itself, as well as other protocols that are used in wireless networks. Hence, the objectives for this thesis can be summarized as follows:

- Give a detailed explanation of the attack on TKIP
- Present the theory and history of wireless security in detail
- Verify the attack via various tools
- Look for application areas of the attack
- Seek out new weaknesses or enhancements to the attack

1.4 Limitations

Due to limitations in both time and resources, this thesis will focus less on the following:

- Statistical cryptanalysis of the underlying ciphers of the TKIP protocol
- Experimentation and verification with different combinations of hardware and their success rates
- Providing generic code; we will focus on proof-of-concept

1.5 Research Methodology

A research methodology is the formal approach by which research is conducted to achieve the end results. The way research is conducted varies among different sciences.
In computer science, a methodology often refers to software development models such as eXtreme Programming, Agile development, Waterfall, Scrum and more. Even though information security can be considered a subset of computer science, the methodology is often more theoretical.

Our work is classified as cryptanalysis. RFC 4949 [27] defines cryptanalysis as:

    The mathematical science that deals with analysis of a cryptographic system to gain knowledge needed to break or circumvent the protection that the system is designed to provide.

However, this work will not focus on the mathematical science, since much work regarding this has already been done. Examples are the Chopchop attack [21] and several statistical analyses of RC4 [20, 29, 22, 33, 10]. In our research, we will rather use the previous work as a basis for our further cryptanalysis of TKIP, with special emphasis on network protocols.

Denning et al. [13] define three paradigms used in the context of Computer Science: theory, abstraction and design. However, relating our research methodology to such formal paradigms seems unnecessary. Our research will be divided in three. First we will perform a comprehensive study of the related theory. This will provide us with the required knowledge needed to continue with an in-depth analysis, experimentation and enhancement of the previous work by Beck and Tews [10]. Next, we will use experimentation as a tool for verifying the original attack on TKIP. Finally, our own contributions, comprising enhancements and modifications of the original attack on TKIP, will be added.

This way of working could be considered an iterative method. Each new idea will depend on the outcomes of previous experiments. In this way, a chain of iterative events will eventually lead to the final result. When working iteratively, the experiment, or the act of experimenting, is the most essential tool. Rather than following a pre-defined procedure, the iterative method uses experiments to dynamically obtain more knowledge and close in on the result.
This way of working is in direct contrast to what is called a direct method, where a problem is solved with a finite sequence of operations and the procedure is thus predictable.

1.6 Document Structure

This thesis is organized as follows:

Chapter 2: Background presents background theory related to this thesis. This chapter starts with some basic security principles. It then continues by presenting wireless networks and wireless network security in detail, as well as attacks on the various security protocols. The chapter finishes by detailing some network protocols relevant to the work presented later in the thesis.

Chapter 3: The Attack on TKIP details the attack published by Beck and Tews in November 2008. This chapter also explains some limitations of the attack, and countermeasures to prevent it.

Chapter 4: An Improved Attack on TKIP explains the details of an improvement to Beck and Tews' attack made by the authors. This chapter also presents some application areas of this improved attack.

Chapter 5: Laboratory Environment presents the hardware and software environment used in the experiments conducted throughout this thesis.

Chapter 6: Experiments describes the practical experimentation carried out to verify the original attack and our improvements to it.
This chapter also describes our methodology.

Chapter 7: Results presents the findings from our experimentation and research.

Chapter 8: Discussion evaluates the experimentation and results, and discusses some lessons learned during the research.

Chapter 9: Further Work presents some ideas for further work on the topic.

Chapter 10: Conclusion summarizes the main findings of our research, and concludes the thesis.

Additionally, the following appendices are included:

Appendix A: Source Code lists the source code modifications made by the authors to be able to perform various attacks on TKIP.

Appendix B: Attached CD-ROM/ZIP-file lists the contents of the attached CD/ZIP-file.

Chapter 2 Background

This chapter will cover the basic theory that will establish a foundation for the rest of the work in this thesis. First, we will define some general security principles. Next, we will give a basic introduction to wireless networking and wireless security. For historical and evolutionary reasons, we will give a detailed description of the protocols WEP and TKIP, and known attacks on these. This chapter will also cover other protocols that we find essential and relevant in order to understand the attack on TKIP.

2.1 Security Principles

Security, in this context Information Security, is increasingly becoming an everyday issue. Computers and computer networks, especially the Internet, have become a vital part of modern society, and hence the security of these systems is very important. Aspects ranging from the privacy of users to preserving important infrastructure and public services all rely on the security of computer systems and networks.

2.1.1 General Principles

Posthumus et al. split information security into three main principles: Confidentiality, Integrity and Availability [26]. These principles go beyond the technical security implementations and include social and organizational aspects as well.
This section will focus on the general technical principles of security.

Confidentiality

RFC 4949 [27] defines confidentiality as:

    The property that data is not disclosed to system entities unless they have been authorized to know the data.

As an example, if a user logs into a computer system the password must be kept secret to maintain confidentiality. This means that the password should never be sent over a network in cleartext, but also that the user should never store it unprotected or disclose it to other persons. Confidentiality is technically achieved through the use of encryption, which is described in Section 2.1.2. Another aspect of confidentiality when talking about networks is traffic flow confidentiality, which is the protection of information that could be derived from observing network traffic flow [28]. Confidentiality is a key aspect in maintaining the privacy of users.

Integrity

Integrity is defined by Stallings [28] as:

    The assurance that data received is exactly as sent by an authorized entity (i.e. contains no modification, insertion, deletion or replay).

Information integrity can be compromised both intentionally and unintentionally. To detect modification of data, a Message Integrity Code (MIC)¹ is often computed over the data. Any modification of the data will result in a different MIC, which will indicate that the data has been modified. There are many different means of providing integrity, ranging from simple Cyclic Redundancy Checks (CRC) to MICs based on advanced cryptographic hash functions like MD5 or SHA. To be able to fully protect the integrity of the data, the MIC and/or data need to be encrypted. Otherwise, an attacker could simply modify the data and re-compute the MIC correspondingly. If encryption is used, some form of shared secret is needed, i.e. a key.

Simple MICs can only detect minor modifications like for example transmission errors and do not give protection against intentional tampering with the data.
Cryptographic hash functions are designed to detect any change in the data, and it should be computationally infeasible to modify the data without changing the hash value. It should also be impossible for an attacker to replay, or retransmit, previously sent data without triggering some form of replay protection scheme; this is most often achieved through the use of sequence numbers and/or time stamps.

By using an integrity code that takes a secret key as input along with the message, or by encrypting the integrity code, the authenticity of the message will also be protected. By using this method, the receiver can not only verify the integrity of the message, but also the authenticity of the sender, i.e. only an entity that holds the secret key is able to construct a valid code.

¹ In the context of computer networks the term MIC is used instead of the more common MAC (Message Authentication Code), to avoid confusion with MAC addresses.

Availability

Availability is defined in RFC 4949 [27] as:

    The property of a system or a system resource being accessible, or usable or operational upon demand, by an authorized system entity, according to performance specifications for the system.

An information system needs to be accessible to its users when needed. Otherwise it fails to meet its requirements. This property is especially important in computer networks and servers, which serve a large number of users and are a vital part of modern society, e.g. banking systems. The largest intentional threat against availability is Denial-of-Service (DoS) attacks. DoS attacks are typically executed by generating an excessive amount of requests or traffic. This will make legitimate use of the service impossible. Exploitation of protocol weaknesses could also compromise the availability of a system.
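The Integrity discussion above contrasts an unkeyed check (a CRC that anyone can recompute after tampering) with a keyed integrity code, and names sequence numbers as the usual replay protection. The following is an added example, not code from the thesis, that shows all three behaviours side by side; the shared key, message contents and sequence numbers are constructed sample values, and HMAC-SHA256 stands in for "an integrity code that takes a secret key as input".

```python
"""Unkeyed CRC-32 versus a keyed MIC, plus sequence-number replay detection.

Added example, not from the thesis. The shared key, the message contents
and the sequence numbers are constructed sample values.
"""
import hashlib
import hmac
import zlib


def crc_tag(msg: bytes) -> bytes:
    """Unkeyed integrity code: anyone can recompute it over any message."""
    return zlib.crc32(msg).to_bytes(4, "big")


def mic_tag(key: bytes, msg: bytes) -> bytes:
    """Keyed integrity code (HMAC-SHA256): only a key holder can produce it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_crc(msg: bytes, tag: bytes) -> bool:
    return crc_tag(msg) == tag


def verify_mic(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(mic_tag(key, msg), tag)


def forge_crc(new_msg: bytes) -> tuple[bytes, bytes]:
    """Tampering without a key: swap the message and simply recompute the CRC."""
    return new_msg, crc_tag(new_msg)


def forge_mic(new_msg: bytes, old_tag: bytes) -> tuple[bytes, bytes]:
    """Without the key the best a tamperer can do is keep the old tag."""
    return new_msg, old_tag


def protect(key: bytes, seq: int, msg: bytes) -> tuple[int, bytes, bytes]:
    """Sender side: the sequence number is covered by the MIC together with the data."""
    return seq, msg, mic_tag(key, seq.to_bytes(6, "big") + msg)


class Receiver:
    """Accepts a frame only if its MIC verifies and its sequence number is fresh.

    Because the sequence number is bound into the MIC input it cannot be rewritten
    without the key, so a strictly increasing counter rejects replayed frames.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, seq: int, msg: bytes, tag: bytes) -> str:
        if not verify_mic(self.key, seq.to_bytes(6, "big") + msg, tag):
            return "reject: bad MIC"
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        return "accept"


def demo() -> dict:
    key = b"constructed-shared-secret"  # sample key, not a real credential
    original = b"transfer 100 to account 1111"  # constructed message
    altered = b"transfer 100 to account 9999"  # constructed tampered message

    # 1. CRC: the tamperer recomputes the check and the change goes unnoticed.
    crc_msg, crc_t = forge_crc(altered)
    crc_forgery_accepted = verify_crc(crc_msg, crc_t)

    # 2. Keyed MIC: the genuine tag for `original` does not fit `altered`.
    mic_msg, mic_t = forge_mic(altered, mic_tag(key, original))
    mic_forgery_accepted = verify_mic(key, mic_msg, mic_t)

    # 3. Replay: a genuine frame is accepted once, rejected when re-sent,
    #    while a fresh, correctly tagged frame is still accepted.
    rx = Receiver(key)
    frame = protect(key, 1, original)
    first = rx.accept(*frame)
    replayed = rx.accept(*frame)
    later = rx.accept(*protect(key, 2, altered))

    return {
        "crc_forgery_accepted": crc_forgery_accepted,
        "mic_forgery_accepted": mic_forgery_accepted,
        "first": first,
        "replayed": replayed,
        "later": later,
    }


if __name__ == "__main__":
    print(demo())
```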
Availability is achieved through the use of physical redundancy and safety, and proper management and control of system resources [28].

2.1.2 Encryption techniques

Encryption is one of the basic techniques in information security, and is the main technique used to maintain confidentiality in communications. An encryption scheme takes some plaintext and a key as input, and outputs a seemingly random output called the ciphertext. It should be computationally infeasible to obtain the plaintext from the ciphertext without knowledge of the key. The only way to obtain the plaintext would be to try every possible key, i.e. brute force, or to exploit some weakness in the encryption algorithm or the protocols using it.

It is common to divide encryption into two different types: symmetric and asymmetric encryption [28]. The main difference between the two types is that while a symmetric cipher uses the same key for encryption and decryption, asymmetric ciphers have two keys, one for encryption and one for decryption. These keys are, in the case of public-key encryption, referred to as the public and private key respectively.

Symmetric ciphers are further divided into two main categories, block ciphers and stream ciphers. The most common scheme, the block cipher, always treats a block of data at a time, and outputs blocks of equal size. The de facto standard block cipher used today is the Advanced Encryption Standard (AES²), which is also used in the newer wireless network security standards. The use of AES in wireless security is further discussed in Section 2.7.

The other type of symmetric encryption is the stream cipher, which works on one byte or bit at a time, as opposed to a block of data in block ciphers. This type of cipher typically has a very simple structure. Encryption works by taking a pseudorandom keystream and XORing it with the plaintext to make the ciphertext. Decryption works the same way; the ciphertext is XORed with the same keystream to produce the original plaintext.
This is due to the properties of the exclusive-or (XOR, ⊕) logical operation, which is symmetrical. This means that if

    A ⊕ B = C, then B ⊕ C = A and C ⊕ A = B.

Put another way, if one knows two of the operands the third can be obtained from the first two. For stream ciphers this means that the keystream is required to encrypt and decrypt messages, but also that the keystream can be obtained if both the plaintext and the ciphertext are known. The pseudorandom keystream is generated from a key, and should be unpredictable without the knowledge of this key [28].

The RC4 cipher is an example of a stream cipher, and is the cipher used in the Wired Equivalent Privacy (WEP) security standard for wireless networks. RC4 was designed in 1987 by Ron Rivest for RSA Security, and is a variable key-size stream cipher that operates on bytes [28]. Several weaknesses in both WEP and RC4 have been discovered [17, 29]. WEP and RC4 are discussed further in Section 2.4.

² AES is based on the Rijndael cipher developed by Joan Daemen and Vincent Rijmen [14].

2.1.3 Authentication and Authorization

When a user accesses an information system, the system needs to know who the user is and what the user should have access to. It might also be necessary for the system to prove its identity to the user. In other words, some form of authentication and authorization is needed. Authentication is defined in RFC 4949 [27] as:

    The process of verifying a claim that a system entity or system resource has a certain attribute value.

This attribute can be anything, for instance a claimed identity. Authentication consists of two steps [27]: first the claimed attribute is presented to the system, and secondly some form of evidence is presented to prove this claim. This could be a value signed with a private key or a shared secret key.

When an entity has been authenticated, the system will determine what resources this entity should be able to access. This activity is referred to as authorization.
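The XOR relations and the RC4 stream cipher from Section 2.1.2 are the foundation for every keystream-recovery attack discussed later in the thesis, so the following added example (not code from the thesis) makes them concrete: RC4 is implemented from its public description, a known plaintext/ciphertext pair yields the keystream with no knowledge of the key, and a second message encrypted with the same keystream is then readable. The key and both messages are constructed sample values.

```python
"""Stream-cipher XOR property: keystream recovery from a known plaintext/ciphertext pair.

Added example, not from the thesis. RC4 follows the public algorithm description;
the key and the two messages are constructed sample values for illustration.
"""
from collections.abc import Iterator


def rc4_ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: permute the 256-byte state using the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 pseudo-random generation algorithm: yields keystream bytes indefinitely."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def keystream_bytes(key: bytes, n: int) -> bytes:
    gen = rc4_keystream(key)
    return bytes(next(gen) for _ in range(n))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise A xor B for equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse) with RC4 keystream."""
    return xor_bytes(data, keystream_bytes(key, len(data)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """C xor A = B: the keystream falls out of a known plaintext/ciphertext pair."""
    return xor_bytes(plaintext, ciphertext)


def demo() -> dict:
    key = b"constructed-demo-key"  # sample key, not a real credential
    known_pt = b"ARP request: who-has 192.0.2.1"  # constructed, assumed known to an observer
    other_pt = b"secret payload, same key!!!!!!"  # constructed second message, same length

    c1 = stream_encrypt(key, known_pt)
    c2 = stream_encrypt(key, other_pt)  # same key => identical keystream reused

    # An observer who knows known_pt recovers the keystream without the key ...
    ks = recover_keystream(known_pt, c1)
    # ... and that keystream decrypts any other message that reused it.
    n = min(len(c2), len(ks))
    leaked = xor_bytes(c2[:n], ks[:n])

    return {
        "keystream_matches": ks == keystream_bytes(key, len(known_pt)),
        "round_trip_ok": stream_encrypt(key, c1) == known_pt,
        "leaked": leaked,
    }


if __name__ == "__main__":
    print(demo())
```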
Authorization is defined in RFC 4949 [27] as:

    An approval that is granted to a system entity to access a system resource.

Authentication does not imply authorization; it could be the case that a user is authenticated but is not authorized to e.g. view a specific document or file.

2.1.4 Attacks

Attacks, in the context of network security, can be classified in two main classes, active and passive, as defined by RFC 4949 [27]. Passive attacks imply that the attacker does not generate traffic or interfere with the network, and typically take the form of eavesdropping on an information stream. Such attacks could compromise the confidentiality of the information if no protection scheme is used. Another form of passive attack is traffic analysis, where the actual contents of the information are not obtained, but some information could be derived or guessed by analyzing communication patterns.

An active attack involves some form of interaction with the information stream. Stallings [28] defines four categories of active attacks: masquerade, replay, modification of messages and Denial-of-Service. A masquerade attack is when an entity pretends to be a different entity. This can be accomplished by for instance changing the Internet Protocol (IP) or Media Access Control (MAC) address to an address that is authorized by the system. A replay attack is executed by passively capturing traffic and then replaying it into the network. For instance, a replay attack against an insecure credit card transaction can cause additional funds to be transferred. Modification of messages, or a message modification attack, can vary from reordering or delaying messages to actually modifying or deleting the message itself. In a credit card transaction this could for instance be to alter the receiving bank account number. The fourth active attack is the Denial-of-Service (DoS) attack. DoS attacks prevent the normal or intended use of a system; in other words, it is an attack against the availability of a system.
This could be accomplished by for instance generating large amounts of bogus traffic to overload a system [28].

2.2 IEEE 802.11 Wireless Networks

In 1997, the Institute of Electrical and Electronics Engineers (IEEE) released their first standard for wireless local area networks (WLAN), called 802.11 [1]. This standard was further revised in 1999 [2]. Today, the working standard is the 2007 version [5]. All earlier versions of the standard are marked as archived, and are thus considered to be obsolete. The IEEE 802.11 standard is a collection of specifications, which defines most aspects of wireless communication, comprising physical layers and data-link layers as well as security protocols.

2.2.1 General Description

A wireless network is somewhat different from a wired Ethernet network, where an address represents a physical location. In a wireless network, signals are transmitted to stations with a specific address, which is independent of their location within the network. Signals are transmitted between stations (STA) on channels, which are pre-defined divisions of the electromagnetic spectrum where the transmission protocol operates. Even though signals are directed to a specific STA, they are still broadcast into the air for anyone to read. Thus, a wireless network is referred to as a shared medium, in comparison to switched wired networks where traffic is electronically switched to reach a specific address. One should note that the term shared medium can also be used to describe older wired networks with a hub or a token ring topology.

Even though there are clear physical differences between wired and wireless networks, they need to be able to intercommunicate. Hence, the IEEE 802.11 standard requires the wireless networks to appear to higher layers (i.e. the logical link control layer, LLC) as a regular 802 LAN.
To achieve this, the layers below the MAC layer must be able to handle operations specific to wireless networks, such as station mobility.

2.2.2 Structure of Wireless Networks

The 802.11 standard describes two types of wireless networks: ad hoc and infrastructure.

In an ad hoc network (also referred to as an Independent Basic Service Set (IBSS)), there is a flat hierarchy of stations (STA), all communicating directly with each other without any defined infrastructure or hierarchy. Although this might be convenient in many situations, this type of wireless network structure is less used.

The infrastructure network is the most common structure of wireless networks. The basic building block of an infrastructure wireless network is the Basic Service Set (BSS). A BSS is the area consisting of an Access Point (AP) with the surrounding STAs associated with the AP. An AP differs from a STA by being able to communicate with the Distribution System (DS). A DS is the architectural component used to interconnect BSSs. In more common terms, the DS can be considered to be a regular 802 LAN. Figure 2.1 shows a typical infrastructure wireless network.

[Figure 2.1: A typical infrastructure based wireless network. Two BSSs (BSS1 and BSS2), each consisting of an AP with three associated STAs, are interconnected through the DS.]

Wireless networks are addressed and identified by their Service Set Identifiers. Every AP has its own unique identifier called a Basic Service Set Identifier (BSSID). It has the same form as a 48-bit IEEE 802 MAC address used in wired networks. The BSSID is thus used for direct communication between AP and STAs and is included as a part of the 802.11 MAC headers. In addition to the BSSID, there is a field called a Service Set Identifier (SSID), which is a part of the frame body of the management frames. The SSID is a variable length field of 0 to 32 octets that represents a human readable identifier for the network. E.g., a Linksys AP would by default apply the text string "linksys" for the SSID.

In cases where there is more than one access point connected to a DS, the SSID field is used to contain the ESSID.
The extended service set (ESS) is a system where more than one AP gives access to the same system. An example of this could be the public WLAN at a campus, where the ESSID (i.e. the name of the network) remains the same regardless of the location of the STA. In such a setting, each AP has its own unique BSSID, which makes them distinguishable from one another, and at the same time they share an ESSID such that STAs can recognize them as the same network.

2.2.3 History

Since the release of IEEE 802.11 in 1997, there have been two major revisions of the standard; in 1999 and 2007. In between the main revisions of the IEEE 802.11 standard, many 802.11 amendments have been added as supplements to the standard. These amendments comprise both security protocols such as 802.11i and QoS protocols such as 802.11e.

IEEE 802.11 1997

The first standard of IEEE 802.11 was released in 1997 [1]. It described how stations could communicate over the 2.4 GHz spectrum with data rates of 2 Mbit/s and lower. Additionally, a less popular infrared option was described. In addition to the physical specifications, the IEEE 802.11 standard of 1997 introduced a security protocol called Wired Equivalent Privacy (WEP) (further described in Section 2.4). As the name suggests, it aimed to provide the same level of security as one should expect from a regular 802 wired network.

IEEE 802.11 1999

In 1999, a revision of the original IEEE 802.11 standard of 1997 was released [2]. Additionally, two new amendments to the IEEE 802.11 standard were added, namely the 802.11a and the 802.11b amendments. These two new amendments did not introduce any new security protocols; they rather introduced new and higher bit rates for wireless communication. The IEEE 802.11a protocol operated at 54 Mbit/s in the 5 GHz band, while the IEEE 802.11b protocol operated at 11 Mbit/s in the 2.4 GHz band.
From a security perspective, this is a relevant advancement, as with higher bit rates more packets are transferred per time unit, which makes it easier to perform statistical attacks on the security protocols (more examples in Section 2.5).

IEEE 802.11g 2003

In 2003, the IEEE 802.11g amendment to the IEEE 802.11 standard was released [4]. Like IEEE 802.11a and IEEE 802.11b, the 802.11g amendment does not introduce any new security protocols; it defines new transmission rates up to 54 Mbit/s in the 2.4 GHz spectrum. This was the same speed as the older IEEE 802.11a protocol achieved in the 5 GHz band. The new 802.11g protocol was backwards compatible with the 802.11b protocol in order to ease the transition. Today, the IEEE 802.11g protocol is one of the most used protocols in wireless networks.

IEEE 802.11i

As a part of enhancing the security of IEEE 802.11 networks, the IEEE 802.11i task force was established. In 2004, the IEEE 802.11i [5] amendment was released, which is further explained in Section 2.3.1.

IEEE 802.11e

In 2005, another amendment called IEEE 802.11e was submitted. It defines Quality of Service enhancements for wireless networks. The attack on TKIP requires QoS to be enabled, and hence 802.11e is further detailed in Section 2.9.

IEEE 802.11n

The IEEE 802.11n amendment should also be mentioned, as it significantly enhances the transmission rates of wireless networks.
Even though it is still a draft standard (early 2009), several manufacturers have already implemented it in new equipment.

2.2.4 IEEE 802.11 Transmission Protocols Roundup

The table below shows an overview of the different transmission protocols of IEEE 802.11.

    Protocol   Release Date    Frequency          Max data rate
    802.11a    October 1999    5 GHz              54 Mbit/s
    802.11b    October 1999    2.4 GHz            11 Mbit/s
    802.11g    June 2003       2.4 GHz            54 Mbit/s
    802.11n    Draft (2009)    5 GHz / 2.4 GHz    600 Mbit/s

Table 2.1: Different wireless protocols of 802.11

2.3 Wireless Security

Due to the steady increase in both reliability and performance, the deployment of wireless networks is increasing in both home and business environments. The convenience of avoiding the physical infrastructure of a wired network often makes wireless networks favorable over wired networks. Wireless networks are, due to their nature, more prone to security threats than wired networks. In a wired network, computers are connected through wires, and hence it is easy for the administrator to control who is allowed to access this trusted zone.

In a wireless network, however, traffic propagates in any direction over the air, and can be easily captured by a wireless interface within range on the correct channel. For that reason, if a wireless network is not protected, one should assume that everything that is being sent could be read by anyone. To protect the information one needs to apply encryption. If anyone can see the transmitted data, one has to make sure it is useless to them unless they are in possession of some shared secret; namely a key.

2.3.1 IEEE 802.11 Security Protocols

There exists much confusion and misinterpretation of the abbreviations of the security protocols available in wireless networks. In this section a historical overview of the security protocols of IEEE 802.11 will be given in order to clear up some of the confusion.

Over the years, the development of wireless security protocols has been a race between the IEEE (the standardization committee) and the WiFi Alliance (the industry).
In 1997, Wired Equivalent Privacy (WEP) (further explained in Section 2.4) became a part of the IEEE 802.11 standard. It aimed to provide security equivalent to the one you should get in a wired network. In 2001, WEP could no longer be considered secure after being proved to be completely broken [17, 29].

[Figure 2.2: A timeline of the development of wireless security compared with the development of attacks and discoveries of vulnerabilities. Events shown: Nov 1997, IEEE: WEP; Jan 2001, Borisov, Goldberg & Wagner: Intercepting Mobile Communications: The Insecurity of 802.11; 2001, Fluhrer, Mantin & Shamir: Weaknesses in the key scheduling algorithm of RC4; 2001, IEEE: 802.11i task group established; Aug 2001, Fluhrer, Mantin & Shamir: FMS attack; 2003, Wi-Fi Alliance: introduces WPA; June 2004, IEEE: 802.11i is ratified; Sep 2004, KoreK: ChopChop attack and attack on WEP; 2005, Andreas Klein: Attacks on the RC4 stream cipher; Sep 2005, Andrea Bittau: The Fragmentation Attack in Practice; 2007, Tews, Weinmann & Pyshkin: PTW attack; Nov 2008, Tews & Beck: Practical attacks against WEP and WPA.]

To cope with the weaknesses in WEP, the IEEE established the 802.11i task group. The WiFi Alliance became restless with the time consuming process of the IEEE to establish an 802.11i standard, resulting in the development of WiFi Protected Access (WPA), which was released by the WiFi Alliance in 2003. The WPA standard has two modes, one running the Temporal Key Integrity Protocol (TKIP) and another optional mode running the Advanced Encryption Standard (AES), which are further explained in Sections 2.6 and 2.7 respectively. Both of these were developed on the basis of the work done by the 802.11i task group at the time.

In 2004, the IEEE 802.11i task group finished their work on the 802.11i security standard. The standard was coined Robust Security Network (RSN) by the IEEE. RSN included two modes: TKIP (an improved extension of WEP) and the Counter Mode CBC-MAC Protocol (CCMP) (footnote 3) with AES encryption.
By then, the WPA brand (by the WiFi Alliance) was well established in access points and routers, and hence the RSN standard was given the name WPA2 by the WiFi Alliance. A timeline of the development of security protocols is displayed in Figure 2.2.

2.4 Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) was the security standard implemented in the first 802.11 wireless LAN networks. The security of WEP has been thoroughly broken [17, 29], and the standard has been deprecated ever since the introduction of WPA and 802.11i [5]. Even though TKIP is the main subject of this thesis, TKIP is built around WEP and thus inherits many of its features as well as flaws. Hence, we feel it appropriate and relevant to give this detailed description of WEP. This section will give an overview of the history, background and technical details of WEP as well as its weaknesses. The next section will explain the various attacks against WEP, of which some can be adopted to attack TKIP.

2.4.1 History

As the name indicates, WEP was only intended to give Wired Equivalent Privacy, in other words the same confidentiality as provided by a wired network. A normal wired network provides no confidentiality at the data link layer, and all traffic is sent unencrypted as long as no higher layer encryption is used. The only protection at this layer is the physical protection that keeps someone from plugging a network cable into the network equipment. As mentioned in Section 2.3, wireless networks are implicitly more vulnerable than their wired counterparts. Anyone with a radio antenna and a wireless network card can eavesdrop on the data and also potentially gain network access.

It is obvious that wireless networks need additional protection, both from loss of confidentiality and from unauthorized network access. The IEEE introduced WEP in the 802.11 1997 standard. As the popularity of wireless networks increased, it attracted the attention of the cryptographic community.
Already in 2001, several weaknesses were discovered, and tools to crack WEP in a short time with a personal computer became freely available on the Internet [16, 17, 7].

It should be noted that WEP was only designed to be "reasonably strong" [1], and the designers also had to make sure it was compliant with the strong U.S. export regulations on cryptography at the time. The protocol was also designed to be self-synchronizing, efficient, and implementable in both hardware and software [1]. The self-synchronizing property necessitates that every packet is encrypted separately, and therefore can be decrypted separately without any dependence on previous packets. This property is very important in wireless networks, which are prone to packet loss, because a single dropped packet would otherwise require some form of resynchronization [16].

Footnote 3: Fully extended, the abbreviation CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol.

2.4.2 Protocol Overview

The construction of the WEP MPDU (MAC Protocol Data Unit) can be seen in Figure 2.3. The MPDU consists of three main parts: the actual message or Data, an Integrity Check Value (ICV) and the Initialization Vector (IV). This MPDU is further encapsulated in an 802.11 header. In WEP, only the actual message data and the ICV are encrypted. The IV and the 802.11 headers are sent in the clear. The ICV consists of a 32-bit CRC-32 value, further detailed in Section 2.4.5, which is added to verify the integrity of the packet. The IV field is also 32 bits in length. It consists of the 24-bit IV, a 2-bit Key ID subfield and 6 bits of padding [5]. The 24-bit IV is used in combination with the shared secret key as input to the RC4 encryption algorithm, and the Key ID subfield indicates which secret key, out of four possible, was used to encrypt the packet. The details of RC4 are given in Section 2.4.4.

WEP uses a 40-bit key for encryption; the reason for this small key is the mentioned U.S. restrictions on export of cryptography.
After these restrictions were lifted, some vendors implemented a 104-bit version, called WEP-104, which tremendously increased the effort required to complete a brute-force attack. The cryptographic encapsulation and decapsulation is identical whether a 40 or 104-bit key is used, and hence WEP can refer to either version. In addition to the versions described by the IEEE 802.11 standard, some vendor specific implementations have also been suggested. One example is WEPplus by Agere Systems, which avoids using the weak IVs that exist in WEP. Another example is Dynamic WEP, which dynamically changes WEP keys. Such proprietary systems were never fully compatible with the IEEE 802.11 WEP standard.

[Figure 2.3: Construction of expanded WEP MPDU [5]. Sizes in octets: IV (4), Data (>= 1), ICV (4); Data and ICV are encrypted. The 4-octet IV field consists of the 3-octet initialization vector, 6 bits of padding and the 2-bit Key ID.]

A block diagram depicting the WEP encapsulation can be seen in Figure 2.4. Starting at the top of the figure, the IV is added to the beginning of the packet, and also concatenated with the WEP Key. This concatenation of the IV and WEP Key is then used to feed the RC4 pseudorandom number generator (PRNG), and produce the pseudorandom keystream used for encryption.

[Figure 2.4: WEP encapsulation block diagram [5]. The Initialization Vector (IV) concatenated (||) with the WEP Key forms the Seed for the RC4 PRNG, which outputs the Key Stream. The Plaintext Message is passed through CRC-32 to produce the Integrity Check Value (ICV); Message || ICV is XORed with the Key Stream to give the Ciphertext, which is prefixed with the IV.]

The message is first put through a CRC-32 algorithm to produce the ICV. The ICV is then concatenated to the message. The resulting data is then XORed with the pseudorandom keystream to produce the encrypted ciphertext and added to the final WEP packet; this is illustrated in Figure 2.6. The final WEP encapsulated packet will then contain the plaintext IV, followed by the encrypted message and ICV.

[Figure 2.5: WEP decapsulation block diagram [5]. IV || WEP Key forms the Seed for the RC4 PRNG; the Key Stream is XORed with the Ciphertext to give the Message and ICV; the Message is passed through the integrity algorithm to give ICV', and the check ICV' = ICV? is performed.]

The WEP decapsulation can be seen in Figure 2.5.
It is similar to a reverse WEP encapsulation, with only minor differences, as will be explained. The procedure starts with the concatenation of the WEP key with the IV. This value is then used as input to the RC4 PRNG to produce the keystream. Next, the ciphertext is XORed with the keystream to produce the decrypted message and ICV. The message is then put through the CRC-32 algorithm to produce another value, ICV'. The ICV and ICV' are then compared to check if there has been some form of integrity loss or message tampering. If the ICVs match, the packet is passed on in the system, otherwise it is discarded.

[Figure 2.6: WEP encryption using the keystream generated by RC4 XORed with the plaintext. RC4 is seeded with IV + key; the three 8-bit rows shown (11010010, 01100100 and 10110110) are the keystream, the plaintext and the ciphertext, each being the XOR of the other two.]

2.4.3 Authentication

Before any communication can take place between a station and the network, the station needs to authenticate to become associated with the network. WEP supports two types of authentication: Open System authentication and Shared Key authentication [16]. The Open System authentication is actually a null authentication algorithm [5], which means that any STA can authenticate if the AP is set to Open System Authentication. This protocol simply consists of a Request and a Success message, and there is no actual authentication taking place.

The Shared Key authentication offers a one-way authentication, as opposed to mutual authentication. The STA authenticates with the AP, but the AP never authenticates with the STA. Only STAs that know the secret key are able to successfully authenticate with the AP. This protocol consists of a four-way handshake, and is initiated by the STA sending an Authentication request. A sequence diagram of the authentication can be seen in Figure 2.7. The AP will then respond with a challenge, which contains a 128-octet message generated by the WEP PRNG. When the STA receives this challenge, the 128 octets are encrypted using WEP with the secret shared key and sent back to the AP. When the AP receives this message it is decapsulated and the ICV is checked.
If this check is successful, the decrypted contents are compared with the challenge previously sent. If these match, the AP knows that the STA knows the shared key and sends an authentication success message.

[Figure 2.7: Sequence diagram of Shared Key Authentication. STA (Requestor) -> AP (Responder): #1 Authentication Request; AP -> STA: #2 Authentication Challenge; STA -> AP: #3 Authentication Response; AP -> STA: #4 Authentication Result.]

Even though this method of authentication may seem to be more secure than the Open System Authentication, it has some severe weaknesses, which are described in Section 2.4.7. The Shared Key authentication is deprecated, and if WEP (which is also deprecated) is used, only Open System authentication should be enabled.

2.4.4 Pseudorandom Number Generator - RC4

WEP makes use of the RC4 pseudorandom number generator for encryption. The algorithm is actually referred to as ARC4 (Alleged RC4) in the IEEE 802.11 standard [5], because the owner of the algorithm, RSA Security, has never actually published the details of it. The source code of RC4 was anonymously posted on an Internet mailing list in 1994 [9]. RC4 is a stream cipher, which means it operates on the byte level, as opposed to a block cipher, which operates on blocks of several bytes. Various encryption techniques were discussed in more detail in Section 2.1.2.

RC4 takes a variable size (1 to 256 bytes) key, or seed, as input and produces a pseudorandom stream of bytes. In WEP this key is 64 or 128 bits: the 24-bit IV concatenated with the 40 or 104-bit shared key. To encrypt data, the generated stream of pseudorandom bytes is XORed with the plaintext to construct the ciphertext. Decryption works the same way, because XOR is a symmetric operation: the ciphertext is XORed with the same stream of pseudorandom bytes to produce the plaintext.

The RC4 algorithm is surprisingly simple, and can be easily explained. RC4 operates on a 256-byte state vector S, which contains a permutation of all 256 possible 8-bit values. This state vector is first initialized to contain all the values in ascending order.
A 256-byte temporary vector T is also created, which contains the key K. If the key is smaller than 256 bytes, the key is simply repeated until the vector is filled. This initialization is described in Algorithm 1.

Algorithm 1: RC4 state vector initialization [28]
    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];
    end for

The next step is to use the temporary vector, T, to produce an initial permutation of the state vector, S. This is done by swapping two bytes in S according to a procedure given by T. Since the only operation done on S is swapping of bytes, S will still contain a permutation of all 256 8-bit values. The algorithm for the initial permutation of S is given in Algorithm 2.

Algorithm 2: RC4 state vector initial permutation [28]
    j = 0;
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256;
        Swap(S[i], S[j]);
    end for

When the initial permutation is complete, the key and the temporary vector are never used again. The keystream is generated one byte at a time by swapping bytes of S, based on its own state. Next, a byte k is selected for the keystream. This procedure is given in Algorithm 3.

Algorithm 3: RC4 S-Box stream generation [28]
    i, j = 0;
    while true do
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        Swap(S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        k = S[t];
    end while

RC4, and especially the way WEP uses it, has some weaknesses. These weaknesses will be discussed in Section 2.4.7.

2.4.5 Integrity Check Value - CRC-32

The ICV field of the WEP MPDU consists of a 32-bit Cyclic Redundancy Check (CRC-32) value. A CRC value is computed on the message to verify the integrity of the received data, i.e. to confirm that no intentional or unintentional modification of the data has taken place. If this value were to be sent unencrypted, an attacker could simply modify the message and re-compute the CRC, but WEP encrypts both the message and the ICV to avoid this. But as shall be described in Section 2.4.7, CRC has some properties that make it vulnerable to attacks. This vulnerability resulted in the Chopchop attack (Section 2.5.5), which is an essential part of the attack on TKIP.
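As an added illustration of Algorithms 1 to 3 and of the WEP encapsulation of Section 2.4.2 (this is example code written for this text, not the thesis's or the standard's own implementation), the following Python implements RC4 from the algorithms above, builds a WEP MPDU with IV || key as the RC4 seed and a CRC-32 ICV, and shows the XOR property from Section 2.1.2: with a known plaintext, the keystream for that IV falls out of the ciphertext. The key, IV and message are constructed sample values, and the ICV is assumed to be transmitted least significant octet first.

```python
"""RC4 (Algorithms 1-3) plus WEP-style encapsulation; added example, not the
thesis's code. Key, IV and message values below are constructed samples."""
import zlib


def rc4_ksa(key: bytes) -> list:
    """Algorithms 1 and 2: fill S and T, then permute S under control of T."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]  # key repeated to 256 bytes
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Algorithm 3: produce `length` keystream bytes from the permuted S."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(key: bytes, iv: bytes, msg: bytes, key_id: int = 0) -> bytes:
    """Section 2.4.2: 4-octet IV field (3-octet IV, 6 pad bits, 2-bit Key ID in
    the top bits of the 4th octet) followed by RC4_{IV||key}(msg || ICV).
    ICV = CRC-32(msg), assumed here to be sent least significant octet first."""
    assert len(iv) == 3 and len(key) in (5, 13)   # WEP-40 or WEP-104
    icv = zlib.crc32(msg).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key, len(msg) + 4)  # seed = IV || shared key
    return iv + bytes([(key_id & 3) << 6]) + xor(msg + icv, keystream)


def wep_decapsulate(key: bytes, frame: bytes):
    """Section 2.4.2 in reverse: returns the message, or None if ICV' != ICV."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    msg, icv = plain[:-4], plain[-4:]
    if zlib.crc32(msg).to_bytes(4, "little") != icv:
        return None                                   # integrity check failed
    return msg


def recover_keystream(known_plaintext: bytes, frame: bytes) -> bytes:
    """Section 2.1.2: if plaintext and ciphertext are both known, the keystream
    for this IV is their XOR. Any predictable packet content leaks it."""
    return xor(known_plaintext, frame[4:4 + len(known_plaintext)])


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")        # constructed 24-bit IV
    msg = b"hello wireless world"       # constructed plaintext
    frame = wep_encapsulate(key, iv, msg)
    assert wep_decapsulate(key, frame) == msg
    assert recover_keystream(msg, frame) == rc4_keystream(iv + key, len(msg))
```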
Hence, we feel it appropriate to explain the CRC-32 function in some greater detail.

The CRC algorithm consists of two elements, the input and the polynomial (a fixed divisor) [35]. The number 32 in the name CRC-32 indicates the width (W) of the polynomial (footnote 4). In the case of WEP, the polynomial is a fixed 33-bit binary number. IEEE 802.11 [5] defines this polynomial as:

$G(x) = x^{32} + x^{26} + x^{23} + x^{22} + x^{16} + x^{12} + x^{11} + x^{10} + x^{8} + x^{7} + x^{5} + x^{4} + x^{2} + x + 1$

The calculation of the CRC checksum works by performing several divisions of the input by the polynomial. It starts by appending W zeroes to the input. Next, the polynomial is placed under the leftmost side of the input. If the input bit above the leftmost polynomial bit is 1, an XOR operation between the input and the polynomial is performed, followed by a one bit right shift of the polynomial. If the input bit above the leftmost polynomial bit is 0, no XOR operation is performed, only the one bit right shift of the polynomial. This process is repeated until the polynomial is shifted all the way to the rightmost bit of the input. Then, a resulting W-bit remainder called the CRC checksum will remain.

Footnote 4: The polynomial width is n - 1, where n is the total number of bits.

As a simple example we'll use a polynomial of W = 4 [35].

    Original message: 1101011011
    Polynomial:       10011

After the first iteration:

    11010110110000
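The long division just described, carried out in code on the same W = 4 example, together with the CRC-32 that the WEP ICV actually uses (same G(x), but in the reflected, preset-to-ones, complemented form shared with Ethernet and zlib); this is an added example, not code from the thesis or from [35]. It also checks the XOR-linearity of the CRC, which is the structural reason a CRC detects random errors but cannot serve as a message authentication code.

```python
"""CRC long division (Section 2.4.5) and the CRC-32 behind the WEP ICV.
Added example; the W = 4 message/polynomial pair is the one given in the text."""
import zlib

# G(x) from IEEE 802.11 as a 33-bit integer: x^32 + x^26 + ... + x + 1.
G_X = 0x104C11DB7


def crc_remainder(message_bits: str, poly_bits: str) -> str:
    """Bit-by-bit long division exactly as the text describes: append W zeros,
    slide the polynomial under the input, XOR wherever the input bit above
    the polynomial's leading 1 is set, return the W-bit remainder."""
    W = len(poly_bits) - 1
    reg = [int(b) for b in message_bits + "0" * W]
    poly = [int(b) for b in poly_bits]
    for pos in range(len(message_bits)):   # every position the polynomial visits
        if reg[pos] == 1:
            for k in range(len(poly)):
                reg[pos + k] ^= poly[k]
    return "".join(str(b) for b in reg[-W:])


def crc32_ieee(data: bytes) -> int:
    """The CRC-32 used as the WEP ICV: G(x) in reflected form (bits processed
    LSB first), register preset to all ones and the result complemented,
    i.e. the same CRC-32 as the Ethernet FCS and zlib.crc32."""
    reflected_poly = int(f"{G_X & 0xFFFFFFFF:032b}"[::-1], 2)   # 0xEDB88320
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ reflected_poly if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC is linear over XOR for equal-length inputs:
       crc(a ^ b) == crc(a) ^ crc(b) ^ crc(00..0)
    So any change to the message maps to a predictable change of the CRC,
    which is why an encrypted CRC gives no protection against deliberate
    modification and a keyed MAC is required instead."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    lhs = crc32_ieee(bytes(x ^ y for x, y in zip(a, b)))
    return lhs == crc32_ieee(a) ^ crc32_ieee(b) ^ crc32_ieee(zeros)


if __name__ == "__main__":
    print(crc_remainder("1101011011", "10011"))     # the text's example -> 1110
    print(hex(crc32_ieee(b"123456789")))            # standard check value 0xcbf43926
    assert crc32_ieee(b"123456789") == zlib.crc32(b"123456789")
    print(crc_is_affine(b"hello wireless", b"HELLO WIRELESS"))   # True
```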