Cryptanalysis of IEEE 802.11i TKIP Finn Michael Halvorsen Olav Haugen Master of Science in Communication Technology Submission date: June 2009 Supervisor: Stig Frode Mjølsnes, ITEM Co-supervisor: Martin Eian, ITEM Norwegian University of Science and Technology Department of Telematics Problem Description A new vulnerability in the Temporal Key Integrity Protocol (TKIP) defined in 802.11i [1] was recently discovered and published in [2]. Verification and further analysis on this vulnerability is needed. The students will give a detailed explanation of the attack, followed by experimental verification via various tools. The severeness of the attack and application areas should be discussed. If it is possible and if time permits, the students will also look for other weaknesses in the TKIP protocol that may lead to other attacks. [1] http://standards.ieee.org/getieee802/download/802.11i-2004.pdf [2] http://dl.aircrack-ng.org/breakingwepandwpa.pdf Assignment given: 14. January 2009 Supervisor: Stig Frode Mjølsnes, ITEM Abstract The Temporal Key Integrity Protocol (TKIP) was created to fix the weak- nesses of Wired Equivalent Privacy (WEP). Up until November 2008, TKIP was believed to be a secure alternative to WEP, although some weak points were known. In November 2008, the German researchers Martin Beck and Erik Tews released a paper titled Practical Attacks Against WEP and WPA [10]. This paper introduced the first practical cryptographic attack on TKIP. This thesis continues the work of Beck and Tews, and presents an im- proved attack as an advancement of their original attack. The thesis starts by giving a comprehensive study of the current state of wireless network and security protocols. Next, a detailed description of Beck and Tews’ attack will be given. The main contribution in this thesis is an improvement of Beck and Tews’ attack on TKIP. This improved attack is able to obtain more than ten times the amount of keystream than the original attack, by exploiting the fact that the Dynamic Host Configuration Protocol (DHCP) contains large amounts of known plaintext. Additionally, the authors prove how it is possible to modify the original attack on TKIP to be able to perform an Address Resolution Protocol (ARP) poisoning attack and a cryptographic Denial-of-Service (DoS) attack. In addition to these theoretical results, the contributions made by the authors were implemented as extensions to the source code provided by Beck and Tews. Experimental verification of the attacks was also performed; this included the original attack by Beck and Tews, as well as our own contributions. i ii Preface This report is the final result of the Master’s Thesis in Information Security, conducted in the 10th semester of the Master’s Programme in Communi- cation Technology at The Norwegian University of Science and Technology, NTNU. The assignment was given by Martin Eian at the Department of Telematics, NTNU. Conducting research on the cutting edge of information security has been a challenging and demanding task. The authors were required to produce new and novel enhancements to existing attacks. On the other hand, being able to make new discoveries has been very motivating and exciting. Es- pecially the use of practical experimentation made the research a fulfilling experience. We would like to thank our supervisor Martin Eian for his continuous feedback and support. Additionally, we would also like to thank professor Stig F. Mjølsnes and the Department of Telematics for giving us the oppor- tunity to write this thesis. As a result of this thesis, a paper was submitted to the NordSec Conference. We would like to thank Stig F. for the support regarding the process of writing this paper. Trondheim, June 2009 Finn Michael Halvorsen Olav Haugen iii iv Acronyms AES Advanced Encryption Standard AP Access point ARC4 Alleged RC4 BOOTP Bootstrap Protocol BSSID Basic Service Set Identifier BSS Basic Service Set CCMP Counter Mode with Cipher Block Chaining Message Authentication Code Protocol CHADDR Client Hardware Address CIADDR Client IP Address CRC Cyclic Redundancy Check DA Destination Address DHCP Dynamic Host Configuration Protocol DNS Domain Name System DoS Denial-of-Service DS Distribution System EAPOL Extensible Authentication Protocol Over LAN EAP Extensible Authentication Protocol ESSID Extended Service Set Identifier ESS Extended Service Set FCS Frame Check Sequence v GIADDR Relay Agent IP Address GPU Graphical Processing Unit GUI Graphical User Interface HLEN Hardware Length HTYPE Hardware Type IBSS Independent Basic Service Set IEEE Institute of Electrical and Electronics Engineers IP Internet Protocol LAN Local Area Network LLC Logical Link Control LSB Least Significant Bit MAC Media Access Control MBZ Must Be Zero MD5 Message Digest 5 MIC Message Integrity Code MPDU MAC Protocol Data Unit MSB Most Significant Bit MSDU MAC Service Data Unit MTU Maximum Transmission Unit NAT Network Address Translation NDP Neighbor Discovery Protocol OP Operation PMK Pairwise Master Key PRGA Pseudo Random Generation Algorithm PRNG Pseudo Random Number Generator PTKSA Pairwise Transient Key Security Association RC4-KSA RC4 Key Scheduling Algorithm vi RC4 Rivest Cipher 4 RFC Request For Comment SA Source Address SHA Secure Hash Algorithm SIADDR Next Server IP Address SNAME Server Host Name SNAP Sub Network Access Protocol SSID Service Set Identifier STA Station TA Transmitter Address or Transmitting Station Address TCP Transmission Control Protocol TID Traffic Identifier TKIP Temporal Key Integrity Protocol TK Temporal Key (Session Key) TSC TKIP Sequence Counter TTAK TKIP-mixed Transmit Address and Key WEP Wired Equivalent Privacy WLAN Wireless Local Area Network WMM WiFi MultiMedia WPA WiFi Protected Access XID Transaction ID XOR Exclusive-Or YIADDR Your IP Address vii viii Contents Abstract i Preface iii Acronyms v 1 Introduction 1 1.1 Motivation ............................ 1 1.2 Related Work ........................... 2 1.3 Problem Description and Goals ................. 2 1.4 Limitations ............................ 3 1.5 Research Methodology ...................... 3 1.6 Document Structure ....................... 4 2 Background 7 2.1 Security Principles ........................ 7 2.1.1 General Principles .................... 7 2.1.2 Encryption techniques .................. 9 2.1.3 Authentication and Authorization ........... 10 2.1.4 Attacks .......................... 11 2.2 IEEE 802.11 Wireless Networks ................. 12 2.2.1 General Description ................... 12 2.2.2 Structure of Wireless Networks ............. 12 2.2.3 History .......................... 14 2.2.4 IEEE 802.11 Transmission Protocols Roundup .... 15 2.3 Wireless Security ......................... 15 2.3.1 IEEE 802.11 Security Protocols ............. 16 2.4 Wired Equivalent Privacy (WEP) ................ 18 2.4.1 History .......................... 18 2.4.2 Protocol Overview .................... 19 2.4.3 Authentication ...................... 21 ix 2.4.4 Pseudorandom Number Generator - RC4 ....... 22 2.4.5 Integrity Check Value - CRC-32 ............ 24 2.4.6 Initialization Vector - IV ................. 25 2.4.7 Weaknesses of WEP ................... 26 2.5 Attacks on WEP ......................... 29 2.5.1 The FMS Attack ..................... 30 2.5.2 The KoreK Attack .................... 30 2.5.3 The PTW Attack ..................... 31 2.5.4 Beck and Tews’ Improved Attack on RC4 ....... 32 2.5.5 Chopchop Attack ..................... 33 2.5.6 Fragmentation Attack .................. 35 2.6 Temporal Key Integrity Protocol (TKIP) ........... 37 2.6.1 History .......................... 37 2.6.2 Protocol overview .................... 37 2.6.3 TKIP Encapsulation ................... 38 2.6.4 TKIP Decapsulation ................... 39 2.6.5 TKIP Packet Structure ................. 40 2.6.6 TKIP Sequence counter (TSC) ............. 41 2.6.7 Message Integrity Code (MIC) ............. 42 2.6.8 Temporal Key ...................... 45 2.7 Counter Mode with CBC MAC Protocol (CCMP) ...... 47 2.8 Attacks on TKIP and CCMP .................. 49 2.9 IEEE 802.11e - QoS/WMM ................... 50 2.10 Address Resolution Protocol (ARP) .............. 51 2.10.1 Protocol Overview .................... 51 2.10.2 ARP Packet Structure .................. 52 2.10.3 Attacks on ARP ..................... 53 2.11 Dynamic Host Configuration Protocol (DHCP) ........ 54 2.11.1 Overview ......................... 55 2.11.2 DHCP Packet Structure ................. 56 3 Beck and Tews’ Attack on TKIP 59 3.1 Requirements ........................... 59 3.1.1 QoS/WMM ........................ 59 3.1.2 Key Renewal Interval .................. 60 3.2 The Attack in Details ...................... 60 3.2.1 Client De-Authentication ................ 62 3.2.2 Modified Chopchop Attack ............... 62 3.2.3 Guessing The Remaining Bytes ............. 63 3.2.4 Reversing the MICHAEL Algorithm .......... 63 3.3 Limitations ............................ 64 3.4 Application Areas ........................ 65 3.4.1 ARP Poisoning ...................... 66 3.4.2 Denial-of-Service ..................... 66 x 3.5 Countermeasures ......................... 66 4 An Improved Attack on TKIP 69 4.1 The DHCP ACK Message .................... 69 4.2 The Attack in Details ...................... 70 4.3 Application Areas ........................ 73 4.3.1 DHCP DNS Attack ................... 73 4.3.2 NAT Traversal Attack .................. 76 5 Laboratory Environment 77 5.1 Hardware ............................. 77 5.1.1 Computers ........................ 78 5.1.2 Access Point