CWSP Chapter 2 – Encryption

Centralized vs. Distributed encryption models

Hash Function

Takes a block of data and returns a fixed bit string (128-bit)

Cipher Types

Stream Cipher
- Sequentially bit-by-bit basis
- Uses some seed (IV + stack WEP key) to feed the algorithm and generates a keystream
- Uses the keystream with plaintext on XOR
- Example – RC4

Block Cipher
- Uses a fixed length of plaintext and generates a cyphertext of same length
- 64 to 256 bit block sizes
- Example – RC5, DES, 3DES, AES

Encryption Algorithms

Two types

Symmetric Encryption
- Uses a common secret key on both ends
- All wifi encryption methods use symmetric algorithm
- Example – WEP, TKIP, CCMP

Asymmetric Encryption
- Uses a pair of keys (shared public key to encrypt, secret private key to decrypt)
- Digital certificates with PKI (used by EAP TLS)

RC4 (Rivest Cipher/Ron’s Code)

RC5

Symmetric block
Uses variable block sizes (32, 64, 128), key sizes (0 – 2040), rounds/iterations (0 – 255)
Generated key table depends on the number of rounds

DES

3DES

Symmetric block
3 key (56-bits each) used – DES ran 3 times using 3 different keys
3 scenarios – 3 unique keys (strongest – 168 bits), 2 unique keys, 3 identical keys (weakest)
Recommended by FIPS

AES

Symmetric block based on Rijndael algorithm
128-bit block size, 3 keys sizes – 128, 192, 256 bits, 3 types of rounds (10 rounds for 128, 12 rounds for 192, 14 rounds for 256)
Used in WPA2, IPSec, CCMP – recommended by US govt.
CCMP – most popular 802.11ac/n encryption standard
GCMP uses AES in 802.11ad 60 MHz VHT mode (efficient than CCMP) – processing done in parallel unlike CCMP

Encryption Methods – 802.11-2012 (Cipher Suites)

Layer 2 encryption operates at L2 datalink layer -> encrypts L2 LLC + L3-7 data (Mac Service Data Unit – MSDU)
Layer 2 frame -> Mac Protocol Data Unit (MPDU)
Frames not encrypted – Management frame (only L2 payload), control frame (only header and trailer), null function data frame (no payload)
802.1w – management frame protection to avoid DOS attack impersonating management frames

WEP
- 64-bit WEP-> 24-bit cleartext IV + 40-bit secret static key (5 ASCII characters)
- 128-bit WEP -> 24-bit cleartext IV + 104-bit secret static key (13 ASCII characters)
- Weakness -> short IV, cleartext IV, static key
- Uses RC4 and converts IV + static key -> keystream
- Runs CRC on every frame and adds it to the encrypted data as Integrity Check Value (ICV)
- Uses Boolean XOR process -> Keystream + ICV -> Encrypted cyphertext
- Easy to crack -> IV collision attack (16M keys), weak key attack, reinjection attack, bit-flipping attack
- IV – plaintext, ICV – encrypted
- 2304 + 4 bytes for IV + 4 bytes for ICV = 2312 bytes MPDU (8 byte overload from encryption)
- WEP frames will have “protected frames” in protocol analyzer

Temporal Key Integrity Protocol (TKIP)
- Introduced in 2002 by Wifi alliance after WEP was cracked – temporary method until 802.11i was ratified in 2004
- Mandatory for WPA, optional for WPA2
- Cannot be used on HT, VHT data rate of 802.11n, 802.11ac
- Uses RC4 like WEP, but involves 4-way handshake for key generation for dynamic keys (vs. static of WEP)
- Temporal key instead of WEP static key –
  - Uses a secure 2-phase complex keying method than WEP
  - Protects from IV collision and weak key attacks
  - 128-bit key generated by 4-way handshake – PTK (unicast) or GTK (multicast/broadcast)
- Sequencing – (48-bit TKIP Sequence Counter – TSC 0-5) to avoid replay & reinjection attack -> IV
- Per-packet key mixing -> 48-bit IV + 128-bit temporal key (TK) + Source radio MAC addresses (TA) -> to avoid weak-key attacks
- Message Integrity Check (MIC) – used instead of CRC (protects from bit-flipping attack)
- TKIP Countermeasure – to address constraints of MIC

Seed 1 (TSC 2-5 + TA + TK) -> Phase 1 key mixing -> TKIP-mix Transmit Address & Key (TTAK )
Seed 2 (TTAK + TSC 0-1 + TK) -> Phase 2 key mixing -> WEP seed or RC4 seed
WEP seed -> RC4 -> Keystream
MIC -> MSDU + SA + DA + MIC key
MIC + MSDU -> MPDU
Same 4 octet ICV as WEP -> ICV
XOR -> keystream + ICV + MDPU
2304 + 4 bytes for IV + 4 bytes extended IV + 8 bytes MIC+ 4 bytes for ICV = 2324 bytes MPDU (20 byte overload from encryption)

Counter mode with Cipher-block chaining Message authentication code Protocol (CCMP)

Mandatory for 802.11i encryption (802.11-2012 RSN)
Used in WPA2 personal and enterprise
No keying required unlike TKIP
Uses block cipher 128-bit AES with 4-way handshake (AES can do 192 and 256 bits, but 802.11-2007 restricts 128-bit AES for CCMP)
Adds extra 16-byte overload to the frame
CPU intensive
Components
- CTR – CounterMode -> data confidentiality (encryption)
- CBC-MAC – Cipher-block chaining message authentication code -> Authentication & Integrity
- CCMP = CTR + CBC-MAC
- Temporal key – 128-bit key – PTK (unicast) or GTK (multicast/broadcast)
- Packet Number (PN) – 48-bit counter for identifying the frames – like sequence number of TKIP (to avoid replay & reinjection attack)
- Nonce – random number generated once (uses PN , TA, QOS)
- AAD – Additional Authentication Data. Constructed from a portion of MPDU header. Used for integrity check on both ends.
AAD + Nonce + Temporal Key + MPDU -> CCM/AES -> Encrypted MPDU
CCMP Header -> PN + Key ID (8 bytes) – unencrypted
MIC – Message Integrity Code -> CBC-MAC/CBC-MIC (8 bytes) – Encrypted MIC
This adds 16 byte overload to MPDU

	WEP	TKIP	CCMP
Algorithm	RC4	RC4	AES
Standard	Pre-802.11i	Temporary pre-RSN	802.11-2012 RSN
Wifi alliance	Shared Key	WPA	WPA2
Key	Static	Dynamic 4-way handshake	Dynamic 4-way handshake
Key Size	40-bit 104-bit	128-bit temporal key	128-bit temporal key
Per-packet Key mixing	Concat IV to Key	2 phase complex key mixing	None
Counter	24-bit IV	48-bit TKIP sequence Counter (TSC)	48-bit nonce (from packet number)
Seed	Key + IV	Temporal Key + TSC + TA	Temporal Key + Nonce + AAD
Integrity Check	32-bit CRC -> ICV	64-bit MIC Michael	64-bit MIC -> CBC-MAC (CCM)
Overhead	8 byte	20 byte	16 byte

Sharan's blog