Centralized vs. Distributed encryption models
- Centralized – encryption done end to end at the controller
- Distributed – encryption done between two end points (AP & Client)
Hash Function
Takes a block of data and returns a fixed-length bit string (128-bit)
Cipher Types
- Stream Cipher
  - Encrypts sequentially, on a bit-by-bit basis
  - Uses a seed (IV + static WEP key) to feed the algorithm and generate a keystream
  - XORs the keystream with the plaintext
  - Example – RC4
- Block Cipher
  - Takes a fixed-length block of plaintext and generates ciphertext of the same length
  - 64 to 256 bit block sizes
  - Example – RC5, DES, 3DES, AES
Encryption Algorithms
Two types
- Symmetric Encryption
  - Uses a common secret key on both ends
  - All Wi-Fi encryption methods use symmetric algorithms
  - Example – WEP, TKIP, CCMP
- Asymmetric Encryption
  - Uses a pair of keys (shared public key to encrypt, secret private key to decrypt)
  - Digital certificates with PKI (used by EAP-TLS)
RC4 (Rivest Cipher/Ron’s Code)
- Stream cipher
- The unofficially leaked version is called ARC4
- Used in WEP and SSL
- Not recommended
RC5
- Symmetric block
- Uses variable block sizes (32, 64, 128), key sizes (0 – 2040), rounds/iterations (0 – 255)
- Generated key table depends on the number of rounds
DES
- Symmetric block
- 64-bit block size, 56-bit key, 16 rounds
- Already cracked, very weak due to small 56-bit keys
3DES
- Symmetric block
- 3 keys (56 bits each) used – DES run 3 times using 3 different keys
- 3 scenarios – 3 unique keys (strongest – 168 bits), 2 unique keys, 3 identical keys (weakest)
- Recommended by FIPS
AES
- Symmetric block based on Rijndael algorithm
- 128-bit block size, 3 key sizes – 128, 192, 256 bits, with the number of rounds set by the key size (10 rounds for 128, 12 rounds for 192, 14 rounds for 256)
- Used in WPA2, IPSec, CCMP – recommended by US govt.
- CCMP – most popular 802.11ac/n encryption standard
- GCMP uses AES in 802.11ad 60 MHz VHT mode (more efficient than CCMP) – processing done in parallel, unlike CCMP
Encryption Methods – 802.11-2012 (Cipher Suites)
- Layer 2 encryption operates at the L2 data link layer -> encrypts L2 LLC + L3-7 data (MAC Service Data Unit – MSDU)
- Layer 2 frame -> MAC Protocol Data Unit (MPDU)
- Frames not encrypted – management frames (only L2 payload), control frames (only header and trailer), null function data frames (no payload)
- 802.11w – management frame protection to avoid DoS attacks that impersonate management frames
- WEP – Pre-RSNA, RC4
- TKIP – RSN, RC4
- CCMP – RSN, AES
- GCMP – optional for RSN, AES
- WEP
  - 64-bit WEP -> 24-bit cleartext IV + 40-bit secret static key (5 ASCII characters)
  - 128-bit WEP -> 24-bit cleartext IV + 104-bit secret static key (13 ASCII characters)
  - Weakness -> short IV, cleartext IV, static key
  - Uses RC4 and converts IV + static key -> keystream
  - Runs CRC on every frame and adds it to the encrypted data as Integrity Check Value (ICV)
  - Uses Boolean XOR process -> Keystream + ICV -> Encrypted ciphertext
  - Easy to crack -> IV collision attack (16M keys), weak key attack, reinjection attack, bit-flipping attack
  - IV – plaintext, ICV – encrypted
  - 2304 + 4 bytes for IV + 4 bytes for ICV = 2312 bytes MPDU (8 byte overhead from encryption)
  - WEP frames show as “protected frames” in a protocol analyzer
- Temporal Key Integrity Protocol (TKIP)
  - Introduced in 2002 by the Wi-Fi Alliance after WEP was cracked – temporary method until 802.11i was ratified in 2004
  - Mandatory for WPA, optional for WPA2
  - Cannot be used on HT, VHT data rates of 802.11n, 802.11ac
  - Uses RC4 like WEP, but involves a 4-way handshake to generate dynamic keys (vs. the static keys of WEP)
  - Temporal key instead of WEP static key
    - Uses a more secure 2-phase complex keying method than WEP
    - Protects from IV collision and weak key attacks
    - 128-bit key generated by 4-way handshake – PTK (unicast) or GTK (multicast/broadcast)
  - Sequencing – (48-bit TKIP Sequence Counter – TSC 0-5) to avoid replay & reinjection attack -> IV
  - Per-packet key mixing -> 48-bit IV + 128-bit temporal key (TK) + Source radio MAC addresses (TA) -> to avoid weak-key attacks
  - Message Integrity Check (MIC) – used instead of CRC (protects from bit-flipping attack)
  - TKIP Countermeasure – to address constraints of MIC
  - Seed 1 (TSC 2-5 + TA + TK) -> Phase 1 key mixing -> TKIP-mixed Transmit Address & Key (TTAK)
  - Seed 2 (TTAK + TSC 0-1 + TK) -> Phase 2 key mixing -> WEP seed or RC4 seed
  - WEP seed -> RC4 -> Keystream
  - MIC -> MSDU + SA + DA + MIC key
  - MIC + MSDU -> MPDU
  - Same 4 octet ICV as WEP -> ICV
  - XOR -> keystream + ICV + MPDU
  - 2304 + 4 bytes for IV + 4 bytes extended IV + 8 bytes MIC + 4 bytes for ICV = 2324 bytes MPDU (20 byte overhead from encryption)
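The WEP encapsulation listed above (IV + static key -> RC4 keystream, CRC-based ICV, XOR), written out as an added example that is not part of the original notes. It shows the 8-byte overhead, the ICV check on receive, and why concatenating a short cleartext IV to a static key is a weakness that TKIP's per-packet key mixing replaces: two frames with the same IV share a keystream. Function names are hypothetical, the key, IV and MSDUs are constructed, and the key-ID octet and little-endian ICV packing are taken from the 802.11 WEP frame format rather than from this page.

```python
import struct
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling over the seed, then `length` keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msdu: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(msdu))        # 32-bit CRC, 4 octets

def wep_encapsulate(iv: bytes, key: bytes, msdu: bytes) -> bytes:
    """Cleartext IV (3 octets) + key-ID octet + RC4-encrypted (MSDU + ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("need a 24-bit IV and a 40- or 104-bit key")
    body = msdu + icv(msdu)
    keystream = rc4_keystream(iv + key, len(body))    # seed = IV || static key
    return iv + b"\x00" + xor(body, keystream)        # key ID 0

def wep_decapsulate(key: bytes, frame: bytes) -> bytes:
    """Decrypt with the IV carried in the frame and verify the ICV."""
    iv, cipher = frame[:3], frame[4:]
    body = xor(cipher, rc4_keystream(iv + key, len(cipher)))
    if icv(body[:-4]) != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]

def same_iv_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV + same static key = same keystream, so C1 xor C2 == P1 xor P2."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[4:], frame_b[4:])

# Constructed sample values, not captured traffic.
KEY, IV = b"ABCDE", bytes.fromhex("0a0b0c")           # 40-bit key, 24-bit IV
MSDU_1, MSDU_2 = b"constructed msdu #1", b"constructed msdu #2"
FRAME_1, FRAME_2 = (wep_encapsulate(IV, KEY, m) for m in (MSDU_1, MSDU_2))
```

With only 24 bits of IV, a busy network must reuse IVs under the same static key, which is the condition `same_iv_xor` checks for.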
Counter mode with Cipher-block chaining Message authentication code Protocol (CCMP)
- Mandatory for 802.11i encryption (802.11-2012 RSN)
- Used in WPA2 personal and enterprise
- No keying required unlike TKIP
- Uses block cipher 128-bit AES with 4-way handshake (AES can do 192 and 256 bits, but 802.11-2007 restricts 128-bit AES for CCMP)
- Adds an extra 16-byte overhead to the frame
- CPU intensive
- Components
  - CTR – Counter Mode -> data confidentiality (encryption)
  - CBC-MAC – Cipher-block chaining message authentication code -> Authentication & Integrity
  - CCMP = CTR + CBC-MAC
  - Temporal key – 128-bit key – PTK (unicast) or GTK (multicast/broadcast)
  - Packet Number (PN) – 48-bit counter for identifying the frames – like sequence number of TKIP (to avoid replay & reinjection attack)
  - Nonce – random number generated once (uses PN, TA, QoS)
  - AAD – Additional Authentication Data. Constructed from a portion of MPDU header. Used for integrity check on both ends.
  - AAD + Nonce + Temporal Key + MPDU -> CCM/AES -> Encrypted MPDU
  - CCMP Header -> PN + Key ID (8 bytes) – unencrypted
  - MIC – Message Integrity Code -> CBC-MAC/CBC-MIC (8 bytes) – Encrypted MIC
  - This adds 16 byte overhead to MPDU
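How the PN, CCMP header and nonce from the component list fit together, and how a receiver uses the PN to drop replayed frames, as an added example that is not part of the original notes. The octet order of the header and nonce follows the 802.11 CCMP definition rather than this page; all function and class names are hypothetical, and the AES-CCM encryption and AAD construction are left out.

```python
def ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """8-octet cleartext header: PN0 PN1 Rsvd KeyOctet PN2 PN3 PN4 PN5."""
    if not 0 <= pn < 1 << 48 or not 0 <= key_id < 4:
        raise ValueError("PN is 48 bits, key ID is 2 bits")
    p = pn.to_bytes(6, "little")                  # p[0] = PN0 ... p[5] = PN5
    key_octet = 0x20 | (key_id << 6)              # ExtIV bit set, key ID in bits 6-7
    return bytes([p[0], p[1], 0x00, key_octet]) + p[2:]

def parse_ccmp_header(hdr: bytes) -> tuple:
    """Return (PN, key ID) recovered from the cleartext header."""
    if len(hdr) != 8 or not hdr[3] & 0x20:
        raise ValueError("not a CCMP header (ExtIV bit must be set)")
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, hdr[3] >> 6

def ccm_nonce(priority: int, ta: bytes, pn: int) -> bytes:
    """13-octet CCM nonce: QoS priority octet + TA + PN (PN5 first)."""
    if len(ta) != 6 or not 0 <= priority < 16:
        raise ValueError("TA is 6 octets, priority is 4 bits")
    return bytes([priority]) + ta + pn.to_bytes(6, "big")

class ReplayCheck:
    """Receiver side: per (TA, priority) the PN must strictly increase."""

    def __init__(self):
        self.last_pn = {}

    def accept(self, ta: bytes, priority: int, hdr: bytes) -> bool:
        pn, _key_id = parse_ccmp_header(hdr)
        if pn <= self.last_pn.get((ta, priority), 0):
            return False                          # replayed or reinjected frame
        self.last_pn[(ta, priority)] = pn
        return True

# Constructed sample values: a locally administered MAC and an arbitrary PN.
SAMPLE_TA = bytes.fromhex("020000000001")
SAMPLE_PN = 0x060504030201
```

Because the PN feeds the nonce, a transmitter that never repeats a PN under one temporal key also never repeats a nonce.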
| | WEP | TKIP | CCMP |
| --- | --- | --- | --- |
| Algorithm | RC4 | RC4 | AES |
| Standard | Pre-802.11i | Temporary pre-RSN | 802.11-2012 RSN |
| Wi-Fi Alliance | Shared Key | WPA | WPA2 |
| Key | Static | Dynamic, 4-way handshake | Dynamic, 4-way handshake |
| Key Size | 40-bit, 104-bit | 128-bit temporal key | 128-bit temporal key |
| Per-packet Key mixing | Concat IV to Key | 2 phase complex key mixing | None |
| Counter | 24-bit IV | 48-bit TKIP Sequence Counter (TSC) | 48-bit nonce (from packet number) |
| Seed | Key + IV | Temporal Key + TSC + TA | Temporal Key + Nonce + AAD |
| Integrity Check | 32-bit CRC -> ICV | 64-bit MIC Michael | 64-bit MIC -> CBC-MAC (CCM) |
| Overhead | 8 byte | 20 byte | 16 byte |