CWNP CWSP – Module 03 – Encryption Ciphers and Methods Part 3

7. TKIP Part2

Alright, so a little bit more about the countermeasures with TKIP. So we already start off by talking about it’s using a very long key, 128 bit temporal key that comes from a four way handshake. And we’re going to see this four way handshake, four way handshake coming up over and over again as we get further into this encryption process. So don’t worry about that at this particular point. But the idea is like, like I said, with that is having those dynamic keys being created and when we see these handshakes, what we’re really going to see so let’s just put it in here. Laptop access point.

So there’s basically a four way set of communications that we use to develop the keys and we’re actually going to look at and we are going to look at it in a later part of our course, the actual key hierarchy when we get into what we call the AKM. So again, it’s like we’re slowly building onto all of these things that deal with protecting our traffic. So bear with me as I’m staying a little more high level knowing that you’re going to see more and more details, we continue on through our course. All right, so what’s going to happen out of this? And by the way, at some point we’re going to be adding an authentication server as well into this communication process for developing these keys.

But right now we’re looking at that replacement for Web. So we’re just kind of focusing on these two stations that are communicating with each other over radio. And when they go through that, they’re actually going to generate two different keys. One called a pairwise transient key or I should say, and or it’s going to create a GroupWise temporal key. What on earth is the difference between those? Well, so I just got through saying that with all of these stations that are connecting to the access point that they’re all going to have their own key. That’s the pairwise transient key. We use that pairwise transient key to encrypt the unicast traffic. Remember, unicast is point to point or host to host. But what if some server entity over here is well, in fact, let’s change it.

Let’s get into the world of multicast. Let’s say there’s a camera over here, there’s my Tripod, my camera, and it’s sending out a multicast stream that we want everybody to see. In fact, it’s going to send it to the wired network and I want everybody that’s connected to the access point to have access to it. Well, think about the work that it would take for that one stream to have to be encrypted in this case three different times to be able to send it to all of the stations or clients. Well, so that’s where we would use a group wise temporal or group temporal key to be able to take care of all of the broadcast and multicast traffic. Like I said, more details coming. So I’m just kind of giving you we’re slowly building up there, right there’s. Sometimes it seems like a lot that we have to remember about this encryption process.

So we’re building on it step by step. All right? And I think we already talked about one of the other features which they’re using as a countermeasure, which is this two phase key mixing process that created that TSC that we talked in. So that we’re mixing it in with the key as opposed to using just a single initialization vector. So here we are basically looking at having a 48 bit IV value. And so what do we do? We have a session key, we have a Mac address, we have the IVs, and we use that to do what they call phase one of the key mixing process. As we look through this, and again, let me break it down for you as we’re going through there. So again, as we’re going through this process, the TKIP sequence number, the TSC, that’s that 48 bit value that we were talking about, the IV value is going to be basically generated and broken into six octets. Remember, octet means byte eight bits and one is going to be labeled the lower IV. The one’s going to be labeled the upper IV. But if we do the six octets, multiply it by eight bits, that’s the 48 bits that we were talking about.

And I don’t know why we can’t again also have the same name for everything that we talk about, but nonetheless so what happens then is in phase one mixing, as you can see here, we’re going to combine that 128 bit temporal key with the octets of the Tkip’s sequence number as well as the transmit address. That’s that Mac address. We’ll call it the ta transmit address, which is whoever is the transmitter, right, could be the client or the access point. And so at that point, we have what’s called the TKIP mixed transmit address and key. All right, fancy way of saying TTAK. Now, after we do that, then we’re going to come into phase two key mixing. And that’s where we’re going to take this result, right, this whole result of everything here the TTAK. And basically we’re going to combine it again with the first and second octets, I guess I should say, of the TSC, again, combining it with the temporal key. And in this case it’s called the web phase or the web seed.

And that’s also going to be represented as well by the time we’re done with our original keys, our per packet key and the initialization vector. Remember, all of that is basically mixing a lot of things addresses the temporal key, parts of the IV and then other parts of the IV are going to be used for the phase two mixing, which is also going to mix that key with, again, at the temporal key. Really what we’re trying to do is really confuse everybody what that original temporal key was. And by the time we’re done, we have this 128 bits, right? We add them all up of the encryption key and look, a dummy bite as well. A dummy bite is just a random value that tries to make the IV not as easy to guess.

And now we have the WEP seed. And the WEP seed, remember, was again taking the plain text ones and zeros and doing the exclusive or now with our new TKIP or using Web, basically using RC four, if you think about it. So that’s the key and then the result of the XOR equals whatever that cipher text is going to be. So it sounds like a little more complicated of a process and it is kind of a complicated process because we don’t want it to be easy for people to actually break out and figure out what that key is. Now, one of the things I didn’t break down is how they labeled these upper and lower IVs.

You usually will see them listed as these TS zero through TS six again, right? Or actually five, I’m sorry, because there’s only six of them. So they’re really breaking these down into groups of eight bits or eight or, you know, single octets. And so that initialization vector is not used all at once, right? The upper one is used for phase one, the lower one is used for phase two. As I just got through saying, and who knows if you can even read my picture now after I went crazy drawing all over over the screen for you.

8. MIC

We’re going to talk about Mick or Michael. I’m not sure why they call it Michael. I mean, because that’s not even short for Michael. But anyway, you know all the terms and you know how they word them. And what it is is the message Integrity code and it was designed. So what is integrity? Integrity means that we don’t want to see any changes. No changes, no spoofing, no altering of data, no bit flipping, all these little things that people can do to really mess up our communications. And it’s something we use with the temporal key. Now, there are still some attacks that we have to worry about with Mick or Michael, however you want to use it, but that’s what it was. Its job was to verify, like I said, that nothing was being impersonated or redirected or any bit flipping.

Now, what’s redirection? Redirection is often what we call kind of a man in the middle. Let’s say, for example, that if you were broadcasting or transmitting your information and some hacker was intercepting it for you, maybe they were impersonating an access point. By the way, if you haven’t seen about that, I had a good friend who did one of those morning shows on CBS and was supposed to talk about weaknesses of wireless and unfortunately his name was Tim. He calls me and asked me for ID. And I said, hey, set up your cell phone as an access point and steal some WiFi at the hotel and have people go through you. And so he did that and I didn’t even get credit. That was sad. I wanted to be on TV. But anyway, so now as an access point, you’re associating with that laptop or that tablet or cell phone, and then they rebroadcast your information to the real access point with the same SSID. So they’re impersonating you, right, or doing some redirection. They’re stealing your information from you, letting you think that you are connected and then sending it off to the access point.

Well, part of what Michael was designed to do is to try to stop that process. We want to be able to know that we can stop the attacks and stop those impersonation attacks and be able to have more success. And the idea is that you fail the integrity protocol, then the packets are dropped so that you don’t have to worry about this type of an attack. Now, when we do this, parts of what we use to be able to compute this, one of them is what we call the destination address or the DA. The DA and the source address, the essay are important in the calculation.

So again, think about it, right? If somebody’s impersonating you acting as an access point, and then they send off the traffic on your behalf, they’re going to have a different destination address. Otherwise there’s going to be a failure between the two and of course, a different source address. This guy was using that access point as a source address. This one’s changing it. So adding those two keys right there can help a lot in setting it up. We also have the MSDU priority and the entire unencrypted MSDU plain text. So that means that, again, if we have some sort of what’s called a hash a hash is a type of encryption, but it’s a verification of the plain text and the plaintext information. And the nice thing about a hashing protocol is that if somebody changes it by one bit, even if they flip a bit, change a zero to a one and change another one to a zero, the resultant hash is going to be completely different. And so all of that information is going to be used to be able to generate this integrity protocol so that we know whether or not any changes have occurred.

By the time we’re done, we have eight bytes of information in size, and it’s appended, I should say, to the end of the MSDU. Now, if you think about it, and we have a hash of the plaintext, and the MSDU, remember, is the encrypted portion when it’s decrypted. So right, we decrypt this information and then compare the plaintext to the hash of the plaintext. We can easily see if that was changed because it will be completely different. Now, it’s not a perfect hashing algorithm. Many others are much better. As an example, eight bits is only 64, or eight bytes is only 64 bits. Things like MD Five all by itself uses 128 bit hashing algorithm, and it uses what they call the rainbow, or I’m sorry, not the rainbow, the waterfall effect. Of course, you could probably see a rainbow when you watch a waterfall. But anyway, the waterfall effect just says that the slightest change makes the hash completely different. So it’s not quite as strong as some of the other hashing that we have. So it really only contains 20 bits of effective security strength. So that means that it could be vulnerable to brute force attack. One of the weaknesses of any integrity check is that we might find two plain text sets of data that might come up with the same hashing option, and they actually call that the breaking of hashing.

And so the shorter the hash results, the easier it is to find another message that could come up with the same 20 bits of effective security strength. And so that’s why they’re saying it could be vulnerable to a brute force stack. But in reality, that’s very difficult to do, to be able to find two messages that would contain the same Mick or Michael, but it’s still there because it’s not as strong as some of the others. Okay, some of the other things that Mick does is logging. The idea of logging is that if there is a mic failure, it would show that as an active attack to be logged.

And what we would see is a 62nd shutdown. So basically, if two Mick failures occur in 60 seconds, it would be a shutdown on the temporal key for 60 seconds, which means that we would not have any transmissions. Now, you might say, okay, that sounds like somebody could do a denial of service attack against us by shutting it down. And yes, that’s true. That is the risk of using Michael is that you could be subject to a denial of service. But if you’re worried about a brute force attack and you have to wait after two errors, 60 seconds to be able to try again, it’s going to take you forever to be able to try all those different combinations on a brute force type of an attack. And so that’s, I guess, the trade off.

And there’s other ways to do a denial of service attack, too, besides attacking the Michael, and that would be setting management frames to try to disassociate you with the access point and so many other things that are out there. But nonetheless, this was a better I should say it was a better solution than what we had before. And remember, we’re still kind of talking about some of the legacy stuff that we had to try to help secure our networks.

9. TKIP MPDU

The next part is the temporal keys Mpdu. And I think we already talked a little bit about what the Mpdu is. So remember, the first 32 bytes of everything we send is the Mac header. And the Mac header, remember, is going to have a destination and a source address. Those are Mac addresses. Each one of those is six bytes. So together total, that would be twelve bytes of the 32 bytes. And that was the part that was unencrypted when we look at the 800 and 211 Mac header, which is not going to change and remember what the idea was right in that frame, the layer two Mac header stayed the same. And we encrypted the rest of everything from layer three to layer seven. So anyway, so the first 32 bytes are made up of that. And the encrypted frame body has five key pieces that we’re going to use.

And we can add them all up. And when we add them all up, we’ll come up with the total we already talked about Michael, which is another eight bytes. So what did I just say? We had twelve bytes there. So that’s another eight bytes for Michael. Now we’re up to 20. And as we go through there, some of the other things that we’re going to see is the IV, the initialization vector or KeyID, another four bytes. I hope that I don’t end up doing my math wrong here. It’s always embarrassing to do math in front of people and then not add it up correctly. So what are we at right there? Right now we’re at 24. All right, so we need eight more bytes. We also have the extended IV.

That’s a part of this. I think we talked about how the initialization vectors are different with TKIP when we talked about breaking it up into different portions. And so things like I mentioned, like TSC zero. This was back a couple of minutes ago when I was talking about things like key mixing. And then, of course, now the MSDU payload, we can’t really count that as a part of the actual overall 1st 32 bites because that is just depending on how big this encrypted portion is going to be that we set up there. And then, of course, as we continue on here and remember, the idea here is that we’re coming up with keys, we’re coming up with ways of doing encryption and we’re introducing these temporal objects. And then we have the ICV.

The ICV is another four bytes. So now we’re at 28. And I guess you could probably say if we wanted to talk about the size of the payload, that would make up the rest of our 32 bites. But anyway, adding all of that to it is just adding more to the actual layer two information as we talked about with the Mac header. Again, all of the things I said about key mixing is still there. And and so when we’re all said and done, technically, the 16 bytes for the Mac addresses or I’m sorry, the twelve bytes of the Mac addresses are still there. And when we started adding in here what was it? 1216, and potentially here four bytes with the rest of it, even though I didn’t write that in there, gets us up to the 32 bytes. And if you think about what we’re doing, we know we need twelve bytes to begin with, just for source and destination addresses.

The rest of the header adds another 20 bytes total for 32 bytes. And that shouldn’t be the end of the world. I mean, there is a thing called the Maximum Transmission Unit, which is how long a frame can actually be at any one point in time. But technically, we worry about the MTU with routers, and routers actually only care about layer three and beyond. So once we decrypt it and the router takes this information that would be decrypted, then the extra 20 bytes that we put at layer two don’t have any say in what it does to the performance of being able to do routing. So, again, that’s just the breakdown of that particular type of frame and what the temporal key is made up of.

And hopefully, you remember all of the benefits that I just talked about with temporal keys as to how it was a replacement with WEP. And now you’re kind of getting an idea of how these are formed. So here, if you ever wanted to do your own packet sniffing, you could capture these frames, if you’re close enough with some sort of packet sniffer. Wireshark is one that’s free. You just need to have a wireless card that you can put into Promiscuous mode so you can just capture that. And you could watch the back and forth and actually look at this information. And even though you could look at it and maybe even try to alter it and retransmit something else, but because of sequence numbers, replay capabilities that we’ve stopped, it would do nothing more for you than just let you be able to verify the back and forth communications.