The Cable Guy - November 2004
Wi-Fi Protected Access Data Encryption and Integrity
Wi-Fi Protected Access (WPA), as described in the Wi-Fi Protected Access (WPA) Overview Cable Guy article, is an interim industry standard that makes 802.11 wireless LAN networking secure through a firmware upgrade to 802.11-based wireless network adapters and wireless access points (APs).
WPA replaces Wired Equivalent Privacy (WEP) with the combination of the Temporal Key Integrity Protocol (TKIP), which provides data confidentiality through encryption, and Michael, which provides data integrity. This article describes the details of TKIP and Michael and the WPA encryption and decryption processes.
Cryptographic Features of TKIP and Michael
WEP in the original IEEE 802.11 standard has the following cryptographic weaknesses:
The initialization vector (IV) is too small
WEP uses the IV along with the WEP encryption key as the input to the RC4 pseudo-random number generator (PRNG), which produces a key stream that is used to encrypt the 802.11 frame payload. With a 24-bit WEP IV, it is easy to capture multiple WEP frames with the same IV value, making real-time decryption easier.
Weak data integrity
WEP data integrity consists of performing the Cyclic Redundancy Check-32 (CRC-32) checksum calculation on the bytes in the unencrypted 802.11 payload and then encrypting its value with WEP. Even encrypted, it is relatively easy to change bits in the encrypted payload and then properly update the encrypted CRC-32 result, preventing the receiving node from detecting that the frame contents have changed.
Uses the master key rather than a derived key
The WEP encryption key, either manually configured or determined through 802.1X authentication, is the only available keying material. Therefore, the WEP encryption key is the master key. Using the master key to encrypt data is less secure than using a key derived from the master key.
WEP does not provide for a method to refresh the encryption keys.
No replay protection
WEP does not provide any protection against replay attacks, in which an attacker sends a series of previously captured frames in an attempt to gain access or modify data.
The following table shows how TKIP and Michael address the cryptographic weaknesses of WEP.
|How weakness is addressed by WPA
|IV is too short
|In TKIP, the IV has been doubled in size to 48 bits.
|Weak data integrity
|The WEP-encrypted CRC-32 checksum calculation has been replaced with Michael, an algorithm that is designed to provide strong data integrity. The Michael algorithm calculates a 64-bit message integrity code (MIC) value, which is encrypted with TKIP.
|Uses the master key rather than derived key
|TKIP and Michael use a set of temporal keys that are derived from a master key and other values. The master key is derived from the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected EAP (PEAP) 802.1X authentication process. Additionally, the secret portion of the input to the RC4 PRNG is changed with each frame through a packet mixing function.
|WPA rekeys automatically to derive new sets of temporal keys.
|No replay protection
|TKIP uses the IV as a frame counter to provide replay protection.
WPA Temporal Keys
Unlike WEP, which uses a single key for unicast data encryption and typically a separate key for multicast and broadcast data encryption, WPA uses a set of four different keys for each wireless client-wireless AP pair (known as the pairwise temporal keys) and a set of two different keys for multicast and broadcast traffic.
The set of pairwise keys used for unicast data and EAP over LAN (EAPOL)-Key messages consist of the following:
- Data encryption key A 128-bit key used for encrypting unicast frames.
- Data integrity key A 128-bit key used for calculating the MIC for unicast frames.
- EAPOL-Key encryption key A 128-bit key used for encrypting EAPOL-Key messages.
- EAPOL-Key integrity key A 128-bit key used for calculating the MIC for EAPOL-Key messages.
To derive the pairwise temporal keys, WPA uses the following values:
- Pairwise Master Key (PMK) A 256-bit key derived from the EAP-TLS or PEAP authentication process.
- Nonce 1 A random number determined by the wireless AP.
- MAC 1 The MAC address of the wireless AP.
- Nonce 2 A random number determined by the wireless client.
- MAC 2 The MAC address of the wireless client.
For 802.1X authentication using a RADIUS server, the PMK is mutually determined by the wireless client and the RADIUS server, which conveys the PMK to the wireless AP in the RADIUS Access-Accept message. After receiving the PMK, the wireless AP initiates the temporal key message exchange, which consists of the following:
- EAPOL-Key message sent by the wireless AP that contains Nonce 1 and MAC 1. Because the temporal unicast keys are not yet determined, this message is sent as clear text and without message integrity protection. The wireless client now has all the elements needed to calculate the pairwise temporal keys.
- EAPOL-Key message sent by the wireless client that contains Nonce 2, MAC 2, and a MIC. Because the wireless client has calculated the pairwise temporal keys, it calculates a MIC using the derived EAPOL-Key integrity key. The wireless AP uses the Nonce 2 and MAC 2 values to derive the pairwise temporal keys and to validate the value of the MIC.
- EAPOL-Key message sent by the wireless AP that contains a MIC and a starting sequence number, indicating that the wireless AP is ready to start sending encrypted unicast and EAPOL-Key frames.
- EAPOL-Key message sent by the wireless client that contains a MIC and a starting sequence number, indicating that the wireless client is ready to start sending encrypted unicast and EAPOL-Key frames.
This set of messages exchanges the values needed to determine the pairwise temporal keys, verifies that each wireless peer has knowledge of the PMK (by verifying the value of the MIC), and indicates that each wireless peer is ready to begin encrypting and providing message integrity protection for subsequent unicast data frames and EAPOL-Key messages.
For multicast and broadcast traffic, the wireless AP derives a 128-bit group encryption key and a 128-bit group integrity key and sends these values to the wireless client using an EAPOL-Key message, encrypted with the EAPOL-Key encryption key and integrity-protected with the EAPOL-Key integrity key. The wireless client acknowledges the receipt of the EAPOL-Key message with an EAPOL-Key message.
WPA Encryption and Decryption Process
WPA needs the following values to encrypt and integrity-protect a wireless data frame:
- The IV, which starts at 0 and increments for each subsequent frame
- The data encryption key (for unicast traffic) or the group encryption key (for multicast or broadcast traffic)
- The destination address (DA) and source address (SA) of the wireless frame
- The value of a Priority field, which is set to 0 and reserved for future purposes
- The data integrity key (for unicast traffic) or the group integrity key (for multicast or broadcast traffic)
The following figure shows the WPA encryption process for a unicast data frame.
If your browser does not support inline frames, click here to view on a separate page.
- The IV, the DA, and the data encryption key are input into a WPA key mixing function, which calculates the per-packet encryption key.
- The DA, SA, Priority, the data (the unencrypted 802.11 payload), and the data integrity key are input into the Michael data integrity algorithm to produce the MIC.
- The ICV is calculated from the CRC-32 checksum.
- The IV and per-packet encryption key are input into the RC4 PRNG function to produce a key stream that is the same size as the data, the MIC, and the ICV.
- The key stream is exclusively ORed (XORed) with the combination of the data, the MIC, and the ICV to produce the encrypted portion of the 802.11 payload.
- The IV is added to the encrypted portion of the 802.11 payload in the IV and Extended IV fields, and the result is encapsulated with the 802.11 header and trailer.
The following figure shows the WPA decryption process for a unicast data frame.
If your browser does not support inline frames, click here to view on a separate page.
- The IV value is extracted from the IV and Extended IV fields in the 802.11 frame payload and input along with the DA and data encryption key into the key mixing function, producing the per-packet encryption key.
- The IV and the per-packet encryption key are input into the RC4 PRNG function to produce a key stream that is the same size as the encrypted data, MIC, and ICV.
- The key stream is XORed with the encrypted data, MIC, and ICV to produce the unencrypted data, MIC, and ICV.
- The ICV is calculated and compared to the value of the unencrypted ICV. If the ICV values do not match, the data is silently discarded.
- The DA, SA, data, and the data integrity key are input into the Michael integrity algorithm to produce the MIC.
- The calculated value of the MIC is compared to the value of the unencrypted MIC. If the MIC values do not match, the data is silently discarded. If the MIC values match, the data is passed to the upper networking layers for processing.
For More Information
For more information about WPA and 802.11 wireless LAN security, consult the following resources:
- Wi-Fi Protected Access (WPA) Overview, the March 2003 Cable Guy article
- IEEE 802.11 Wireless LAN Security with Microsoft Windows XP
- Microsoft Wireless Networks Web site
For a list of all The Cable Guy articles, click here.