Editing Temporal Key Integrity Protocol

{{Short description|Security protocol in wireless networking}}
{{Infobox encryption method
| name           = Temporal Key Integrity Protocol
| image          = 
| caption        = 
| designers      = [[Wi-Fi Alliance]]
| publish date   = {{start date and age|2002|10|31}}
| series         = 
| derived from   = [[Wired Equivalent Privacy]]
| derived to     = 
| related to     = 
| certification  = 
| digest size    = <!--(hash functions)-->
| key size       = 128 bits
| security claim = 
| block size     = <!--(block ciphers)-->
| state size     = <!--(stream ciphers)-->
| structure      = 
| rounds         = 
| speed          = 
| cryptanalysis  = Deprecated
}}

'''Temporal Key Integrity Protocol''' ('''TKIP''' {{IPAc-en|t|iː|ˈ|k|ɪ|p}}) is a [[security protocol]] used in the [[IEEE 802.11]] wireless networking standard. TKIP was designed by the [[IEEE 802.11i]] task group and the [[Wi-Fi Alliance]] as an interim solution to replace [[Wired Equivalent Privacy|WEP]] without requiring the replacement of legacy hardware. This was necessary because the breaking of WEP had left Wi-Fi networks without viable [[Data link layer#Logical link control sublayer|link-layer]] security, and a solution was required for already deployed hardware. However, TKIP itself is no longer considered secure, and was deprecated in the 2012 revision of the 802.11 standard.<ref name=deprecate />

== Background ==
On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name [[Wi-Fi Protected Access|Wi-Fi Protected Access (WPA)]].<ref name=WPA_announcement>{{cite web |url=http://wi-fi.org/pressroom_overview.php?newsid=55 |date=2002-10-31 |accessdate=2007-12-21 |work=[[Wi-Fi Alliance]] |title=Wi-Fi Alliance Announces Standards-Based Security Solution to Replace WEP |url-status=dead |archiveurl=https://web.archive.org/web/20080103110456/http://wi-fi.org/pressroom_overview.php?newsid=55 |archivedate=2008-01-03 }}</ref>  The IEEE endorsed the final version of TKIP, along with more robust solutions such as [[802.1X]] and the [[Advanced Encryption Standard|AES]] based [[CCMP (cryptography)|CCMP]], when they published IEEE 802.11i-2004 on 23 July 2004.<ref name=80211i>{{cite web|url=http://standards.ieee.org/getieee802/download/802.11i-2004.pdf |archive-url=https://web.archive.org/web/20050517043501/http://standards.ieee.org/getieee802/download/802.11i-2004.pdf |url-status=dead |archive-date=May 17, 2005 |title=IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements |date=2004-07-23 |publisher=[[IEEE Standards]] |accessdate=2007-12-21}}</ref>  The Wi-Fi Alliance soon afterwards adopted the full specification under the marketing name [[WPA2]].<ref name=WPA2_announcement>{{cite web |url=http://wi-fi.org/pressroom_overview.php?newsid=31 |date=2004-09-01 |accessdate=2007-12-21 |work=[[Wi-Fi Alliance]] |title=Wi-Fi Alliance Introduces Next Generation of Wi-Fi Security |url-status=dead |archiveurl=https://web.archive.org/web/20080103105842/http://wi-fi.org/pressroom_overview.php?newsid=31 |archivedate=2008-01-03 }}</ref>

TKIP was resolved to be deprecated by the IEEE in January 2009.<ref name=deprecate>{{cite web|url=https://mentor.ieee.org/802.11/file/08/11-08-1127-12-000m-tgmb-issues-list.xls|title=802.11mb Issues List v12 |date=20 January 2009|format=excel|page=CID 98|quote=The use of TKIP is deprecated. The TKIP algorithm is unsuitable for the purposes of this standard}}</ref>

== Technical details ==
TKIP and the related WPA standard implement three new security features to address security problems encountered in WEP protected networks. First, TKIP implements a key mixing function that combines the secret root key with the [[initialization vector]] before passing it to the [[RC4| RC4 cipher]] initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP [[related key attack]]s.<ref name=edney>{{cite book| first=Jon| last=Edney|author2=Arbaugh, William A.  | title=Real 802.11 Security: Wi-Fi Protected Access and 802.11i| publisher=[[Addison Wesley|Addison Wesley Professional]]| date=2003-07-15 |isbn=978-0-321-13620-6}}</ref> Second, WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point. Finally, TKIP implements a 64-bit [[Message Integrity Code#Message integrity codes|Message Integrity Check (MIC)]] and re-initializes the sequence number each time when a new key (Temporal Key) is used.<ref>IEEE-SA Standards Board. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. ''Communications Magazine'', IEEE, 2007.</ref>

To be able to run on legacy WEP hardware with minor upgrades, TKIP uses [[RC4]] as its cipher. TKIP also provides a [[rekeying (cryptography)|rekeying]] mechanism. TKIP ensures that every data [[Packet (information technology)|packet]] is sent with a unique [[encryption key]](Interim Key/Temporal Key + Packet Sequence Counter).{{Citation needed|date=August 2013}}

Key mixing increases the complexity of decoding the keys by giving an attacker substantially less data that has been encrypted using any one key. WPA2 also implements a new message integrity code, MIC. The message integrity check prevents forged packets from being accepted. Under WEP it was possible to alter a packet whose content was known even if it had not been decrypted.

==Security==
TKIP uses the same underlying mechanism as WEP, and consequently is vulnerable to a number of similar attacks. The message integrity check, per-packet key [[Hash function|hashing]], broadcast key rotation, and a sequence counter discourage many attacks. The key mixing function also eliminates the WEP key recovery attacks.

Notwithstanding these changes, the weakness of some of these additions have allowed for new, although narrower, attacks.

===Packet spoofing and decryption===
TKIP is vulnerable to a [[Message Integrity Code#Message integrity codes|MIC key]] recovery attack that, if successfully executed, permits an attacker to transmit and decrypt arbitrary packets on the network being attacked.<ref name="vanhoef-piessens">{{cite book |doi=10.1145/2484313.2484368 |first1=Mathy |last1=Vanhoef |first2=Frank |last2=Piessens |title=Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security |chapter=Practical verification of WPA-TKIP vulnerabilities |date=May 2013 |series=ASIA CCS '13 |pages=427–436 |url=https://lirias.kuleuven.be/bitstream/123456789/401042/1/wpatkip.pdf|isbn=9781450317672 |s2cid=7639081 }}</ref> The current publicly available TKIP-specific attacks do not reveal the Pairwise Master Key or the Pairwise Temporal Keys. On November 8, 2008, Martin Beck and Erik Tews released a paper detailing how to recover the MIC key and transmit a few packets.<ref name="beck-tews">Martin Beck & Erik Tews, "Practical attacks against WEP and WPA", available at [http://dl.aircrack-ng.org/breakingwepandwpa.pdf].</ref> This attack was improved by Mathy Vanhoef and Frank Piessens in 2013, where they increase the amount of packets an attacker can transmit, and show how an attacker can also decrypt arbitrary packets.<ref name="vanhoef-piessens"/>

The basis of the attack is an extension of the [[Wired Equivalent Privacy|WEP]] [[chop-chop attack]]. Because WEP uses a cryptographically insecure checksum mechanism ([[CRC32]]), an attacker can guess individual bytes of a packet, and the [[wireless access point]] will confirm or deny whether or not the guess is correct. If the guess is correct, the attacker will be able to detect the guess is correct and continue to guess other bytes of the packet. However, unlike the chop-chop attack against a WEP network, the attacker must wait for at least 60 seconds after an incorrect guess (a successful circumvention of the CRC32 mechanism) before continuing the attack. This is because although TKIP continues to use the CRC32 checksum mechanism, it implements an additional [[MIC code]] named Michael. If two incorrect Michael MIC codes are received within 60 seconds, the access point will implement countermeasures, meaning it will rekey the TKIP [[session key]], thus changing future keystreams. Accordingly, attacks on TKIP will wait an appropriate amount of time to avoid these countermeasures. Because [[address resolution protocol|ARP]] packets are easily identified by their size, and the vast majority of the contents of this packet would be known to an attacker, the number of bytes an attacker must guess using the above method is rather small (approximately 14 bytes). Beck and Tews estimate recovery of 12 bytes is possible in about 12 minutes on a typical network, which would allow an attacker to transmit 3–7 packets of at most 28 bytes.<ref name="beck-tews"/> Vanhoef and Piessens improved this technique by relying on [[Fragmented distribution attack|fragmentation]], allowing an attacker to transmit arbitrarily many packets, each at most 112 bytes in size.<ref name="vanhoef-piessens"/> The Vanhoef–Piessens attacks also can be used to decrypt arbitrary packets of the attack's choice.

An attacker already has access to the entire ciphertext packet. Upon retrieving the entire plaintext of the same packet, the attacker has access to the keystream of the packet, as well as the MIC code of the session. Using this information the attacker can construct a new packet and transmit it on the network. To circumvent the WPA implemented replay protection, the attacks use [[Quality of service|QoS]] channels to transmit these newly constructed packets. An attacker able to transmit these packets may be able to implement any number of attacks, including [[ARP poisoning]] attacks, denial of service, and other similar attacks, with no need of being associated with the network.

===Royal Holloway attack===

A group of security researchers at the Information Security Group at Royal Holloway, University of London reported a theoretical attack on TKIP which exploits the underlying [[RC4]] encryption mechanism. TKIP uses a similar key structure to WEP with the low 16-bit value of a sequence counter (used to prevent replay attacks) being expanded into the 24-bit "IV", and this sequence counter always increments on every new packet. An attacker can use this key structure to improve existing attacks on RC4. In particular, if the same data is encrypted multiple times, an attacker can learn this information from only 2<sup>24</sup> connections.<ref>{{cite web|url=http://www.isg.rhul.ac.uk/tls/RC4biases.pdf|title=On the Security of RC4 in TLS and WPA|author=AlFardan|publisher=Information Security Group, Royal Holloway, University of London|date=2013-07-08|display-authors=etal|access-date=2015-01-04|archive-date=2013-09-22|archive-url=https://web.archive.org/web/20130922170155/http://www.isg.rhul.ac.uk/tls/RC4biases.pdf|url-status=dead}}</ref><ref>{{cite web|url=http://eprint.iacr.org/2013/748.pdf|title=Plaintext Recovery Attacks Against WPA/TKIP|author=Paterson|publisher=Information Security Group, Royal Holloway, University of London|date=2014-03-01|display-authors=etal}}</ref><ref>{{cite book|author=Paterson|title = Advances in Cryptology – ASIACRYPT 2014|volume = 8874|pages = 398–419|publisher=Information Security Group, Royal Holloway, University of London|date=2014-03-01|display-authors=etal|doi=10.1007/978-3-662-45611-8_21|series = Lecture Notes in Computer Science|isbn = 978-3-662-45607-1|chapter = Big Bias Hunting in Amazonia: Large-Scale Computation and Exploitation of RC4 Biases (Invited Paper)}}</ref> While they claim that this attack is on the verge of practicality, only simulations were performed, and the attack has not been demonstrated in practice.

===NOMORE attack===

In 2015, security researchers from KU Leuven presented new attacks against RC4 in both TLS and WPA-TKIP. Dubbed the Numerous Occurrence MOnitoring & Recovery Exploit (NOMORE) attack, it is the first attack of its kind that was demonstrated in practice. The attack against WPA-TKIP can be completed within an hour, and allows an attacker to decrypt and inject arbitrary packets.<ref>{{Cite web|url=https://www.rc4nomore.com/|title=RC4 NOMORE|website=www.rc4nomore.com|access-date=2019-05-21}}</ref>

== Legacy ==
[[ZDNET|ZDNet]] reported on June 18, 2010, that WEP & TKIP would soon be disallowed on Wi-Fi devices by the Wi-Fi alliance.<ref>[https://www.zdnet.com/topic/hardware/?tag=nl.e539 Wi-Fi Alliance to dump WEP and TKIP ... not soon enough]</ref>
However, a survey in 2013 showed that it was still in widespread use.<ref name="vanhoef-piessens"/>

The IEEE 802.11n standard prohibits the data rate exceed 54 Mbps if TKIP is used as the Wi-Fi cipher.<ref>{{cite web | url=https://www.intel.com/content/www/us/en/support/articles/000006697/wireless.html | title=Data Rate Won't Exceed 54 MBPS when WEP or TKIP Encryption is }}</ref>

==See also==
* [[Wireless network interface controller]]
* [[CCMP (cryptography)|CCMP]]
* [[Wi-Fi Protected Access]]
* [[IEEE 802.11i-2004]]

==References==
{{reflist}}

[[Category:Broken cryptography algorithms]]
[[Category:Cryptographic protocols]]
[[Category:Key management]]
[[Category:Secure communication]]
[[Category:Wireless networking]]
[[Category:IEEE 802.11]]