September 2009

Special Issue: TKIP Cracked?

When you use wireless LAN or Wi-Fi® technology to connect medical devices to a network, you need to ensure that all data transmitted over the air is viewed only by the intended recipient. A key part of protecting transmitted data is scrambling, or encrypting, it.

The original method of Wi-Fi data encryption is called Wired Equivalent Privacy, or WEP. WEP makes use of the RC4 stream cipher, which in 2001 was deemed vulnerable to attacks. Tools for deciphering or "cracking" WEP-encrypted data and determining which keys were used to encrypt that data were developed during the first half of this decade and are widely available today. As a result, WEP is not a viable element of a strong Wi-Fi security scheme.

In 2003, a successor to WEP called Wi-Fi Protected Access® (WPA®) was introduced, and most Wi-Fi products picked up WPA support via software upgrades. Recently, two Japanese researchers reported that they have devised a way to mount a successful attack on the Temporal Key Integrity Protocol (TKIP) encryption scheme used with WPA. Their report has received a lot of media attention, with some articles claiming that TKIP can be cracked in less than one minute.

TKIP: Better than WEP
TKIP was designed to be supported by all Wi-Fi radios that support WEP. While both TKIP and WEP employ RC4, TKIP was designed to address all known vulnerabilities of WEP by providing these enhancements:

• A longer initialization vector, which minimizes the chance that a key will be reused during a session
• Key hashing, which results in a different key for each data packet
• A message integrity check (MIC), which ensures that the message is not altered in transit between sender and receiver

In addition, while WEP typically relies on static keys that are entered on every client device and Wi-Fi infrastructure endpoint (such as an access point or router), the key used for TKIP encryption and decryption is derived dynamically from the information exchanged between a Wi-Fi client and a Wi-Fi infrastructure endpoint during the authentication process that proceeds the client’s connecting to the Wi-Fi infrastructure.

Is TKIP Vulnerable?
Summit has analyzed the paper published by the two Japanese researchers who created the new scheme for attacking TKIP. Here are some highlights of the paper:

• The paper heavily leverages a paper written by German students in the fall of 2008. The new attack is simply a refined and practical version of a theoretical attack proposed by the German students.
• The attack described by the German students works only when the Wi-Fi router supports 802.11e. The approach by the Japanese scientists uses a man-in-the-middle (MITM) attack to overcome that limitation.
• Both attacks work with both the Personal and Enterprise versions of WPA because the attacks focus on encrypted packets and are oblivious to the authentication scheme that generates the encryption key used for TKIP.
• The attack by German students can obtain from an encrypted ARP packet the message integrity check (MIC) key and the plain text of the packet. The execution time of this attack is 12-15 minutes.
• The attack by the Japanese scientists can obtain from an encrypted ARP packet the same information but in less time (reportedly as little as one minute) and without the restriction of 802.11e support on the router.
• Neither attack can decipher the TKIP encryption key.

While the contents of an ordinary data packet are relatively unpredictable, all bytes of an ARP packet are fixed or known values except the last byte of the source and destination IP addresses. In other words, only two bytes of an ARP packet are unknown. The attack “cracks” those two bytes. It also “cracks” the eight bytes of the MIC and four bytes of the checksum by using an attack called chopchop 12 times.

In summary, the Japanese researchers improved an existing attack that enables a tool to decrypt the unknown two bytes of an ARP packet as well as the MIC and checksum used in conjunction with TKIP. The researchers provided no evidence that a practical tool for cracking an actual TKIP key or deciphering TKIP-encrypted data packets is imminent.

Recommendations
A few years after it was introduced, WPA was succeeded by WPA2®. This more robust security standard, which is required for any product that wants to bear the Wi-Fi CERTIFIED™ seal, replaces TKIP with a stronger encryption method known as AES-CCMP. The vast majority of Wi-Fi products introduced in the past three years support WPA2. As soon as all of the Wi-Fi devices in your facility support WPA2, you should implement the Enterprise version of WPA2 on all of your Wi-Fi networks. For more information on WPA2-Enterprise, see part 2 of Summit's three-part series on Wi-Fi security.

If you have older Wi-Fi devices that support WPA but not WPA2, then don’t panic. TKIP continues to accomplish its primary objective, which is to provide a stronger encryption mechanism than WEP for devices with Wi-Fi radios that lack support for AES-CCMP. Consider accelerating your plans to replace older devices with newer ones that support AES-CCMP. Until you can reach the goal of implementing WPA2-Enterprise everywhere, be sure to use the Enterprise version of WPA on all of your Wi-Fi networks.