Académique Documents
Professionnel Documents
Culture Documents
225
Abstract
Temporal Key Integrity Protocol (TKIP) is a provisional
solution for Wired Equivalent Privacy (WEP) security
loopholes present in already widely deployed legacy 802.11
wireless devices. In this work, we model and analyze
the computational complexity of TKIP security mechanism and propose an optimized implementation, called
LOTKIP, to decrease processing overhead for better energy efficient security performance. The LOTKIP improvements are based on minimizing key mixing redundancy and a novel frame encapsulation with low overhead.
We simulate and compare LOTKIP with baseline TKIP
in terms of complexity and energy consumption for ad
hoc wireless network security. From simulation results,
we demonstrate that LOTKIP executes with lower computational complexity, hence, with faster encryption time
and more energy-efficient.
Keywords: Complexity overhead, energy consumption
model, wireless security, TKIP
Introduction
Related Work
226
TKIP Algorithm
3.1
TKIP Basics
227
key for each frame through key mixing process to mit- generated from one MSDU are encrypted under the same
igate attacks against weak WEP keys. The increased temporal key by TKIP.
length of the IV makes it possible to generate a larger
TKIP employs non-reusable IVs as TKIP sequence
number of different keys.
counters (TSC) to prevent replay attacks [16]. With the
same temporal or session key (TK), TSC is a monoton4) Lastly, a rekeying mechanism is included to defeat ically increasing counter from 0x000 to 0xFFFF which
key collisions. TKIP is also equipped with key man- starts from first packet transmission. The receiver rejects
agement operations.
every packet that has a TSC less than or equal to the
Another important constraint in the design of security previous packet. When an IV sequence counter roll-over
mechanism for 802.11b and 802.11g mobile devices is the (0xFFFF to 0x0000) is detected, the extended IV will be
low-speed embedded CPUs which cannot support compu- incremented.
A total of 20 bytes headers are associated with TKIP
tationally intensive security operations. We node here the
idea behind TKIP is compatibility with existing hardware IEEE 802.11 frame. The extended IV (4 bytes) and the
while minimizing the impact of enhancement operations MIC (8 bytes) amounts an overhead of 12 bytes. The setback of the TKIP sequence counter approach is related
on the device performance.
In Figure 1, the TKIP encryption/decryption process to IEEE 802.11 burst-acknowledgements, which indicates
between two wireless stations, A and B, is shown. At sta- that up to 16 packets could be sent at once and then be action A, a MIC is generated for the data and appended to knowledged by one packet. The concept of replay window
the message which is fragmented if greater than MPDU is used to monitor the counters. The receiver keeps track
size. Next, the MAC Header is added and the whole of the highest TSC and the last 16 TSC values and when
packet is encrypted. Before de-encapsulating a received a new frame arrives it checks and classifies it as one of
MAC Protocol Data Unit (MPDU) at station B, TKIP the following types: ACCEPT if TSC is larger than the
extracts the TKIP sequence counter (TSC), WEP IV largest seen so far, or REJECT if TSC is less than the
and Key ID from the packet. However, TKIP discards value of the largest 16, or adjust the WINDOW if TSC
received MPDU that violates the sequencing rules, and is less than the largest, but more than the lower limit.
otherwise uses the mixing function to reconstruct a WEP Consequently, the sequence counter memorizes the last
seed. The TKIP WEP seed is represented as a concatena- 16 IV values to guarantee that all packets have been cortion of WEP IV and RC4 key and passes on these with the rectly received. Frames are fragmented in the band from
MPDU to WEP engine for de-encapsulation/decryption. 256 to 2346 bytes threshold with the purpose to increase
If integrity check value (ICV) test is successful, the imple- the transfer reliability. Larger frame size increases likelimentation reassembles the MPDU into a MAC Protocol hood of interference and therefore higher retransmission
Service Unit (MSDU). Upon successful MSDU reassem- rate. Small frame rate gives excessive overhead during
bly, the receiver station B performs MIC verification step the transmission and throughput reduction.
by recomputing the MIC over the MSDU source address,
destination address, and MSDU data (but not the MIC 3.2 TKIP Countermeasures
field), and bit-wise comparing the resultant MIC against
the received MIC. Successful MIC verification means the MIC detects active attacks (unlike WEPs Integrity Check
MSDU can be delivered to the upper level. If two MICs Value (ICV)) and countermeasures are employed to prediffer in any bit position (interpreted as MIC failure), the vent persistent message forgery attacks. However, TKIP
receiver will discard the packet and will engage in appro- still uses ICV in conjunction with the MIC to prevent
priate countermeasures.
false detection of MIC failures, and therefore thwart false
As specified in [9], TKIP MPDU is extended by 4 bytes countermeasure initiation. TKIP takes active counterto accommodate the new Extended IV (ExtIV) field and measures when two MIC failures are detected in less than
the MSDU format is expanded by 8 bytes, to accommo- one minute [9]. For MIC failure rate above one per
date the new MIC field. The simplified layout of the en- minute, the station basically deletes all keys and attempts
crypted MPDU format is depicted in Figure 1. When to re-associate (re-keying the connection) once more afthe MSDU-with-MIC cannot be encoded within a single ter a waiting period. However, this also implies that the
WEP-encapsulated MDPU, it is fragmented into appro- attacker needs only two MIC-invalid packets per minute
priately sized MPDUs. The 4 bytes of ExtIV are added to completely prevent Wi-Fi users accessing the network.
after the existing IV/Key ID Field, i.e. the IV and Key Although, normal network operation can resume at least
ID of 4 bytes is retained in the form as defined with base- 60s after the second MIC failure, to prevent this counline WEP. If the ExtIV bit is 0 only the WEP style termeasure from being used as a pedestal for a denial
non-extended IV is transferred. When the ExtIV bit is of service attack, the MIC is checked last in the TKIP
set and the Extended IV field is supplied for TKIP, this de-encapsulation/decryption process. The risk of false
indicates presence of extended mode to the receiver. The alarms is minimized when MIC is verified after the CRC,
transmitting/receiving station keeps track of the IV value IV and other checks have been performed [9]. Frames
of to detect key exhaustion. As noted in Figure 1, the with invalid ICV and TSC are discarded before the MIC
extended IV field is not encrypted [9]. All the MPDUs is verified. Thus, ICV ensures that noise and transmission
228
229
4.1
Algorithm 2 b(L, R)
1: rotates, little-Endian additions, bit swaps
2: R R (L <<< 17)
3: L (R + L)mod23 2
4: R RXSW AP (L)
5: L (R + L) mod 23 2
6: R R (L <<< 3)
7: L (R + L)mod 23 2
8: R R(L >>> 2)
9: L (R + L)mod 23 2
10: return (L, R)
(n (4bytesXOR)) +
[n {(4 (4bytesXOR))
+(4 (4bytesADD) + (4 (XSW AP ))
+(22 bit wiseROT ) + (4 M OD))}].
= 52n(XOR) + 19n(SHIF T ).
Considering Tand , Tor , and Tshif t to denote the numbers of processing cycles required for performing basic
operations of a byte-wise AND, a byte-wise OR, and a
byte-wise SHIFT respectively. The equation is:
TM ICCALC
52n(2Tand + T ) + 19nTshif t ,
4.2
230
4.3
keyM x
= 2570(2Tand + Tor )
+ 2590L(2Tand + Tor ) + 10L(Tmem ).
And, if L = 8, we obtain:
Tphase1
keyM x
keyM x
= 9341Tand + 4671Tor
P P K0 + RotRi(P P K5
M K16 (T K1 3, T K1 2)
16:
P P K1
P P K1
+
RotRi(P P K0 8M K16(T K15 , T K14 )
17:
P P K2 P P K2 + RotRi(P P K1 )
18:
P P K3 P P K3 + RotRi(P P K2 )
19:
P P K4 P P K4 + RotRi(P P K3 )
20:
P P K5 P P K5 + RotRl(P P K4 ) + i
21: end for
22: PHASE2 STEP3 applies last T K bits and assigns 24bit IV
23: W EP Seed0 T SC1
24: W EP Seed1 (T SC1 I0x20)&Ox7F
25: W EP Seed2 T S0
26: W EP Seed3
LoB((P P K5
M K16(T K1 , T K0 )) >> 1)
27: for i = O to 5 do
28:
W EP Seed4+(2.i) Lo8(P P Ki )
29:
W EP Seed5+(2,i) Hi8(P P Ki )
30: end for
31: Output W EP Seed0 . . . W EP Seed15
of key mixing computation, without Phase 1 intermediate key caching, is expressed as:
Tboth
keyM x /perbyteencryption
+ 12Tmean + 12Trot .
In baseline TKIP, Phase Loop Count value is chosen
as 8, this maintains a balance between robustness in
key mixing and complexity of key generation.
231
keyM x /perbyteencryption
=
3495Tand + 1748Tor + 6Tmem + 12Trot .
keyM x /perbyteencryption
=
584Tand + 292Tor + 1Tmem + 1Trot .
4.4
232
= 6AN D + 3OR + SW AP + SU B;
= 6Tand + 3Tor + Tswap + Tsub .
256 (3ADD + M OD + SW AP ).
Assuming Tand , Tor , and Tswap denote the number of TRC 4/perbyte = TKSA + TP RGA /perbyte + XOR/byte.
processing cycles required for performing basic operations
Total number of processing cycles for m bytes of data
of a byte wiseAN D, a byte wiseOR, and a byte
encryption
is,
wiseSW AP from, respectively. Thus, we have:
TKSA
TRC 4 =
Message
size (M)
in bytes
16
32
48
64
80
96
112
128
4.5
Case 1
TT KIP
88063
173291
258519
343747
428975
514203
599431
684659
Case 2
TT KIP
88063
89993
91923
93853
95763
97713
99643
101573
TKIP Packet Transmission Overhead work, we assume that it is possible to set pre-shared key
TKIP does extra computation for per packet key generation. MIC check accounts for additional computation and
increases the payload by 8 bytes. WEP appends only 8
bytes extra (i.e. 3 bytes for IV, 6 bits zero reserved, 2
bits key ID and 4 bytes ICV) in an IEEE 802.11 frame,
whereas there are a total of 20 bytes (i.e. 4 bytes IV and
key ID, 4 bytes extended IV, 8 bytes MIC and 4 bytes
ICV) associated with TKIP in an IEEE 802.11 frame, as
summarized in Table ??. Hence, TKIP extends the total
length of a WEP encrypted MPDU by 12 bytes. IEEE
802.11 MSDU maximum size is explicitly 2304 bytes. The
maximum MAC header and FCS overhead is 34 bytes, but
only frames between access points over a wireless distribution system use all MAC header fields.
4.6
233
234
sequence number. However, when wireless channel conditions degrade during transmission, the ACK message
may not be received due to LOTKIP packets loss or ACK
packet loss. An adaptive transmission control can be
used, such that in the case of lost packets, data packet
transmission stops and the source instead sends probes
(short packets). Once acknowledgement of a probe is received, the sender resumes to normal transmission again
with an initial LOTKIP packet type A, and then continues with LOTKIP packet type B. Further, LOTKIP
encapsulation uses special flag bits for specific control purpose. The LOTKIP is particularly applicable for ad hoc
wireless networks with short transmission range and low
interference.
Next, in LOTKIP the MIC also includes the IV part in
its tag computation. The transmitter computes a keyed
cryptographic message integrity code over the MSDU
source and destination addresses, the priority bits, the
MSDU plaintext data and the 48-bit Extended IV also.
LOTKIP appends the computed new MIC to the MSDU
data prior to fragmentation into MPDUs. The receiver
obviously has to verify the MIC after decryption with
Extended IV, ICV checking, and reassembly of the MPDUs into an MSDU. Invalid MIC means discarding of
corresponding MSDUs, and this defends against forgery
attacks and replay attacks.
In the traditional baseline TKIP approach, the key reason why the IV is transmitted in the clear is because the
802.11 standard assumes that an adversary does not gain
any useful information from its knowledge. The IV is
meant to introduce randomness to the key, and appending
the clear IV in the transmitted packet helps the receiver
to decrypt the information sent from the transmitter station. However, it has been proved that various types of
attacks are possible using the IV knowledge as described
in [2, 25, 26]. The proposed LOTKIP heals this problem,
as well minimizes packet overhead and thus potentially
saving on transmission energy.
Size (Bytes)
4
4
8
4
20
6.2
6
6.1
802.11 WLAN device usually operate in one of the following modes: Transmit or Receive or Idle. When data bits
are transmitted on the channel, the power consume is PT
watts. When data bits are received and processed from
235
236
Therefore, LOTKIP could be a better scheme to transmit larger packets securely at lower network energy cost.
The simple and efficient optimization scheme in LOTKIP
shows lower overhead and energy saving. Since all packets
depend of the first LOTKIP packet which contained the
IV part, this packet is of high importance. In our simulation we assumed that this critical packet is not lost or
intercepted by adversaries. In real network transmissions,
the first LOTKIP packet can be treated in priority and
delivered securely by VNP tunnelling techniques.
However, we have not studied the energy consumption
of WLAN attacks, such as denial of service attacks, related security countermeasures of LOTKIP. One approach
to measure the efficiency of LOTKIP, and study how to
Figure 4: Network energy cost comparison
minimize energy drain due to wireless LAN attacks, is
to gauge its resilience to cryptanalysis attacks, such as
brute-force attack, differential cryptanalysis and linear
inter-station distance |uv|: if |uv| R then a link ex- cryptanalysis.
ists between wireless station at u and v in the network;
if |uv| > R then stations at u and v are not within direct transmission/reception range; and if R < |uv| R 7
Conclusion
then stations at u and v is connected probabilistically.
We simulate 100 different scenarios of randomly selected TKIP encryption/decryption is one of the persistent overtransmitter-receiver pairs among the 49 nodes in the ad head in wireless security for the entire communication seshoc wireless network and the results are averaged. In this sion. In this paper, we have described, LOTKIP, a simple
simulation, we assumed the receiver node cannot be com- and optimized wireless security protocol that carries out
promised and there is an existing key management system power-efficient encryption and decryption. A mathematical complexity model of TKIP has been derived in terms
as described previously.
of processing cycles of its basic operations and adapted
to study the performance of LOTKIP. LOTKIP decreases
6.4 Results and Discussions
complexity of wireless encryption while making LOTKIP
The maximum IEEE 802.11 MSDU size is 2312 octets be- frame transmission energy efficient.
fore the frame body is encrypted. Frames are fragmented
and tested from 256 to 2312 bytes length. 10,000 packets of size (P ) are transmitted from randomly selected Acknowledgements
sources and destinations in the 49 nodes ad hoc network.
End-to-end baseline TKIP (without key caching) encryp- The authors thank anonymous reviewers for their comtion/decryption is applied to secure communication. The ments to improve the paper.
simulation is run for grid distribution and random distribution ad hoc nodes. 20 bytes header is appended to the
packets P to form the TKIP encapsulated frames. The to- References
tal energy consumption by all nodes in the network (Network Energy Consumption/Joules) is plotted in Figure 4. [1] M. Bechler, H. J. Hof, D. Kraft, F. Pahlke, L.
and Wolf, A cluster-based security architecture for
The dotted lines represent the results for random ad hoc
ad hoc networks, Proceedings of IEEE INFOCOM
wireless network.
2004, pp. 2393-2403, Hong Kong, 2004.
Dividing the Network Consumption Energy by the
[2]
N. Borisov, I. Goldberg, D. and Wagner, Internumber of nodes/stations in the network, e.g. 49 nodes
cepting mobile communications: the insecurity of
in our case, gives the average energy spent (Joules) per
802.11, 7th Annual Intl. Conference on Mobile
node/station. For brevity, we do not show the graph of
Computing and Networking, Rome, Italy, July 2001.
average energy spent per node, since the overall trend is
similar to Figure 4. As shown in the same figure, the [3] S. Capkun, L. Buttyan, and J. P. Hubaux, Self organized public key management for mobile ad hoc
network energy consumption increase linearly with larger
networks, IEEE Transactions on Mobile Computpacket size, assuming all other simulation parameters reing, vol. 2, no. 1, pp. 52-64. 2003.
main constant. The energy efficiency factor gained by
LOTKIP is given as {2.33 + (P 0.00028)}, where P is [4] A. P. Charndrakasan, J. and Goodman, An energyefficient reconfigurable public key cryptography prothe packet size (256 P 2048bytes). The network encessor, IEEE Journal of Solid-state Circuits, vol. 36,
ergy consumption of baseline TKIP augments at a faster
no. 11, pp. 175-190, 2001.
rate compare to LOTKIP as the packet size gets bigger.
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
237
ternational Journal of Computer Science and Network Security (IJCSNS), vol. 6, no. 5b, pp. 138-156,
2006.
J. N. Jr, Analysis of Venkaiah et al.s AES design,
International Journal of Network Security, vol. 9, no.
3, pp. 285-289, 2009.
F. C. C. Osorio, E. Agu, and K. McKay, Comparison of security protocols in mobile wireless environments: Tradeoffs between level of security obtained
and battery life, First IEEE/Create-Net Workshop
on Security and QoS in Communication Networks,
pp. 4-12, Athens, Greece, Sep. 2005.
N. R. Potlapally, S. Ravi, A. Raghunathan, and N. K.
Jha, Analyzing the energy consumption of security
protocols, Proceedings Intlernational Symposium on
Low Power Electronics and Design, pp. 30-35. 2003.
N. R. Potlapally, S. Ravi, A. Raghunathan, and N.
K. Jha, A study of the energy consumption characteristics of cryptographic algorithms and security
protocols, IEEE Transactions on mobile computing,
vol. 5, no. 2, pp. 128-143. 2006.
J. Rijmen, V. Feldhofer, and M. Wolkerstorfer, AES
implementation on a grain of sand, IEEE Proceeding
Information Security, vol. 152, no. 1, pp. 13-20. 2005.
K. Srinivasan, and S. Michell, Performance of state
based key hop (SBKH) protocol for security on
wireless networks, IEEE 60th Vehicular Technology
Confernce, vol. 7, pp. 5214-5218. 2004.
E. Taqieddin, S. Jagannathan, and A. Miller, Optimal energy-delay routing protocol with trust levels
for wireless ad hoc networks, International Journal
of Network Security, vol. 7, no. 2, pp. 207-217, 2008.
J. Walker, 802.11 Security Series. Part I: The Wired
Equivalent Privacy (WEP), Intel Technical Report,
2004.
J. Walker, 802.11 Security Series. Part II: The Temporal Key Integrity Protocol (TKIP), Intel Technical
Report, 2004.