Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LCOS 3.50
225
Wireless LAN – WLAN
a new component (green), however, besides the CRC, the unencrypted
packet also has a so-called Michael MIC attached. This is a hash algorithm
developed especially for WLAN, designed so that it can be computed on older
WLAN hardware with reasonable overhead. Since, in contrast to the CRC, a
second key (the Michael key) must be agreed for this hash, it can neither be
calculated nor used to falsify a data packet without detection by the receiver.
This only remains true as long as an attacker does not break the Michael hash
by brute force. Due to the requirement of high run-time efficiency, Michael
makes a few compromises: although a 64-bit key is used, the effective strength
of Michael is only about 40 bits. This was still seen as sufficient, since a
potential attacker would first have to break the TKIP components in order to
generate data packets which would get past the CRC check of the WEP/RC4
components.
TKIP (red) takes care of calculating the actual key for the RC4 engine.
In contrast to WEP, the actual key and the IV contained in the packet are never
used directly as the RC4 key; instead they run through two so-called key
mixing phases together with the IV, so an attacker can draw no direct
conclusions about the RC4 key from the IV transmitted in clear text. This
solves the problem of 'weak' IVs in WEP (the key mixing itself is designed so
that weak RC4 keys can never occur).
Furthermore, the internally incremented IV transmitted in clear text in the
packet is 48 bits long instead of 24, so a sender can now transmit some 280
trillion packets before the 128-bit TKIP key must be changed. Even in a
modern WLAN with a nominal 108 Mbps, which achieves a net rate of around 50
Mbps, this would correspond to about 2000 years under the same assumptions
made above for WEP.
It must also be noted that the IV is split into two parts for reasons of
optimisation: a 16-bit low part and a 32-bit high part. The background for
this is that the key mixing proceeds in two phases, as shown in the illustration:
- For the first (computationally intensive) phase, only the upper part is
  needed, so it only has to be performed once for every 65,536 packets.
- The second, relatively simple phase of the key mixing uses the result of the
  first phase along with the low part of the IV (which changes with each
  packet) to create the actual RC4 key.
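The following Python model is an added illustration of the IV handling described above and of TKIP's rule that IVs must increase strictly from packet to packet; it is not LANCOM code. It models the 48-bit IV faithfully (a 32-bit high part and a 16-bit low part, with phase 1 cached and re-run only when the high part changes, and a receiver that drops any packet whose IV is not greater than the last accepted one), but the two mixing phases themselves are HMAC-SHA256 stand-ins, not TKIP's real S-box based key mixing; the key, address and counter values are constructed sample data.

```python
"""Model of TKIP's 48-bit IV (sequence counter) handling: phase-1 caching on the
IV high part, per-packet phase 2, and the receiver's monotonic-IV replay check.
The phase functions are stand-ins (HMAC-SHA256), not the real TKIP mixing."""
import hashlib
import hmac

TSC_BITS = 48
TSC_MAX = (1 << TSC_BITS) - 1  # last usable IV before the TKIP key must change


def packets_before_rekey():
    """Number of IVs available per TKIP key: 2^48, about 280 trillion."""
    return 1 << TSC_BITS


def split_iv(tsc):
    """Split a 48-bit IV into its 32-bit high part and 16-bit low part."""
    if not 0 <= tsc <= TSC_MAX:
        raise ValueError("IV out of 48-bit range")
    return tsc >> 16, tsc & 0xFFFF


class TkipKeyMixer:
    """Key mixing for one direction, caching the phase-1 result per IV high part."""

    def __init__(self, temporal_key, transmitter_address):
        self.tk = temporal_key
        self.ta = transmitter_address
        self.phase1_cache = None   # (iv_high, phase-1 output)
        self.phase1_runs = 0       # how often the expensive phase actually ran

    def _phase1(self, iv_high):
        # Stand-in for TKIP phase 1: mixes temporal key, transmitter address
        # and the IV high part; only depends on values that change every 65,536 packets.
        self.phase1_runs += 1
        msg = b"phase1" + self.ta + iv_high.to_bytes(4, "big")
        return hmac.new(self.tk, msg, hashlib.sha256).digest()[:10]

    def _phase2(self, ttak, iv_low):
        # Stand-in for TKIP phase 2: phase-1 output plus the 16-bit low part
        # gives the per-packet 128-bit RC4 key.
        msg = b"phase2" + ttak + iv_low.to_bytes(2, "big")
        return hmac.new(self.tk, msg, hashlib.sha256).digest()[:16]

    def packet_key(self, tsc):
        iv_high, iv_low = split_iv(tsc)
        if self.phase1_cache is None or self.phase1_cache[0] != iv_high:
            self.phase1_cache = (iv_high, self._phase1(iv_high))
        return self._phase2(self.phase1_cache[1], iv_low)


class TkipReceiver:
    """Receiver side: IVs must increase strictly, otherwise the packet is dropped."""

    def __init__(self, temporal_key, transmitter_address):
        self.mixer = TkipKeyMixer(temporal_key, transmitter_address)
        self.last_tsc = -1
        self.replays_dropped = 0

    def accept(self, tsc):
        if tsc <= self.last_tsc:
            self.replays_dropped += 1   # replayed or reordered packet
            return None
        self.last_tsc = tsc
        return self.mixer.packet_key(tsc)


def simulate(n_packets, start_tsc=0):
    """Send n_packets with consecutive IVs, then replay the last two of them."""
    tk = bytes(range(16))                       # constructed sample temporal key
    ta = bytes.fromhex("001122334455")          # constructed sample MAC address
    sender = TkipKeyMixer(tk, ta)
    receiver = TkipReceiver(tk, ta)
    keys_match = True
    seen_keys = set()
    for tsc in range(start_tsc, start_tsc + n_packets):
        k_send = sender.packet_key(tsc)
        k_recv = receiver.accept(tsc)
        keys_match = keys_match and (k_send == k_recv)
        seen_keys.add(k_send)
    for tsc in (start_tsc + n_packets - 1, start_tsc + n_packets - 2):
        receiver.accept(tsc)                    # replays: must be rejected
    return {
        "keys_match": keys_match,
        "distinct_keys": len(seen_keys),
        "phase1_runs": sender.phase1_runs,
        "replays_dropped": receiver.replays_dropped,
    }


if __name__ == "__main__":
    # Ten packets straddling the 65,536 boundary: phase 1 runs exactly twice.
    print(simulate(10, start_tsc=65530))
    print("IVs per key:", packets_before_rekey())
```

Running the block sends ten packets whose IVs cross the 65,536 boundary, so phase 1 runs exactly twice while phase 2 runs for every packet, and the two replayed IVs are dropped by the receiver's strictly-monotonic check.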
In contrast to WEP, TKIP additionally requires that the IVs used from packet
to packet increase in a strictly monotone manner, so the receiver only has to
perform phase 1 once for every 65,536 received packets. The