Chapter 2 Related Works
2.2 The Keyed-Hash Message Authentication Code
2.2.3 HMAC Algorithm
The following operation computes a MAC of the data “text” with the HMAC algorithm:
MAC(text)_t = HMAC(K, text)_t = H((K0 ⊕ opad) || H((K0 ⊕ ipad) || text))_t
where K0 is the key after pre-processing (Steps 1 to 3 below), ⊕ denotes exclusive-or, || denotes concatenation and the subscript t denotes truncation to the leftmost t bytes.
Figure 2.3 and Table 2.2 describe the step-by-step process of the HMAC algorithm.
Figure 2.4 Illustrates the construction of HMAC.
Steps: Description of each step
Step1~Step3: Determine the pre-processing of K0
Step4: Exclusive-or K0 with ipad
Step5: Append the text to the result of Step4
Step6: Use the result of Step5 as the input of H
Step7: Exclusive-or K0 with opad
Step8: Append the result of Step6 to the result of Step7
Step9: Use the result of Step8 as the input of H
Step10: The MAC is the leftmost t bytes of the result of Step9
Table 2.3 The HMAC algorithm
HMAC Example (FIPS 198 Sample #3, H = SHA-1, t = 20)
Text: "Sample #3"
Key (100 bytes):
50515253 54555657 58595a5b 5c5d5e5f
60616263 64656667 68696a6b 6c6d6e6f
70717273 74757677 78797a7b 7c7d7e7f
80818283 84858687 88898a8b 8c8d8e8f
90919293 94959697 98999a9b 9c9d9e9f
a0a1a2a3 a4a5a6a7 a8a9aaab acadaeaf
b0b1b2b3
Hash(Key) (the key is longer than the 64-byte block size of H, so it is hashed first):
a4aabe16 54e78da4 40d2a403 015636bf 4bb2f329
K0 (Hash(Key) zero-padded to 64 bytes):
a4aabe16 54e78da4 40d2a403 015636bf
4bb2f329 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
K0 ⊕ ipad:
929c8820 62d1bb92 76e49235 37600089
7d84c51f 36363636 36363636 36363636
36363636 36363636 36363636 36363636
36363636 36363636 36363636 36363636
(K0 ⊕ ipad) || text:
929c8820 62d1bb92 76e49235 37600089
7d84c51f 36363636 36363636 36363636
36363636 36363636 36363636 36363636
36363636 36363636 36363636 36363636
53616d70 6c652023 33
Hash((K0 ⊕ ipad) || text):
d98315c4 2152bea0 d057de97 84427676 2a1a5576
K0 ⊕ opad:
f8f6e24a 08bbd1f8 1c8ef85f 5d0a6ae3
17eeaf75 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
(K0 ⊕ opad) || Hash((K0 ⊕ ipad) || text):
f8f6e24a 08bbd1f8 1c8ef85f 5d0a6ae3
17eeaf75 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
5c5c5c5c 5c5c5c5c 5c5c5c5c 5c5c5c5c
d98315c4 2152bea0 d057de97 84427676
2a1a5576
HMAC(Key, Text) = Hash((K0 ⊕ opad) || Hash((K0 ⊕ ipad) || text)):
bcf41eab 8bb2d802 f3d05caf 7cb092ec f8d1a3aa
20-byte HMAC(Key, Text):
bcf41eab 8bb2d802 f3d05caf 7cb092ec f8d1a3aa
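As an added example (not code from the thesis), the HMAC computation above written out in Python: the K0 pre-processing of Steps 1 to 3 (hashing an over-long key and zero-padding), the ipad and opad passes, and the Step 10 truncation, checked against the Sample #3 values tabulated above and against Python's own hmac module. The receiver-side check verify_mac is an assumed name, not part of the standard.

```python
import hashlib, hmac

def hmac_manual(key: bytes, text: bytes, hash_fn=hashlib.sha1, t: int = None) -> bytes:
    """H((K0 xor opad) || H((K0 xor ipad) || text)), truncated to the leftmost t bytes (Step 10)."""
    block = hash_fn().block_size                     # B = 64 bytes for SHA-1 and SHA-256
    if len(key) > block:                             # Steps 1-3: a key longer than B is hashed first,
        key = hash_fn(key).digest()
    k0 = key.ljust(block, b"\x00")                   # then K0 is the result zero-padded to B bytes
    inner = hash_fn(bytes(b ^ 0x36 for b in k0) + text).digest()   # Steps 4-6: H((K0 xor ipad) || text)
    mac = hash_fn(bytes(b ^ 0x5C for b in k0) + inner).digest()    # Steps 7-9: H((K0 xor opad) || inner)
    return mac if t is None else mac[:t]

def verify_mac(key: bytes, text: bytes, purported: bytes, t: int = None) -> bool:
    """Receiver side (assumed helper): recompute and compare in constant time.
    A purported t-byte MAC from someone without the key passes with probability 2^-8t."""
    return hmac.compare_digest(hmac_manual(key, text, t=t), purported)

def fips198_sample3() -> dict:
    """Recompute the Sample #3 vector tabulated above: 100-byte key 0x50..0xb3, text "Sample #3"."""
    key, text = bytes(range(0x50, 0xB4)), b"Sample #3"
    mac = hmac_manual(key, text)
    assert mac == hmac.new(key, text, hashlib.sha1).digest()   # cross-check with the standard library
    return {"hash_key": hashlib.sha1(key).hexdigest(), "mac": mac.hex()}
```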
In general, the SHA family of hash functions is not designed for use as a MAC. These hash functions cannot be used as a MAC directly because they do not depend on a secret key. To date, the HMAC algorithm is the widely used way of adding a secret key to a hash function, and it is included in several standards such as RFC 2104, IP security, SSL and FIPS 198.
A Limitation of MAC Algorithms
Successful verification of a MAC does not completely guarantee that the accompanying message is authentic. There is a chance that a source with no knowledge of the key can present a purported MAC on the plaintext message that will pass the verification procedure. For example, an arbitrary purported MAC of t bits on an arbitrary plaintext message will be successfully verified with an expected probability of (1/2)^t. This limitation is inherent in any MAC algorithm.
Design goal of HMAC
HMAC uses a secret key for the calculation and verification of the MAC. The main goals behind the HMAC construction are:
To use available hash functions without modification.
To make it easy to replace the embedded hash function if a more efficient one is needed, without incurring a significant degradation.
To use and handle secret keys in a simple way.
To have a well-understood cryptographic analysis of the strength of the authentication mechanism.
The first two items are the reasons the HMAC algorithm is so widespread. If the original hash function is found to be insecure, we can replace it with another secure hash function to improve the security of HMAC. The last item is the vital reason HMAC is superior to other methods: if the hash function is strong enough, the security of HMAC can be proved.
Chapter 3 Technicalities Overview of WEP
3.1 WEP Weakness
The previous chapter introduced the step-by-step processing of WEP; in this section we discuss the weaknesses of WEP.
Security Holes Analysis
WEP packets are encrypted with the RC4 algorithm. The designers specified the use of RC4, which is widely accepted as a cryptographic algorithm. However, attackers can attack any weak point in the cryptographic system, and the techniques for defeating WEP come from all angles. Once the RC4 ciphertext is decrypted, no security service can be guaranteed. In general, the CRC is not verified by the source, so an attacker can decrypt and then arbitrarily modify or forge the original message.
All WEP security holes can be classified into four main conceptual flaws.
(1). First, the 24-bit initialization vector is transmitted as plaintext
corresponds to the specific RC4 weak secret key used to start the attack.
(2). Second, data source authentication
WEP has no mechanism to guarantee data source authentication. WEP uses the CRC check to ensure the integrity of transmitted data. If the integrity check is incomplete, transmitted messages can be forged by an attacker during transmission. The attacker may then recompute the integrity check value (called the ICV) without being detected.
(3). Third, reuse of the secret keystream
Stream ciphers are vulnerable to analysis when the keystream is reused. The way WEP selects the IV lets an attacker discover something from the repeated use of the secret keystream. Two packets that share the same IV almost certainly use the same secret key and keystream. As WEP selects a 24-bit IV (2^24 = 16,777,216 values), the birthday paradox tells us that within every 4,096 packets the probability of a repeated IV is greater than one half.
(4). Fourth, use of the Cyclic Redundancy Check
Because the CRC check value is only encrypted with the RC4 keystream, the CRC has no cryptographic security. If data integrity cannot be assured by the CRC, attackers can modify frames without being detected. The 802.11 standard defines retransmission when frames are lost, and attackers can retransmit modified packets to make receivers accept them.
RC4 Key Recovery against WEP
In 2001, Scott Fluhrer, Itsik Mantin and Adi Shamir presented several weaknesses in the key scheduling algorithm of RC4 and described their cryptanalytic significance. They identified a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with non-negligible probability. They also used these weak keys to construct new distinguishers for RC4 and to mount related-key attacks with practical complexities, and showed that RC4 is completely insecure in a common mode of operation which is used in the widely deployed WEP.
The Fluhrer, Mantin and Shamir (FMS) attack takes advantage of a weakness in the RC4 key scheduling algorithm to reconstruct the key from a number of collected encrypted messages. The FMS attack gained popularity in tools such as AirSnort and aircrack [4], both of which attack WEP-encrypted wireless networks. For this discussion, we use the RC4 key scheduling algorithm (KSA) and pseudo-random generation algorithm (PRGA) given below.
Key scheduling algorithm (KSA)
begin ksa(with int keylength, with byte key[keylength])
    for i from 0 to 255
        S[i] := i
    end for
    j := 0
    for i from 0 to 255
        j := (j + S[i] + key[i mod keylength]) mod 256
        swap(S[i], S[j])
    end for
end
Pseudo-Random Generation Algorithm (PRGA)
begin prga(with byte S[256])
    i := 0
    j := 0
    while GeneratingOutput
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod 256]
    end while
end
Key Recovery Defense
Longer secret keys cannot defend against key recovery attacks.
The time required to recover a secret key can be broken up into the gathering time required to collect enough packets for the attack, and the computational time required to run the program and obtain the secret key.
The computational time is only a few seconds. Longer keys require slightly more computational time, but the gathering time stays essentially the same: as the key length increases, more weak IVs are captured.
The defense adopted by many vendors is to avoid using weak IVs.
Most vendors have changed their products so that each IV is checked and all weak IVs are replaced by non-weak IVs. However, reducing the size of the IV space causes IVs to be reused earlier.
3.2 Brief Review of eWEP Scheme
The eWEP scheme was proposed by Hani Ragab Hassan. eWEP [6]
aims to solve the WEP flaws without hardware modification while keeping good interoperability with existing WEP.
Encryption principle of eWEP
eWEP is similar to WEP. The difference between them is that eWEP encrypts the concatenation of the message and the IV with RC4.
Encrypting the IV aims to prevent eavesdropping on it. As shown in Figure 3.1 and Figure 2.2, let us focus on Mi. In WEP, the IV is transmitted as plaintext concatenated after Ci. Eavesdroppers can use this security hole to gather enough initialization vectors and then break the whole WEP security mechanism. In order to eliminate this security hole, the authors of eWEP
and CRC check value and then XOR with keystream.
As step 5 of Figure 3.1 shows, both the message and the IV are sent as ciphertext. Now it is not easy for eavesdroppers to gather IVs: they have to decrypt each packet before gathering the initialization vector, which greatly increases the security of WEP.
Figure 3.1 Encryption process of eWEP.
As shown in Figure 3.2, the eWEP sender uses IVi to encrypt the concatenation of Mi and IVi+1. Thus, it is sufficient for the receiver to know the initial IV (e.g. IV1) to decrypt the first packet, which contains IV2 used to decrypt the second packet, and so on. The dependency between one frame and the next is a vital property. It means that the remote end has to receive the first initial packet before the following packets can be decrypted.
On the other hand, if an attacker attempts to modify or forge a frame
lost during the transmission process, the following packet cannot be decrypted either. We can also achieve replay detection by verifying whether the received packet is decryptable or not. If the packet is a replay, it cannot be decrypted with the current IV, because the IV changes for every packet.
Figure 3.2 cipher principle of eWEP.
eWEP Analysis
We compare WEP with eWEP according to three criteria. The first is the level of security; the second is the packet format; and finally the
(1). Security
The security mechanism of WEP has already been broken; as shown in Figure 3.1 and Figure 3.2, the privacy of eWEP is resistant against intruders.
(2). Packet Format
The format of eWEP packets is different from the original WEP packet format. In fact, the difference in packet format affects interoperability between WEP and eWEP.
(3). Computational Overhead
In general, using a keystream allows the computation to be separated into two different parts. The first is generating the keystream, which can be done off-line. The second is the XOR of the message with the keystream.
Although eWEP maintains this principle, it still needs to encrypt an additional 24-bit initialization vector.
From all of the above, we draw a conclusion on eWEP: it improves the security level, but the packet format and the computational overhead are new problems. In the next chapter we provide a new scheme called Optimized WEP Protocol (O-WEP). O-WEP resolves the WEP threats and avoids these new problems.
Chapter 4 Optimized WEP Scheme (O-WEP)
The protection offered by WEP gives users both convenience and security. However, the paper “Weaknesses in the Key Scheduling Algorithm of RC4”, published in August 2001, presented the famous FMS attack against WEP. In this chapter, we provide a new WEP scheme called Optimized WEP Protocol (O-WEP).
4.1 Notation and Nomenclature in O-WEP
In order to enhance the performance (security) of WEP, we provide the O-WEP mechanism. O-WEP aims to resolve the problems of WEP without changing or adding hardware, merely by a software update. O-WEP also keeps the original packet format, so that it interoperates well with WEP. All components of O-WEP are described in Table 4.1.
k: The secret key of WEP.
HMACk: Keyed-Hash Message Authentication Code with key k.
MSi: Similar to IVi of WEP; it is used to generate the keystream (KSi) dynamically.
KSi: The dynamic keystream produced from MSi and IVi.
Mi: The ith transmitted message.
Ci: The ith encrypted packet.
CRC: Cyclic Redundancy Check, widely used in network protocols.
Table 4.1 Notation in O-WEP
MSi and KSi can be written as the following functions:
MS0 = HMACk(IV0)                         (1)
MSi = HMACk(IVi, MSi−1)   ∀ i ≥ 1        (2)
KSi = RC4(k, MSi)         ∀ i ≥ 0        (3)
Ci = Mi ⊕ KSi                            (4)
The HMACk used in functions (1) and (2) is a message authentication code (MAC) constructed from a secure hash algorithm. The purpose of using HMAC is to compute MSi (see functions (1) and (2): MS is computed by the HMAC algorithm). In addition, the k of HMAC is a secret key (initially, the secret key is set up by the users).
HMAC is included in several international standards, such as the SSL protocol and NIST. Besides, IP security also requires that the MAC be implemented by the HMAC algorithm. In addition, HMAC can use the embedded hash function without any revision (in this paper, we recommend using the SHA-2 hash function). Function (3) means that the secret key k and MSi (MSi replaces the original IVi of WEP) produce the keystream KSi by the RC4 algorithm. Function (4) explains how to produce the ciphertext Ci from Mi and KSi.
Figure 4.1 Transmission processes of O-WEP packets. (Figure: Sender and Receiver; the 0th transmitted packet carries C0, CRC and IV0; the ith transmitted packet carries Ci, CRC and IVi.)
Figure 4.2 explains the process of packet transmission between sender and receiver. Transmitted packets can be divided into the initial packet and non-initial packets. The initial packet is encrypted using MS0 and the others using MSi. The detailed encryption and decryption processes are discussed in the following section.
4.2 O-WEP Cryptographic Operations
In this section, we show the detailed process of O-WEP. As Figure 4.3 shows, the encryption process of O-WEP is similar to that of WEP.
O-WEP has the same encryption processing as WEP except that O-WEP replaces IVi with MSi as the input of RC4 (MS is defined in functions (1) and (2)). In the following, we consider two situations of the O-WEP encryption and decryption process between sender and receiver: first, the encrypted packet is the initial packet; second, the encrypted packet is a non-initial packet.
Figure 4.2 Encryption process in O-WEP.
First, encrypting the initial packet
When the sender transmits the initial packet, it obtains MS0 by function (1) and then runs the RC4 algorithm with the secret key to obtain KS0 by function (3). KS0 is used to encrypt the transmitted packet; the IV0 used in function (1) is then concatenated to the encrypted packet and transmitted together with it. When the remote end receives the encrypted packet, the receiver uses IV0 to obtain MS0 by function (1) and computes KS0 to decrypt the packet.
Second, encrypting a non-initial packet
If the sender transmits a non-initial packet (i.e. i > 0), MSi is generated by function (2). However, producing MSi needs IVi and MSi−1 (the value used by the previous packet). This means that each computed MSi has to be kept in order to encrypt the next transmitted packet. Similarly,
the receiver should keep at least the two most recent consecutive MS values to generate the later MS.
Figure 4.3 The dependency between O-WEP packets
According to this special mechanism, we can observe the rule of packet encryption. Figure 4.4 shows the dependency among O-WEP packets: the packets are linked to each other like a chain. Due to the chain architecture of O-WEP, each packet needs the packet preceding it for encryption and decryption. The advantages of this chain architecture are discussed in detail in the following chapter.
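As an added example (not code from the thesis), the KSA and PRGA of section 3.1 implemented in Python and used to build the O-WEP chain of functions (1) to (4) with HMAC-SHA256, with a receiver that, as described above, rejects a replayed packet and cannot decrypt the packet after a lost one until the lost packet is retransmitted. It assumes MSi = HMACk(IVi || MSi−1), that MSi || k is the RC4 key (as IV || k is in WEP), a CRC-32 ICV, and the packet layout Ci || IVi; the thesis fixes none of these details, and the key and messages are constructed.

```python
import hashlib, hmac, struct, zlib

def rc4_ksa(key: bytes) -> list:
    """Key scheduling algorithm (KSA) as given in section 3.1."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Pseudo-random generation algorithm (PRGA): n bytes of keystream."""
    S, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(m: bytes) -> bytes:
    """Message followed by its CRC-32 integrity check value (ICV), as in WEP (assumed)."""
    return m + struct.pack("<I", zlib.crc32(m))

def next_ms(k: bytes, iv: bytes, prev_ms: bytes) -> bytes:
    """Functions (1)/(2): MS0 = HMACk(IV0) and MSi = HMACk(IVi || MSi-1), with SHA-256."""
    return hmac.new(k, iv + prev_ms, hashlib.sha256).digest()

class OWEPEndpoint:
    """One side of the O-WEP chain; sender and receiver share only the secret key k."""
    def __init__(self, k: bytes):
        self.k, self.ms = k, b""      # b"" stands for "no previous MS" before the initial packet
    def _keystream(self, iv: bytes, n: int):
        ms = next_ms(self.k, iv, self.ms)
        return ms, rc4_keystream(ms + self.k, n)   # function (3): MSi takes the place of WEP's IVi
    def send(self, iv: bytes, m: bytes) -> bytes:
        body = with_icv(m)
        self.ms, ks = self._keystream(iv, len(body))
        return xor(body, ks) + iv                   # function (4); packet layout Ci || IVi, as in WEP
    def recv(self, pkt: bytes):
        c, iv = pkt[:-3], pkt[-3:]                  # the 24-bit IV still travels in the clear
        ms, ks = self._keystream(iv, len(c))
        body = xor(c, ks)
        if body != with_icv(body[:-4]):
            return None                 # chain state mismatch (loss, replay, forgery): ICV fails
        self.ms = ms                    # advance the chain only after a good packet
        return body[:-4]

def owep_demo():
    """Constructed 40-bit key and four packets: in-order delivery, a replay and a lost packet."""
    k = bytes.fromhex("0102030405")
    s, r = OWEPEndpoint(k), OWEPEndpoint(k)
    pkts = [s.send(i.to_bytes(3, "big"), b"packet %d" % i) for i in range(4)]
    delivered = [r.recv(p) for p in pkts[:2]]        # packets 0 and 1 arrive in order
    replay = r.recv(pkts[1])                         # packet 1 replayed: the chain has moved on
    after_loss = r.recv(pkts[3])                     # packet 2 lost: packet 3 cannot be decrypted yet
    recovered = r.recv(pkts[2]) and r.recv(pkts[3])  # packet 2 retransmitted, then 3 decrypts
    return delivered, replay, after_loss, recovered
```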
Chapter 5 Security Analysis
In the previous chapter we used HMAC to improve the security of WEP; this chapter presents the security analysis of O-WEP.
5.1 Security Improved
In chapter three we pointed out several weaknesses, such as the initialization vector being transmitted as plaintext, the lack of data source authentication, reuse of the secret keystream and the use of the Cyclic Redundancy Check. Now we draw the conclusions in the following words.
(1). Initialization vector transmitted as plaintext. Although the IV is still transmitted as plaintext in O-WEP, the keystream (KSi) used to encrypt packets is not produced from IVi and k but from MSi−1 and IVi. Consider attackers who attempt to mount the FMS attack by gathering many packets and analysing the encrypted keystream to guess the original secret key.
However, the FMS attack still needs MSi−1 to find the initialization vector in the decryption process. Compared to WEP, O-WEP removes this weakness of WEP. Due to this, it is much more difficult for an attacker to
(2). Data source authentication. According to Figure 4.4, we can observe the dependency among O-WEP packets. When O-WEP suffers a replay attack, the resent or fake packets cannot be decrypted and the CRC check value fails verification. Due to this, the illegal delivery can be detected.
(3). Reuse of the secret keystream. WEP uses a 24-bit initialization vector (about 16 million values) and the secret key to produce the keystream. In a busy network the 24-bit IV is repeated too easily. (By the birthday paradox, within every 4,096 packets the probability of a repeated IV is greater than one half.) O-WEP instead uses MSi, generated by HMACk(MSi−1, IVi), to produce the keystream. If HMACk adopts the SHA-256 hash function, the length of each generated MSi is 256 bits.
As a result, the probability of keystream reuse drops sharply. (By the birthday paradox, a repeat becomes more likely than not only after about 2^140 packets.)
(4). Reliability. Here we discuss how to solve the problem of packets lost during transmission. From Figure 4.4 it is easy to see that O-WEP has the property of packet dependency: when a packet is lost, the following packet cannot be decrypted.
Due to this, if the receiver R detects a packet loss, R returns a special message M to the sender. After the sender S
receives the special message, S retransmits the packet.
According to the above analysis, the security strength of O-WEP depends only on the hash function adopted by HMACk. As to SHA-256, when an attacker uses a birthday attack against the 256-bit message digest, a time complexity of 2^((256+24)/2) is needed to find one collision. This makes attackers pay a very great price if they attempt
Figure 5.1 The comparison between WEP and O-WEP
In addition, Figure 5.1 shows that the packet format of O-WEP is the same as that of WEP; the only difference is that WEP uses IVi and k to produce KSi, whereas O-WEP uses MSi and k. O-WEP does not add any extra fields, so it uses no additional network bandwidth. The additional computation O-WEP needs is the part performed by HMACk. In fact, HMAC is included in many international standards, such as RFC 2104, IP security, SSL and FIPS 198, and is an algorithm that most hardware can support. Due to this, the extra computation is within the capability of a common computer system.
Chapter 6 Conclusion and future work
6.1 Conclusion
In this paper, we described the security holes of the WEP architecture. In order to eliminate them, we offered an optimized WEP security mechanism called O-WEP. The great advantage of O-WEP is that it does not need any hardware renewal, so O-WEP can be an optimized replacement for WEP. Compared to the original WEP, O-WEP greatly improves security. Although O-WEP adds a small amount of additional computation, the extra overhead is within the capability of a computer system.
6.2 Future work
Future work should focus on the problem of interoperability.
Indeed, deploying mixed networks will be an unavoidable step towards deploying O-WEP. Thus, the security threats in this case are the basic issue.
References
[1] S. Fluhrer, I. Mantin and A. Shamir, “Weaknesses in the key scheduling algorithm of RC4”, Selected Areas in Cryptography, pp. 1-24, 2001.
[2] M. S. Gast, 802.11 Wireless Networks: The Definitive Guide, 2nd ed., 2005.
[3] H. Krawczyk, M. Bellare and R. Canetti, “The Keyed-Hash Message Authentication Code (HMAC)”, Federal Information Processing Standards Publication 198, 2002.
[4] E. Tews, R. Weinmann and A. Pyshkin, “Breaking 104 bit WEP in less than 60 seconds”, http://www.aircrack-ng.org.
[5] Wi-Fi Alliance, “Wi-Fi Protected Access (WPA)”, http://www.wi-fi.org.
[6] H. Ragab Hassan and Y. Challal, “Enhanced WEP: An efficient