Beruflich Dokumente
Kultur Dokumente
11i
Message Integrity Code
Jianyong Huang, Jennifer Seberry, Willy Susilo, and Martin Bunder
University of Wollongong, NSW 2522, Australia
{jyh33, jennie, wsusilo, mbunder}@uow.edu.au
Abstract. The latest IEEE 802.11i uses a keyed hash function, called
Michael, as the message integrity code. This paper describes some properties and weaknesses of Michael. We provide a necessary and sucient
condition for nding collisions of Michael. Our observation reveals that
the collision status of Michael only depends on the second last block
message and the output of the block function in the third last round.
We show that Michael is not collision-free by providing a method to nd
collisions of this keyed hash function. Moreover, we develop a method to
nd xed points of Michael. If the output of the block function in any
round is equal to any of these xed points, a packet forgery attack could
be mounted against Michael. Since the Michael value is encrypted by
RC4, the proposed packet forgery attack does not endanger the security
of the whole TKIP system.
Introduction
Wireless devices based on IEEE 802.11b standard [3] are widely in use nowadays.
The IEEE 802.11b denes an encryption scheme called Wired Equivalent Privacy
(WEP). It is well known that WEP has several serious security aws. Fluhrer,
Mantin, and Shamir [7] (FMS) proposed an attack on the WEP encryption
protocol. By exploiting weaknesses of the RC4 [8] key scheduling algorithm, the
FMS attack demonstrated that the RC4 encryption key can be easily derived
by an eavesdropper who can intercept several million encrypted WEP packets
whose rst byte of plaintext is known. Stubbleeld, Ioannidis, and Rubin [9]
practically implemented the FMS attack, and showed that the real systems could
be defeated. Borisov, Goldberg, and Wagner [5] showed that the WEP data
integrity could be compromised as encrypted messages could be modied by
an attacker without being detected. Moreover, Arbaugh, Shankar, and Wan [4]
showed that the WEP authentication mechanism is vulnerable to attack.
To address the WEP vulnerabilities, the IEEE 802.11 Task Group i (TGi) provides a short-term solution and a long-term solution. The short-term solution
has adopted the Temporal Key Integrity Protocol (TKIP). TKIP is a group of algorithms that wraps the WEP protocol to address the known weaknesses. TKIP
includes three components: a message integrity code called Michael, a packet
sequencing discipline, and a per-packet key mixing function. TKIP is considered as a temporary solution, and it is designed for legacy hardware. For the
T. Enokido et al. (Eds.): EUC Workshops 2005, LNCS 3823, pp. 423432, 2005.
c IFIP International Federation for Information Processing 2005
424
J. Huang et al.
long-term solution, the IEEE 802.11 TGi recommends two modes of operation:
WRAP (Wireless Robust Authenticated Protocol) and CCMP (Counter-ModeCBC-MAC Protocol). Both WARP and CCMP are based on AES cipher [2],
and they require new hardware.
Our contributions. In this paper, we investigate the security issues of Michael.
First, we present a necessary and sucient condition for nding collisions of
Michael, showing that the collision status of Michael only depends on the second last block message and the output of the block function in the third last
round. Second, by employing the necessary and sucient condition, we provide
a method to nd collisions of Michael and show that Michael is not collision-free.
Furthermore, we develop a method to nd xed points of Michael, and a packet
forgery attack could be mounted against Michael if the output of the block function in any round is equal to any of these xed points.
Notations. A 64-bit Michael key K is converted to two 32-bit subkeys, k0 and
k1 , written as K = (k0 , k1 ). An n-block message M is written as M = (m0 , m1 ,
..., mn1 ). Li0 , R0i , Li1 , R1i , Li2 , R2i , Li3 , R3i , Li4 , R4i , and Li5 are variables used in
the (i + 1)-th round of Michael(K, M ) procedure. For an n-round Michael(K,
M ) procedure, we represent the (i + 1)-th (0 i n 1) round output of the
Michael block function as (Li5 , R4i ), where Li5 stands for the left half of the output and R4i stands for the right half of the output. Some other notations used in
this paper are listed as follows: is left rotation, represents right rotation,
is exclusive-or, stands for addition modulo 232 , || is concatenation, and =
means imply.
Organization. The rest of this paper is organized as follows. Section 2 provides the overview of the Michael keyed hash function. Section 3 describes one
previous work on Michael, which shows that Michael is invertible. We provide a
necessary and sucient condition for nding collisions of Michael in Section 4.
In Section 5, we propose a method to nd collisions of Michael, and based on our
method, we show that Michael is not collision-free. In Section 6, we introduce
a simple method to nd xed points of Michael and propose a packet forgery
attack against Michael. Finally, we conclude this paper in Section 7.
Michael [6] is the message integrity code (MIC) of TKIP in the IEEE 802.11i
[1]. Michael is a keyed hash function, whose inputs are a 64-bit Michael key
and an arbitrarily long message, and output is a 64-bit Michael value. The
64-bit key is converted to two key 32-bit words, and the message is partitioned into 32-bit blocks. The message is padded at the end with a single
byte with the hexadecimal value 0x5a and then followed by between 4 and 7
zero bytes. The number of zero bytes is chosen so that the overall length of
the message plus the padding is a multiple of 4. We note that the last block
425
of the padded message is zero, and the second last block of the padded message is not zero. The details of Michael are described in Algorithm 2.1 and 2.2.
Algorithm 2.2: B(L, R)
Algorithm 2.1: Michael((k0 , k1 ), (m0 , ..., mn1 ))
Input : Key(k0 , k1 )
Input : Padded message (m0 , ..., mn1 )
Output : MIC value (L, R)
(L, R) (k0 , k1 )
for i 0 to n 1
L L mi
do
(L, R) B(L, R)(Algorithm2.2)
return (L, R)
Input : (L, R)
Output : (L, R)
R R (L 17)
L (L + R) mod 232
R R XSW AP (L)
L (L + R) mod 232
R R (L 3)
L (L + R) mod 232
R R (L 2)
L (L + R) mod 232
return (L, R)
Related Work
426
J. Huang et al.
We study the collision-resistance of Michael in this section. By providing Theorem 1, we prove that the collision status of Michael only depends on the second
last block message and the output of the block function in the third last round.
We would like to point out that Condition 1 and 2 in Theorem 1 are a necessary
and sucient condition for nding collisions of Michael.
Theorem 1. Given two pairs of keys and messages, (Key1 , M1 ) and (Key2 ,
M2 ), Michael(Key1 , M1 ) = Michael(Key2 , M2 ) if and only if the following two
conditions hold:
1. R4x3 = R4y3
2. Lx3
Ly3
= mx2 my2
5
5
where M1 has x 32-bit blocks, M2 has y 32-bit blocks, and both x and y are 3.
Proof. The last three rounds of Michael are illustrated in Figure 1 in Appendix
A. We provide the last round and the second last round of Michael(Key1 , M1 )
in Algorithm 4.1 and Algorithm 4.2 respectively. Similarly, the last round and
the second last round of Michael(Key2 , M2 ) are shown in Algorithm B.1 and
Algorithm B.2 in Appendix B respectively.
Algorithm 4.1: Last Round (Key1 , M1 )
m
x1
1
0
3.Lx2
= Lx2
mx2
1
0
4.R1x1 = R0x1 (Lx1
17)
x2
1
4.R1 = R0x2 (Lx2
17)
x1
x1
x1
32
1
5.L2 = (L1 + R1 ) mod 2
= (Lx2
+ R1x2 ) mod 232
5.Lx2
x1
x1
x1
2
1
6.R2 = R1 XSW AP (L2 )
6.R2x2 = R1x2 XSW AP (Lx2
)
2
= (Lx1
+ R2x1 ) mod 232
7.Lx1
3
2
= (Lx2
+ R2x2 ) mod 232
7.Lx2
x1
x1
x1
3
2
8.R3 = R2 (L3 3)
8.R3x2 = R2x2 (Lx2
3)
3
= (Lx1
+ R3x1 ) mod 232
9.Lx1
x2
4
3
= (Lx2
+ R3x2 ) mod 232
9.L
x1
x1
x1
4
3
10.R4 = R3 (L4 2)
10.R4x2 = R3x2 (Lx2
2)
4
11.Lx1
= (Lx1
+ R4x1 ) mod 232
x2
x2
5
4
=
(L
+
R
)
mod 232
11.Lx2
x1
x1
5
4
4
(N ote : M ichael(Key1 , M1 ) = (L5 , R4 ))
= Ly1
,
4
= R3y1 ,
= Ly1
,
3
= R2y1 ,
= Ly1
,
2
= R1y1 ,
427
Lx1
= Ly1
and R1x1 = R1y1 = Lx1
= Ly1
,
2
1
2
1
y1
y1
x1
x1
x1
L1 = L1
and R1 = R1
= R0 = R0y1 .
As Lx1
= Lx1
mx1 , Ly1
= Ly1
my1 , Lx1
= Lx2
, Ly1
= Ly2
,
1
0
0
5
1
0
0
5
y1
y2
y2
x1
x2
x2
= R4 , mx1 = 0 and my1 = 0, therefore L5 = L5
R0 = R4 , R0
and R4x2 = R4y2 .
Similarly, we use the same method in the second last rounds of Michael(Key1 ,
M1 ) and Michael(Key2 , M2 ).
Lx2
= Ly2
and R4x2 = R4y2 = Lx2
5
5
4
y2
x2
and R4x2 = R4y2 = R3x2
L4 = L4
Lx2
= Ly2
and R3x2 = R3y2 = Lx2
4
4
3
y2
x2
and R3x2 = R3y2 = R2x2
L3 = L3
Lx2
= Ly2
and R2x2 = R2y2 = Lx2
3
3
2
y2
x2
L2 = L2
and R2x2 = R2y2 = R1x2
= Ly2
and R1x2 = R1y2 = Lx2
Lx2
2
2
1
y2
x2
L1 = L1
and R1x2 = R1y2 = R0x2
= Ly2
,
4
= R3y2 ,
= Ly2
,
3
= R2y2 ,
= Ly2
,
2
= R1y2 ,
= Ly2
,
1
= R0y2 .
As Lx2
= Lx2
mx2 , Ly2
= Ly2
my2 , Lx2
= Lx3
and Ly2
=
1
0
0
1
0
0
5
y3
y3
x3
x2
x3
L5 , therefore L5 L5
= mx2 my2 . As R0 = R4 and R0y2 =
R4y3 , therefore R4x3 = R4y3 .
Thus, Michael(Key1 , M1 ) = Michael(Key2 ,M2 ) = R4x3 = R4y3 and Lx3
5
Ly3
= mx2 my2 .
5
Ly3
= mx2 my2
Sucient condition: If R4x3 = R4y3 and Lx3
5
5
hold, we start from Step 1 and 2 in Algorithm 4.2 and B.2.
Lx3
= Lx2
, Ly3
= Ly2
and Lx3
Ly3
= mx2 my2 =
5
0
5
5
0
5
y2
x2
L1 = L1 ,
R4x3 = R4y3 , R4x3 = R0x2 and R4y3 = R0y2 = R0x2 = R0y2 ,
Lx2
= Ly2
and R0x2 = R0y2 = R1x2 = R1y2 ,
1
1
y2
x2
L1 = L1
and R1x2 = R1y2 = Lx2
= Ly2
,
2
2
y2
y2
x2
x2
x2
and R1 = R1
= R2 = R2x2 ,
L2 = L2
Lx2
= Ly2
and R2x2 = R2x2 = Lx2
= Ly2
,
2
3
2
3
y2
x2
x2
x2
x2
L3 = L3
and R2 = R2
= R3 = R3y2 ,
= Ly2
and R3x2 = R3y2 = Lx2
= Ly2
,
Lx2
3
4
3
4
y2
y2
x2
x2
x2
L4 = L4
and R3 = R3
= R4 = R4y2 ,
= Ly2
and R4x2 = R4y2 = Lx2
= Ly2
.
Lx2
4
5
4
5
Finally, we bring the above results from the second last rounds to the last rounds.
According to the padding method, we note that mx1 = 0 and my1 = 0.
Lx2
= Ly2
, Lx1
= Lx2
and Ly1
= Ly2
= Lx1
= Ly1
,
5
0
5
0
5
0
5
0
y2
y2
y1
x2
x2
x1
x1
R4 = R4 , R4 = R0 and R4
= R0
= R0 = R0y1 ,
= Ly1
and mx1 = my1 = Lx1
= Ly1
,
Lx1
0
1
0
1
y1
y1
y1
x1
x1
x1
L1 = L1
and R0 = R0
= R1 = R1 ,
Lx1
= Ly1
and R1x1 = R1y1 = Lx1
= Ly1
,
1
2
1
2
428
J. Huang et al.
Lx1
= Ly1
and R1x1 = R1y1 = R2x1
2
2
y1
x1
L2 = L2
and R2x1 = R2y1 = Lx1
3
y1
x1
L3 = L3
and R2x1 = R2y1 = R3x1
= Ly1
and R3x1 = R3y1 = Lx1
Lx1
3
3
4
y1
x1
L4 = L4
and R3x1 = R3y1 = R4x1
Lx1
= Ly1
and R4x1 = R4y1 = Lx1
4
4
5
= R2y1 ,
= Ly1
,
3
= R3y1 ,
= Ly1
,
4
= R4y1 ,
= Ly1
.
5
Ly3
= mx2 my2 = Michael(Key1 ,
Therefore, R4x3 = R4y3 and Lx3
5
5
M1 ) = Michael(Key2 , M2 ).
Therefore, R4x3 = R4y3 and Lx3
Ly3
= mx2 my2 are a necessary
5
5
and sucient condition of Michael(Key1 , M1 ) = Michael(Key2 , M2 ).
m0
429
430
J. Huang et al.
Conclusions
Michael was designed as the message integrity code for the IEEE 802.11i. In this
paper, by providing a necessary and sucient condition for nding collisions of
Michael, we showed that the collision status of Michael only depends on the
second last block message and the output of its third last round. Therefore, to
nd collisions of Michael, we only need to focus on its two rounds: the third last
round and the second last round. In addition, we demonstrated that Michael is
not collision-free. Moreover, we proposed a simple method to nd xed points of
Michael and built a xed-point table based on our results. If the output of the
block function in any round is in the xed-point table, a packet forgery attack
could be mounted against Michael. The packet forgery attack does not endanger
security of the whole TKIP system as the Michael value is encrypted by RC4.
To make the proposed forgery attack practical to TKIP, the attacker needs to
consider the combination of Michael and RC4.
References
1. Information Technology - Telecommunications and Information Exchange Between
Systems - Local and Metropolitan Area Networks - Specic Requirements Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specications Amendment 6: Medium Access Control (MAC) Security Enhancements.
23 July 2004.
431
Three-Round Diagrams
q
q
q
q
q
? q
Block Function
Lx3
5
f
-?
mx2
(= 0) ?
Rx3
4
f
-?
mx1
(= 0) ?
Rx2
4
f
-?
(= 0) ?
?
x1
Lx1
5
? R4 ?
Rx3
4
Lx2
5
mx1
Ln4
Rn4
5
-?
f 4
mn3
Rx2
4
f
-?
mn2
(= 0) ?
x1
Lx1
5
? R4 ?
-?
f
mn1
(= 0) ?
Rn2
4
k0
m0-
?
f
?
m1(= 0)
?
f
?
n1
Ln1
5
? R4 ?
R0
4
Block Function
L1
5
-?
f
(=
0)
?
?
Block Function
k1
Block Function
L0
5
Rn3
4
Block Function
Ln2
5
Block Function
Block Function
Ln3
5
Block Function
f
-?
(=
0)
?
?
Block Function
Block Function
Lx3
5
mx2
Block Function
Lx2
5
q
q
? q
R1
4
m2
Block Function
L2
5
R2
4
432
J. Huang et al.
Algorithms in Section 4
Figures
L0
m0-
?
f
?
R0
Block Function
Li
i
?
f
?
- 17 - f
?
+
?
- XSWAP - f
?
+
?
-3 -f
?
+
?
-2 -f
?
+
Li+1 ?
Ri+1 ?
mi-
? qq
?
q
Li1
Ri1
f
-?
mi1
Block Function
Li
Ri q
q
q
?
f
mi
? qq
q
Ln1
mn1 -
?
f
?
q
?
Rn1
Li
mi-
?
f
?
Ri
Block Function
Li
Ri
?
f
? qqq
Li
?
mi- f
?
mi-
?
Ri
Block Function
Li
Ri ?
A Multiple of 4 Blocks of
mi Inserted
Block Function
Original Blocks