Errata : TKIP IV
Last Post: September 13, 2006:
-
Hi:
Regarding Initialization Vector (IV) lengths --
Q: How long is the IV for WEP?
A: Three octets (that vary however and whenever the vendor chooses).
Q: How long is the IV for TKIP?
A: Three octets (that vary according to IEEE rules to avoid weak values).
Q: Why is it said that the IV for TKIP is six octets?
A: We confuse the IV with the six octet TKIP sequence counter (TSC).
Typically current WEP vendors randomize the starting IV for each session, increment the IV for each MPDU, and skip over well known cryptographically weak IV values. If you want to demonstrate three minute WEP key cracking you had best bring your own old WLAN hardware that starts each session with IV=0 and increments by 1 regardless of weak IV values.
The TSC is six octets long and increments by one for each MPDU. The four most significant octets of the TSC are carried in the TKIP Extended IV field; the two least significant octets of the TSC are carried in the WEP IV field along with a third octet which is the result of a mixing function that blends the transmitter address, temporal key, and TSC.
Semantically there is a "WEP IV" but no "TKIP IV". Both WEP and TKIP use a three octet WEP IV.
IEEE 802.11: "TKIP uses a per-MPDU TKIP sequence counter (TSC) to sequence the MPDUs it sends. The receiver drops MPDUs received out of order, i.e., not received with increasing sequence numbers. This provides replay protection. TKIP encodes the TSC value from the sender to the receiver as a WEP IV and extended IV."
Nowhere does the standard say that TKIP extends the IV from 24 to 48 bits, or that the TKIP IV is six octets long. Unfortunately the TSC is encoded in two fields -- the "WEP IV" field and the "extended IV" field. This second field could have been named "TSC2-TSC5".
The bottom line is that the IV used by the encryption/decryption process of both WEP and TKIP is 24 bits long.
When encountering IV length questions on exams please be careful.
I hope this helps. Thanks. /criss hyde -
Hi:
CCMP uses almost the same 8 octet encryption header as does TKIP. Instead of an IV stored in three octets and the rest of a six octet sequence counter stored in another four (sic) octets, CCMP uses a six octet packet number (PN) stored in six octets. Much like the TKIP TSC, the CCMP PN is "incremented by a positive number for each MPDU."
IEEE 802.11 8.3.3.1 "CCM requires a fresh temporal key for every session. CCM also requires a unique nonce value for each frame protected by a given temporal key, and CCMP uses a 48-bit packet number (PN) for this purpose. Reuse of a PN with the same temporal key voids all security guarantees."
So to summarize:
IV used with WEP is three octets long, encoded in a four octet header. WEP has no sequence counter.
IV used with TKIP is three octets long, complicated by a six octet TKIP sequence counter, all encoded in an eight octet header.
PN used with CCMP is six octets long, encoded in an eight octet header. The PN is used both as a sequence counter and as one of several inputs to create "a unique nonce value for each frame protected by a given temporal key".
I hope this helps. Thanks. /criss hyde