13th Iranian Conference on Electrical Engineering, Zanjan, Iran, April 2005

Counter Synchronization in CCMP Algorithm

Anita Fadavi Roudsary, Jalil Chitizadeh, Saied Hosseini Khayat
fadavi_r_ chitizad@ferdowsi.um.ac.ir shk@ferdowsi.um.ac.ir
Ferdowsi University of Mashad, Mashad, Iran.

Abstract: To improve the security of Wireless Local Area Networks, the IEEE has recently standardized the 802.11i protocol. The 802.11i is based on two main components: a new protocol, called CCMP, for data confidentiality, and the IEEE 802.1X key-distribution system to control access to the network. In CCMP, a packet counter is sent in clear so that the receiver can decrypt the packet. To avoid security flaws, the counter is not used more than once. This makes the protocol dependent on the 802.1X standard. It also degrades performance. In this paper, a new encryption method is introduced that eliminates counter transmission and, based on numerical calculations, improves the security of the CCMP method.

Keywords: IEEE 802.11, Security, CCMP, Counter Synchronization.

1. Introduction

After IEEE 802.11i ratification, the Counter mode with CBC-MAC Protocol (CCMP) has been the preferred encryption protocol in the standard [1]. This protocol is based upon the Counter mode with Cipher Block Chaining Message Authentication Code (CCM) mode of the Advanced Encryption Standard (AES) encryption algorithm. The CCMP is composed of two components. The Counter mode (CTR) of the CCMP is the algorithm that provides data privacy. The second component, the Cipher Block Chaining Message Authentication Code (CBC-MAC), provides data integrity and authentication [2].

Both of these components utilize 128-bit keys, with a 48-bit packet sequence counter. As will be described, this counter is used in the encryption and decryption procedures. To enable the receiver to extract the plaintext from an encrypted packet, all the packets must contain this counter in clear. To avoid replay, message injection and message decryption attacks by intruders, the counter must not be used more than once. So when counter reuse is necessary, the encryption key is changed by the 802.1X standard [2, 3].

Figure 1: CCMP counter mode

Although the use of the 802.1X standard makes the encrypted traffic secure enough, the key exchange process decreases the throughput of the network. The presence of the 48-bit counter in all packets also degrades the throughput. This paper introduces a new method, which eliminates the counter part of each packet. Instead, it sends some packets to synchronize both sender and receiver on a desired counter value. Exploiting this new method reduces the need for key-management standards [4].

The following section is devoted to an overview of CCMP. Section 3 describes the counter synchronization method and section 4 identifies some important details of it. The effect of parameters on a designed network is examined in section 5.
Section 6 compares the new method with CCMP from the security point of view. Finally, concluding remarks are given in section 7.

2. CCMP Configuration

The CCMP protocol utilises the AES standard for data encryption in both Counter and CBC-MAC modes. A 48-bit packet sequence counter is used in Counter mode as a state variable. To construct the CTR mode counter, the packet sequence counter is concatenated with the sender MAC address, a 16-bit zero per-packet block counter, and 16 bits of other data, where the last 16 bits are used to distinguish the Counter mode counter from the CBC-MAC Initialisation Vector (IV) [2].

The Counter mode counter is the AES input and, as shown in figure 1, this counter is encrypted by the AES algorithm and then XORed with the plaintext block to produce the ciphertext. Since in CCMP the input, the shared secret key and the output blocks are 128 bits long, the message must also be fragmented into 128-bit blocks.

Figure 2: CBC-MAC mode

To enable the receiver to decrypt the received packet, the counter must be sent in clear. Each block uses a unique counter to avoid key reuse security flaws: if a counter is sent more than once, the encrypted traffic can be decrypted based on statistical analysis. It would also be possible to inject old packets into the network [2]. Whenever counter reuse is needed, the shared secret key must be changed. This process is done by using the 802.1X standard
[2, 3].

The other component of CCMP, the CBC-MAC, uses the packet sequence counter to make an Initial Vector (IV). As figure 2 shows, in the CBC-MAC mode, the output of each block is fed forward to the next one and then XORed with the subsequent message block. The first block's input is $(IV \oplus M_1)$, where IV is made from the packet sequence counter and $M_1$ is the first 128 bits of the message. The output of the last block is truncated to 64 bits and is then called the Message Integrity Code (MIC). The MIC is concatenated to the message and encrypted in the CTR mode to provide data integrity and authentication [2].

3. Counter Synchronization

As described in [4], in the new encryption method the packet sequence counter is not sent in clear and none of the encrypted packets contain the counter part. Because the receiver must know the packet sequence value to be able to decrypt the received packet, the sender encrypts the first packet sequence counter and sends it at the beginning of each transmission. Afterwards, both the sender and the receiver are synchronized on this value of the counter. Because the sender follows a table or a pre-defined agreement protocol to select the next values of the counter to encrypt the other packets, it is not necessary to send the counter value in these packets. The receiver must do the same work as the sender to decrypt the packets correctly.

3.1. Encryption Block

In our method, the sender must initially encrypt the first packet sequence counter. Since in CCMP there is an encryption block, it is preferable to use it for counter encryption too and avoid utilizing another configuration. So, as can be seen in figure 3, this block is similar to the AES Counter mode encryption block. As in [2], a secret key is shared between the sender and the receiver, which is used in the encryption algorithm, AES. The output of the AES algorithm is XORed with the plaintext, the packet sequence counter information, and produces the ciphertext. Finally the ciphertext is sent to the receiver.

Figure 3: Encryption block

Figure 4: Encryption by a random time

In the CCMP protocol, the AES algorithm encrypts the counter block to produce an output that is XORed with the plaintext. In our method, to synchronize the sender and the receiver on a counter, the counter must be encrypted and sent. So the plaintext is the counter value and it cannot act
as the AES input. The input must therefore be replaced with another parameter and, since this parameter is not sent, it must be clear to the sender and the receiver. A parameter with this specification is the sending time.

The IEEE 802.11 introduces the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) method. As the name implies, CSMA/CA attempts to avoid collisions on the wireless media by placing duration information in each frame, so that receiving stations can determine how long the frame will last. During the time that the channel is busy, the other stations activate the Network Allocation Vector (NAV) signal till the end of that transmission. If the previous frame's duration has expired and a quick check of the wireless media shows that it is not busy, the stations are permitted to transmit [5]. Based on this method, all stations can distinguish the starting time of each transmission.

In the new method, the AES block input is replaced with this time, including a little correction which is named random time selection. If the time is clear to all stations, it would also be clear to the intruders, which means the weakness still exists. To improve this situation, as shown in
figure 4, the time is selected randomly from a time interval in which the initial sending time is the start of the interval. The sender chooses this random time to encrypt the packet sequence counter and sends it. The receiver decrypts the frame using all the times in that interval until it decrypts the packet correctly. To find out that the packet is decrypted correctly, the receiver computes the MIC part of the message and compares it with the received decrypted MIC.

Figure 5: Counter space addressing

3.2. Increasing Ambiguity

The attacker does not know the shared key and the exact time value. Hence he cannot find the time reuse and he will not be able to decrypt any messages. If the time is reused for any reason, he has some intervals from which the same time may be selected. This can be an opportunity for the attacker to decrypt the packet, and this means that random time selection is not a plausible remedy for the time reuse problem. Time reuse can mainly occur in two situations: first, if the number of the bits used to define the time
is not big enough and second, if two or more hidden stations begin to send packets at the same time. The first problem can be solved by choosing the number of bits so that it suffices for long periods, e.g. 200 years, but there is no way to prevent two stations that are hidden from each other from sending simultaneously. The second problem can be made less pronounced by increasing ambiguity. In this method, the sender sends more than one frame to synchronize the receiver on the desired counter. Instead of the counter value, each packet contains some information about a pointer that points to the relative address of the counter in the counter space. The pointer information is such that the counter value can only be found when the receiver can decrypt all of these synchronous packets.

The number of bits used to describe the counter value is 48 and so the counter may have $2^{48}$ different values. To increase ambiguity, as figure 5 shows, this space is divided into $2^{n_1}$ sections and each section is divided into $2^{n_2}$ subsections. This process is continued until subsection m is produced. The value of m depends on the security level and the traffic throughput. The i-th section numbers are labeled from 1 to $2^{n_i}$. The m-th level section will also contain $2^x$ numbers. These numbers are used to address the counter value and are sent encrypted with a random time. The receiver decrypts each packet and, step by step, is guided to the real value of the counter. After decrypting the m-th packet, the receiver must check $2^x$ MIC values to find the counter.

4. Parametrical calculations

Decryption of more synchronous packets enables the attacker to extract more information about the counter. This situation happens when the hidden stations encrypt more synchronous packets with the same random time, but the probability of this event decreases as the number of time reuses increases. This means that random time selection compensates for the ascending probability of distinguishing the counter value caused by synchronous packet decryptions, and vice versa; if they are used together, counter synchronization will be done in a secure way. To find the optimum number of sections (m) and the number of values that section i contains ($2^{n_i}$), it is important to note that they must be computed in a way that the probability of distinguishing the counter is not increased when more synchronous packets are sent at the same time by hidden stations.

Suppose that $S_i^y$ denotes the y-th part of the i-th section. When the attacker decrypts the packet and knows y, he must guess the values of the other sections in order to compute the counter value. So the ambiguity is in the un-decrypted sections. Then, the probability of computing the counter if only section $i$ is known can be computed by equation (1), in which Ctr denotes the counter.

$$P(Ctr \mid S_i) = \frac{1}{2^{48-n_i}} \qquad (1)$$

The probability of counter extraction if k sections $S_{i,j,\ldots,l}$ are decrypted is similar to (1). It is obvious that, to give the least information about the counter, the size of all sections must be equal. So, each $n_i$ is equal to n, as in (2).

$$P(Ctr \mid S_{i,j,\ldots,l}) = \frac{1}{2^{48-kn}} = A \qquad (2)$$

Using (2) and the conditional probability equation, the joint probability can be computed as

$$P(Ctr, S_{i,j,\ldots,l}) = A \cdot P(S_{i,j,\ldots,l}) \qquad (3)$$

The value of A can be extracted from (2), but the probability $P(S_{i,j,\ldots,l})$ is not known and should be calculated. This is the probability that k different synchronous packets are decrypted, and it happens when they are sent at the same time. Since all of the hidden stations send their packets independently, the events $S_{i,j,\ldots,l}$ are independent. In addition, simultaneous transmission does not depend on the section number, e.g. i, j, l. This means that all of the events $S_{i,j,\ldots,l}$ are equiprobable and the joint probability can be written as

$$P(S_{i,j,\ldots,l}) = p^k \qquad (4)$$

where p is the probability that at least two stations select the same random time for encryption.

To compute p, it is assumed that h hidden stations send their packets uniformly, in such a way that all of the data frames and synchronous packets are sent in time intervals completely similar to the other hidden stations' traffic. In other words, all of the hidden stations start the synchronization process at the same time. This assumption leads to the computation of the probability in the worst case. Then, p is calculated using the birthday paradox:

$$p = 1 - \exp\left(-\frac{h^2}{2N}\right) \qquad (5)$$

p is the probability that at least two stations select similar times from an interval which contains N different times [6]. Now, all the values of equation (3) are known and can be substituted. Returning to the first basic assumption, the probability of finding the counter must not increase when more synchronous packets are sent at the same time. The value of n is computed based on this idea. This means that the joint probability of knowing the counter and l synchronous packets must be less than the joint probability of knowing the counter and k packets if $l > k$, or

$$\frac{p^l}{2^{48-nl}} < \frac{p^k}{2^{48-nk}} \qquad (6)$$

After simplifying inequality (6), the upper margin of n is obtained from equation (7).

$$n < -\log_2\left(1 - \exp\left(-\frac{h^2}{2N}\right)\right) \qquad (7)$$

Figure 6: Effect of t
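
The synchronization exchange of Section 3.1 and the time-reuse weakness of Section 3.2, sketched as an added example (not code from the paper). HMAC-SHA256 truncated to 128 bits stands in for the AES block and for the CBC-MAC; the frame layout (6-byte counter followed by 8-byte MIC), integer time ticks, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def prf_block(key: bytes, value: int) -> bytes:
    """Stand-in for AES_K(value): HMAC-SHA256 truncated to one 128-bit block."""
    return hmac.new(key, value.to_bytes(16, "big"), hashlib.sha256).digest()[:16]

def mic(key: bytes, ctr: bytes) -> bytes:
    """Stand-in for the 64-bit CBC-MAC MIC computed over the counter info."""
    return hmac.new(key, b"MIC" + ctr, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def make_sync_frame(key, counter, start, interval, t=None):
    """Sender: encrypt counter||MIC under a time drawn from the interval.
    The chosen time t is never transmitted."""
    if t is None:
        t = start + secrets.randbelow(interval)   # random time selection
    ctr = counter.to_bytes(6, "big")              # 48-bit packet sequence counter
    return xor(ctr + mic(key, ctr), prf_block(key, t))

def recover_counter(key, frame, start, interval):
    """Receiver: try each time in the interval until the MIC verifies."""
    for t in range(start, start + interval):
        plain = xor(frame, prf_block(key, t))
        ctr, tag = plain[:6], plain[6:]
        if hmac.compare_digest(tag, mic(key, ctr)):
            return int.from_bytes(ctr, "big"), t
    return None                                   # wrong key or time outside window

def time_reuse_leak(frame_a, frame_b):
    """Eavesdropper's view when two frames share key and time: the keystream
    cancels and the XOR of the two counters is exposed without the key."""
    return int.from_bytes(xor(frame_a, frame_b)[:6], "big")

if __name__ == "__main__":
    key = bytes(range(16))                        # constructed 128-bit shared key
    frame = make_sync_frame(key, 0xDEADBEEF, start=1000, interval=64)
    print(recover_counter(key, frame, 1000, 64))
    a = make_sync_frame(key, 5, 1000, 64, t=1010)   # two frames encrypted with
    b = make_sync_frame(key, 12, 1000, 64, t=1010)  # the same key and same time
    print(time_reuse_leak(a, b))                    # 5 ^ 12 == 9
```

The receiver performs at most `interval` block operations per synchronization frame, which is the cost side of choosing a larger number N of selectable times in Section 4.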