Paper 2006/129

Some Remarks on the TKIP Key Mixing Function of IEEE 802.11i

Wei Han, Dong Zheng, and Ke-fei Chen

Abstract

Temporal Key Integrity Protocol (TKIP) is a sub-protocol of IEEE 802.11i. TKIP remedies some security flaws in Wired Equivalent Privacy (WEP) Protocol. TKIP adds four new algorithms to WEP: a Message Integrity Code (MIC) called Michael, an Initialization Vector (IV) sequencing discipline, a key mixing function and a re-keying mechanism. The key mixing function, also called temporal key hash, de-correlates the IVs from weak keys. Some cryptographic properties of the S-box used in the key mixing function are investigated in this paper, such as regularity, avalanche effect, differ uniform and linear structure. V.Moen, H.Raddum and K.J.Hole point out that there exists a temporal key recovery attack in TKIP key mixing function. In this paper a method is proposed to defend against the attack, and the resulting effect on performance is also discussed.

Note: Many conclusions in this paper are drawn from the test by running programs. So we include the source codes in the appendix for verification. Doug Whiting, one of the original authors of TKIP, sent me an email to point out my misunderstanding about the word hash in the term temporal key hash in the draft paper. He indicated that TKIP was not intended in any sense to be a cryptographic hash function. TKIP is a hash only in the computer science sense, not in the cryptographic sense. While it is certainly interesting to look at TKIP on its own, the research on the combination of TKIP+RC4 has more significance. So the improper use of the term one-wayness in the draft is excluded according to his suggestions.