TKIP provides a 48-bit (6-byte) monotonically increasing Transmit Sequence Counter (TSC), which it appends to each packet. If a TKIP packet is received whose TSC value is less than or equal to the current replay counter value, the frame is silently discarded.
The 802.11 standard defines a set of rules for TKIP replay protection, reproduced from the standard below:
- Each MPDU shall have a unique TKIP TSC value.
- Each transmitter shall maintain a single TSC (48-bit counter) for each PTKSA, GTKSA, and STKSA.
- The TSC shall be implemented as a 48-bit monotonically incrementing counter, initialized to 1 when the corresponding TKIP temporal key is initialized or refreshed.
- The WEP IV format carries the 16 LSBs of the 48-bit TSC, as defined by the TKIP mixing function (Phase 2, STEP3). The remainder of the TSC is carried in the Extended IV field.
- A receiver shall maintain a separate set of TKIP TSC replay counters for each PTKSA, GTKSA, and STKSA.
- TKIP replay detection takes place after the MIC verification and any reordering required by ACK processing. Thus, a receiver shall delay advancing a TKIP TSC replay counter until an MSDU passes the MIC check, to prevent attackers from injecting MPDUs with valid ICVs and TSCs, but invalid MICs.
NOTE—This works because if an attacker modifies the TSC, then the encryption key is modified and hence both the ICV and MIC decrypt incorrectly, causing the received MPDU to be dropped.
- For each PTKSA, GTKSA, and STKSA, the receiver shall maintain a separate replay counter for each frame priority and shall use the TSC recovered from a received frame to detect replayed frames. A replayed frame occurs when the TSC extracted from a received frame is less than or equal to the current replay counter value for the frame’s priority. A transmitter shall not reorder frames with different priorities without ensuring that the receiver supports the required number of replay counters. The transmitter shall not reorder frames within a replay counter, but may reorder frames across replay counters. One possible reason for reordering frames is the IEEE 802.11 MSDU priority.
- A receiver shall discard any MPDU that is received out of order and shall increment the value of dot11RSNAStatsTKIPReplays for this key.
- For MSDUs sent using the Block Ack feature, reordering of received MSDUs according to the Block Ack receiver operation is performed prior to replay detection.
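
The receiver-side rules above, as an added Python example (not code from the standard or from this article): it recovers the 48-bit TSC from the IV and Extended IV octets and keeps one replay counter per frame priority, advancing it only after the MIC check has passed. The octet order (TSC1, WEPSeed, TSC0, Key ID octet, TSC2 to TSC5) is the standard's TKIP MPDU layout; the `mic_ok` flag, the eight priorities, the starting counter value of 0 and the `build_iv` sample encoder are assumptions of this example.

```python
EXT_IV = 0x20  # ExtIV bit in the Key ID octet


def parse_tsc(iv: bytes) -> int:
    """Recover the 48-bit TSC from the 8-octet IV / Extended IV header.

    Layout: TSC1, WEPSeed, TSC0, Key ID octet, TSC2, TSC3, TSC4, TSC5.
    """
    if len(iv) != 8 or not iv[3] & EXT_IV:
        raise ValueError("not a TKIP IV/Extended IV header")
    tsc1, _seed, tsc0, _keyid, *high = iv
    tsc = tsc0 | (tsc1 << 8)              # 16 LSBs travel in the WEP IV
    for i, octet in enumerate(high):      # TSC2..TSC5 from the Extended IV
        tsc |= octet << (8 * (i + 2))
    return tsc


class ReplayCounters:
    """Replay counters for one security association (PTKSA, GTKSA or STKSA)."""

    def __init__(self, priorities: int = 8):   # assumed number of priorities
        self.counters = [0] * priorities       # assumed start; first TSC is 1
        self.replays = 0                       # models dot11RSNAStatsTKIPReplays

    def accept(self, iv: bytes, priority: int, mic_ok: bool) -> bool:
        """mic_ok stands in for the MIC verification, which runs first."""
        tsc = parse_tsc(iv)
        if not mic_ok:
            return False                       # counter must not advance
        if tsc <= self.counters[priority]:
            self.replays += 1                  # replayed or out-of-order MPDU
            return False
        self.counters[priority] = tsc          # advance only after MIC passed
        return True


def build_iv(tsc: int, key_id: int = 0) -> bytes:
    """Constructed sample input: encode a TSC as a transmitter would."""
    t = tsc.to_bytes(6, "little")              # t[0] is TSC0 ... t[5] is TSC5
    wep_seed = (t[1] | 0x20) & 0x7F
    return bytes([t[1], wep_seed, t[0], EXT_IV | (key_id << 6), *t[2:]])
```

Because the counter is untouched on a MIC failure, a forged frame carrying a high TSC cannot push the counter forward and lock out later legitimate frames.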
The 802.11 Security Task Group was developing the AES standard, and TKIP was to be superseded by the AES encryption mechanism, which is what transpired. We shall have a brief look at the AES encryption scheme in the coming articles.