• United States

Explaining TKIP

Oct 04, 20043 mins
Cellular NetworksEncryptionNetwork Security

Temporal Key Integrity Protocol (TKIP), as defined by the IEEE 802.11i specification, addresses the encryption part of the wireless security equation. (A different part of 802.11i addresses the per-message integrity problem)   TKIP was designed with a very difficult constraint in place: it had to operate on existing hardware, and therefore it could not require computationally advanced encryption.

TKIP is a “wrapper” that goes around the existing WEP encryption.  TKIP comprises the same encryption engine and RC4 algorithm defined for WEP.  However, the key used for encryption in TKIP is 128 bits long.  This solves the first problem of WEP: a too-short key length.

Cracking the wireless security code

Security picks

What we tested

WEP: Stick a fork in it

Subscribe to the Product Review newsletter

An important part of TKIP is that it changes the key used for each packet.  This is the “Temporal” part of the picture.  The key is created by mixing together a combination of things, including a base key (called a Pairwise Transient Key in TKIP parlance), the MAC address of the transmitting station, and the serial number for the packet.   The mixing operation is designed to put a minimum demand on the stations and access points, yet have enough cryptographic strength so that it cannot easily be broken. 

Each packet transmitted using TKIP has a unique 48-bit serial number that is incremented every time a new packet is transmitted and used both as the Initialization Vector and part of the key.  Putting a sequence number into the key ensures that the key is different for every packet.  This solves another problem of WEP, called “collision attacks,” which can occur when the same key is used for two different packets.  With different keys, there are no collisions.

Having the serial number of the packet also be the initialization vector helps to reduce yet another WEP problem, called “replay attacks.”  Because a 48-bit sequence number will take thousands of years to repeat itself, no one can replay old packets from a wireless connection—they will be detected as out of order because the sequence numbers won’t be right. 

The last, and most important, piece that is mixed into the TKIP key is the base key.  Without a way to generate unique base keys, TKIP would solve many of WEP’s problems, but not its worst one: the constant reuse of a well-known key by everyone on the wireless LAN.  To deal with this, TKIP generates the base key that is mixed into the per-packet key.  Each time a wireless station associates to an access point, a new base key is created.  This base key is built by hashing together a special session secret with some random numbers (called nonces) generated by the access point and the station as well as the MAC address of the access point and the station.   With 802.1X authentication, the session secret is unique and transmitted securely to the station by the authentication server; when using TKIP with pre-shared keys, the session secret is the same for everyone and never changes—hence the vulnerability of using TKIP with pre-shared keys.

Rodney Thayer is a private network security consultant in Mountain View, California. His practice includes exploit analysis, architecting secure networks, and cryptography. His background is in the development and deployment of network security devices, having participated in the development of various implementations of IPsec, SSL (TLS), and digital certificate systems. He has also worked in the area of security network management. He can be reached at

More from this author