Professional Documents
Culture Documents
Overview
History
Weaknesses of RC4
History
RC4 was designed by Ron Rivest of RSA Security in 1987. While it is officially termed Rivest Cipher 4.
RC4 was initially a trade secret, but in September 1994 a description of it was anonymously posted to the Cypherpunks mailing list.
and from there to many sites on the Internet. RC4 has become part of some commonly used encryption protocols and standards, including WEP and WPA for wireless cards. The main factors in RC4's success over such a wide range of applications are its speed and simplicity: efficient implementations in both software and hardware are very easy to develop.
Analysis of RC4
Advantages
Faster than DES Enormous key space (average of 1700 bits) RC4 is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) SSL and In 802.11 WEP(to secure wireless networks).
Disadvantages
Large number of weak keys 1 of 256 Weak keys can be detected and exploited with a high probability
Weaknesses of RC4
Almost all weaknesses are in the KSA since attacking the PRGA is fairly infeasible due to the huge effective key. The fastest known method requires 2700 time. The KSA can be attacked with several methods mainly because of the simple initialization permutation used.
RC4 Description
Symmetric
Stream Cipher
RC4 Description
Encryption
Decryption
RC4 Example
Simple 4-byte example
S = {0, 1, 2, 3}
K = {1, 7, 1, 7} Set i = j = 0
KSA
S[0]
K = {1, 7, 1, 7}
K[0]
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3} Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
S[i] S = {0,1, 2, 3} S[j]
j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
KSA
S[0]
K = {1, 7, 1, 7}
K[0]
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3} Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
S[i] 1 S = {0 ,1 , 2, 3} 0 S[j]
j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
KSA
S[0]
K = {1, 7, 1, 7}
K[0]
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3} Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
1 S = { 1, 0 , 2, 3} 0
j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
KSA
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3}
S[1]
K = {1, 7, 1, 7}
K[1]
j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
KSA
S[2]
K = {1, 7, 1, 7}
K[2]
Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3 Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2} Fourth Iteration (i = 3, j = 3, S = {0, 1, 3, 2}):
j = (j + S[ i ] + K[ i ]) = (3 + 2 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}
KSA
Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}): j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3 Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2}
S[3]
K = {1, 7, 1, 7}
K[3]
j = (j + S[ i ] + K[ i ]) = (3 + 2 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}
PRGA
For this example we use plaintext HI
0100 1000
XOR 0000 0011 0100 1011
j = j + S[ i ] = 1 + 3 = 4 (mod 4) = 0
Swap S[ i ] and S[ j ]: S = {3, 1, 2, 0} Output z = S[ S[ i ] + S[ j ] ] = S[1] = 1
Z = 3 ( 0000 0001 )
I 0100 1001 XOR 0000 0001
0100 1000
Result : Plaint Text : 0100 1000 0100 1001 Cipher Text: 0100 1011 0100 1000
Resources
Fluhrer, Mantin, Shamir - Weakness in the Key Scheduling Algorithm of RC4.
http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
Stubblefield, Loannidis, Rubin Using the Fluhrer, Mantin, and Shamir Attack to Break WEP.
http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
Rivest RSA Security Response to Weakness in the Key Scheduling Algorithm of RC4.
http://www.rsasecurity.com/rsalabs/technotes/wep.html
http://www.ncat.edu/~grogans/algorithm_breakdown.htm