DOCSLIB.ORG

Weaknesses in the Key Scheduling Algorithm Of

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Weaknesses in the Key Scheduling Algorithm Of Weaknesses in the Key Scheduling Algorithm of RC Scott Fluhrer Itsik Mantin and Adi Shamir Cisco Systems Inc West Tasman Drive San Jose CA sfluhrerciscocom Computer Science department The Weizmann Institute Rehovot Israel fitsikshamirgwisdomweizman nac il Abstract In this pap er we presentseveral weaknesses in the key schedul ing algorithm of RC and describ e their cryptanalytic signicance We identify a large number of weak keys in which knowledge of a small number of key bits suces to determine many state and output bits with nonnegligible probability We use these weak keys to construct new distinguishers for RC and to mount related key attacks with prac tical complexities Finallywe show that RC is completely insecure in a common mo de of op eration which is used in the widely deployed Wired EquivalentPrivacy proto col WEP which is part of the standard in which a xed secret key is concatenated with known IV mo diers in order to encrypt dierent messages Our new passive ciphertextonly at tack on this mo de can recover an arbitrarily long key in a negligible amount of time which grows only linearly with its size b oth for and bit IV mo diers Intro duction RC is the most widely used stream cipher in software applications It was designed by Ron Rivest in and kept as a trade secret until it leaked out in n RC has a secret internal state whichisapermutation of all the N p ossible n bits words along with two indices in it In practical applications n and thus RC has a huge state of log bits In this pap er we analyze the Key Scheduling Algorithm KSA whichderives the initial state from a variablesizekey and describ e two signicantweaknesses of this pro cess The rst weakness is the existence of large classes of weak keys in which a small part of the secret key determines a large number of bits of the initial permutation KSA output In addition the Pseudo Random Gen eration Algorithm PRGA translates these patterns in the initial p ermutation into patterns in the prex of the output stream and thus RC has the undesir able prop erty that for these weak keys its initial outputs are disprop ortionally aected by a small number of key bits These weak keys have length which is q divisible by some nontrivial p ower of two ie m for some q When Here and in the rest of the pap er is the number of words of K where eachword contains n bits RC uses suchaweak key of words xing n q bits of K as a n particular pattern determines qN bits of the initial p ermutation with prob ability of one half and determines various prexes of the output stream with various probabilities dep ending on their length The second weakness is a related key vulnerability which applies when part of the key presented to the KSA is exp osed to the attacker It consists of the observation that when the same secret part of the key is used with numerous dierent exp osed values an attacker can rederive the secret part by analyzing the initial word of the keystreams with relatively little work This concatena tion of a long term secret part with an attacker visible part is a commonly used mo de of RC and in particular it is used in the WEP Wired Equivalent Pri vacy proto col which protects many wireless networks Our new attackonthis mo de is practical for anykey size and for any mo dier size including the bit recommended in the original WEP and the bit recommended in the revised version WEP The pap er is organized in the following way In Section we describ e RC and previous results ab out its security In Section we consider a slightly mo d ied variant of the Key Scheduling Algorithm called KSA and provethat a particular pattern of a small number of key bits suces to completely determine a large numb er of state bits Afterwards weshow that this weakness of KSA which we denote as the invariance weakness exists in a weaker form also in the original KSA In Section weshow that with high probability the patterns of initial states asso ciated with these weak keys also propagate into the rst few outputs and thus a small number of weak key bits determine a large num b er of bits in the output stream In Section we describ e several cryptanalytic applications of the invariance weakness including a new typ e of distinguisher In Sections and we describ e the second weakness which we denote as the IV weakness and show that a common metho d of using RC is vulnerable to a practical attack due to this weakness In Section weshowhow b oth these weaknesses can separately b e used in a related key attack In the app endices we examine how the IV weakness can b e used to attack a real system app endix A how the invariance weakness can b e used to construct a ciphertextonly distin guisher and to prove that RC has low sampling resistance app endices B and C and how to derive the secret key from an early p ermutation state app endix D RC and Its Security Description of RC RC consists of two parts describ ed in Figure Akey scheduling algorithm KSA whichturnsarandomkey whose typical size is bits into an initial p ermutation S of f N g and an output generation part PRGA which uses this p ermutation to generate a pseudorandom output sequence The PRGA initializes two indices i and j to and then lo ops over four simple op erations which increment i as a counter increment j pseudo randomly exchange the twovalues of S pointed to by i and j and output the value of S p ointed to by S i S j Notethatevery entry of S is swapp ed at least once p ossibly with itself within any N consecutive rounds and thus the p ermutation S evolves fairly rapidly during the output generation pro cess The KSA consists of N lo ops that are similar to the PRGA round op eration It initializes S to b e the identity p ermutation and i and j to and applies the PRGA round op eration N times stepping i across S and up dating j by adding S i and the next word of the key in cyclic order Wewillcalleach round of KSA a step KSAK PRGAK Initialization Initialization For i N i S ii j j Generation lo op Scrambling i i For i N j j S i j j S iK i mo d SwapS iSj SwapS iSj Output z S S iS j Fig The Key Scheduling Algorithm and the PseudoRandom Generation Algorithm Previous Attacks on RC Due to the huge eectivekey of RC attacking the PRGA seems to b e infea sible the b est known attack on this part requires time that exceeds The only practical results related to the PRGA deal with the construction of dis tinguishers Fluhrer and McGrew describ ed in FM how to distinguish RC outputs from random strings with data A b etter distinguisher which re quires data was describ ed by Mantin and Shamir in MS However this distinguisher could only b e used to mount a partial attackonRC in broadcast applications The fact that the initialization of RC is very simple stimulated considerable researchonthismechanism of RC In particular Ro os discovered in Ro oa class of weak keys that reduces their eective size byve bits and Grosul and Wallachshowed in GW that for large keys whose size is close to N words RC is vulnerable to a related key attack More analysis of the securityofRC can b e found in KMP Goland MT Here and in the rest of the pap er all the additions are carried out mo dulo N The Invariance Weakness Due to space limitations weprove here the invariance weakness only for a sim plied variant of the KSA whichwe denote as KSA and describ e in Figure The only dierence between them is that KSA up dates i at the beginning of the lo op whereas KSA up dates i at the end of the lo op After formulating and proving the existence of this weakness in KSA we describ e the mo dications required to apply this analysis to the real KSA a KSAK KSA K For i N For i N S ii S ii i i j j Rep eat N times Rep eat N times j j S iK i mo d i i SwapS iSj j j S iK i mo d i i SwapS iSj a KSA is rewritten in a waywhich claries the relation to KSA Fig KSA vs KSA Denitions Denition Let S bea permutation of f N g t be an index in S and mo d b b be some integer Then if S t t the permutation S is said to bconserve the index t Otherwise the permutation S is said to bunconserve the index t Denote the p ermutation S and the indices i and j after round t of KSA as S i t t and j resp ectively Denote the numb er of indices that a p ermutation bconserves t as I S For the sake of simplicitywe often write I instead of I S b t b t Denition Apermutation S of f N g is bconserving if I S N b and is almost bconserving if I S N b Denition Let b be integers and let K bean words key Then K is cal led a bexact key if for any index tKt mo d t mo d bIncase K and msbK K is cal ledasp ecial bexact key Notice that for this condition to hold it is necessary but not sucient that b j The Weakness def q Theorem Let q n and be integers and b Suppose that b j and let K be a bexact key of words Then the permutation S KSA K is bconserving Before getting to the pro of itself wewillprove an auxiliary lemma Lemma If i j mo d bthenI I t t t t Pro of The only op eration that might aect S and mayb e I istheswapping op eration However when i and j are equivalent mo d b S bconserves t t t i j if and only if S bconserved j i Thus the number of indices S t t t t t bconserves remains the same ut Pro ofof Theorem Wewillproveby induction on t that for any t N it turns out that I S N and i j mo d b This in particular implies that b t t t I N which makes the output p ermutation bconserving N For t b efore the rst round the claim is trivial b ecause i j and S is the identity
Load more

Recommended publications
  • Key Differentiation Attacks on Stream Ciphers
    Key differentiation attacks on stream ciphers Abstract In this paper the applicability of differential cryptanalytic tool to stream ciphers is elaborated using the algebraic representation similar to early Shannon’s postulates regarding the concept of confusion. In 2007, Biham and Dunkelman [3] have formally introduced the concept of differential cryptanalysis in stream ciphers by addressing the three different scenarios of interest. Here we mainly consider the first scenario where the key difference and/or IV difference influence the internal state of the cipher (∆key, ∆IV ) → ∆S. We then show that under certain circumstances a chosen IV attack may be transformed in the key chosen attack. That is, whenever at some stage of the key/IV setup algorithm (KSA) we may identify linear relations between some subset of key and IV bits, and these key variables only appear through these linear relations, then using the differentiation of internal state variables (through chosen IV scenario of attack) we are able to eliminate the presence of corresponding key variables. The method leads to an attack whose complexity is beyond the exhaustive search, whenever the cipher admits exact algebraic description of internal state variables and the keystream computation is not complex. A successful application is especially noted in the context of stream ciphers whose keystream bits evolve relatively slow as a function of secret state bits. A modification of the attack can be applied to the TRIVIUM stream cipher [8], in this case 12 linear relations could be identified but at the same time the same 12 key variables appear in another part of state register.
    [Show full text]
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA
    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
    [Show full text]
  • CIT 380: Securing Computer Systems
    CIT 380: Securing Computer Systems Symmetric Cryptography Topics 1. Modular Arithmetic 2. What is Cryptography? 3. Transposition Ciphers 4. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 5. Cryptanalysis: frequency analysis 6. Block Ciphers 7. AES and DES 8. Stream Ciphers Modular Arithmetic Congruence – a = b (mod N) iff a = b + kN – ex: 37=27 mod 10 b is the residue of a, modulo N – Integers 0..N-1 are the set of residues mod N Modulo 12 number system What is Cryptography? Cryptography: The art and science of keeping messages secure. Cryptanalysis: the art and science of decrypting messages. Cryptology: cryptography + cryptanalysis Terminology Plaintext: message P to be encrypted. Also called Plaintext cleartext. Encryption: altering a Encryption message to keep its Procedure contents secret. Ciphertext: encrypted message C. Ciphertext Cæsar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it (X goes to A, Y to B, Z to C) – Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG ROT 13 Cæsar cipher with key of 13 13 chosen since encryption and decryption are same operation Used to hide spoilers, punchlines, and offensive material online. Kerckhoff’s Principle Security of cryptosystem should only depend on 1. Quality of shared encryption algorithm E 2. Secrecy of key K Security through obscurity tends to fail ex: DVD Content Scrambling System Cryptanalysis Goals 1. Decrypt a given message. 2. Recover encryption key. Threat models vary based on 1. Type of information available to adversary 2. Interaction with cryptosystem. Cryptanalysis Threat Models ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key.
    [Show full text]
  • (SMC) MODULE of RC4 STREAM CIPHER ALGORITHM for Wi-Fi ENCRYPTION
    InternationalINTERNATIONAL Journal of Electronics and JOURNAL Communication OF Engineering ELECTRONICS & Technology (IJECET),AND ISSN 0976 – 6464(Print), ISSN 0976 – 6472(Online), Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) ISSN 0976 – 6464(Print) IJECET ISSN 0976 – 6472(Online) Volume 6, Issue 1, January (2015), pp. 79-85 © IAEME: http://www.iaeme.com/IJECET.asp © I A E M E Journal Impact Factor (2015): 7.9817 (Calculated by GISI) www.jifactor.com VHDL MODELING OF THE SRAM MODULE AND STATE MACHINE CONTROLLER (SMC) MODULE OF RC4 STREAM CIPHER ALGORITHM FOR Wi-Fi ENCRYPTION Dr.A.M. Bhavikatti 1 Mallikarjun.Mugali 2 1,2Dept of CSE, BKIT, Bhalki, Karnataka State, India ABSTRACT In this paper, VHDL modeling of the SRAM module and State Machine Controller (SMC) module of RC4 stream cipher algorithm for Wi-Fi encryption is proposed. Various individual modules of Wi-Fi security have been designed, verified functionally using VHDL-simulator. In cryptography RC4 is the most widely used software stream cipher and is used in popular protocols such as Transport Layer Security (TLS) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output key stream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP . Many stream ciphers are based on linear feedback shift registers (LFSRs), which, while efficient in hardware, are less so in software.
    [Show full text]
  • A Practical Attack on Broadcast RC4
    A Practical Attack on Broadcast RC4 Itsik Mantin and Adi Shamir Computer Science Department, The Weizmann Institute, Rehovot 76100, Israel. {itsik,shamir}@wisdom.weizmann.ac.il Abstract. RC4is the most widely deployed stream cipher in software applications. In this paper we describe a major statistical weakness in RC4, which makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes. This weakness can be used to mount a practical ciphertext-only attack on RC4in some broadcast applications, in which the same plaintext is sent to multiple recipients under different keys. 1 Introduction A large number of stream ciphers were proposed and implemented over the last twenty years. Most of these ciphers were based on various combinations of linear feedback shift registers, which were easy to implement in hardware, but relatively slow in software. In 1987Ron Rivest designed the RC4 stream cipher, which was based on a different and more software friendly paradigm. It was integrated into Microsoft Windows, Lotus Notes, Apple AOCE, Oracle Secure SQL, and many other applications, and has thus become the most widely used software- based stream cipher. In addition, it was chosen to be part of the Cellular Digital Packet Data specification. Its design was kept a trade secret until 1994, when someone anonymously posted its source code to the Cypherpunks mailing list. The correctness of this unofficial description was confirmed by comparing its outputs to those produced by licensed implementations. RC4 has a secret internal state which is a permutation of all the N =2n possible n bits words.
    [Show full text]
  • RC4 Encryption
    Ralph (Eddie) Rise Suk-Hyun Cho Devin Kaylor RC4 Encryption RC4 is an encryption algorithm that was created by Ronald Rivest of RSA Security. It is used in WEP and WPA, which are encryption protocols commonly used on wireless routers. The workings of RC4 used to be a secret, but its code was leaked onto the internet in 1994. RC4 was originally very widely used due to its simplicity and speed. Typically 16 byte keys are used for strong encryption, but shorter key lengths are also widely used due to export restrictions. Over time this code was shown to produce biased outputs towards certain sequences, mostly in first few bytes of the keystream generated. This led to a future version of the RC4 code that is more widely used today, called RC4-drop[n], in which the first n bytes of the keystream are dropped in order to get rid of this biased output. Some notable uses of RC4 are implemented in Microsoft Excel, Adobe's Acrobat 2.0 (1994), and BitTorrent clients. To begin the process of RC4 encryption, you need a key, which is often user-defined and between 40-bits and 256-bits. A 40-bit key represents a five character ASCII code that gets translated into its 40 character binary equivalent (for example, the ASCII key "pwd12" is equivalent to 0111000001110111011001000011000100110010 in binary). The next part of RC4 is the key-scheduling algorithm (KSA), listed below (from Wikipedia). for i from 0 to 255 S[i] := i endfor j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod keylength]) mod 256 swap(S[i],S[j]) endfor KSA creates an array S that contains 256 entries with the digits 0 through 255, as in the table below.
    [Show full text]
  • Implementation of Symmetric Encryption Algorithms
    Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol.8, No.4, 2017 Implementation of Symmetric Encryption Algorithms Haider Noori Hussain *1 Waleed Noori Hussein *2 1.Department of Computer science , College of Education for Pure Science, University of Basra, Iraq 2.Department of Mathematics , College of Education for Pure Science, University of Basra, Iraq Abstract Cryptography considered being the most vital component in information security because it is responsible for securing all information passed through networked computers. The discussions in this paper include an overview of cryptography and symmetric encryption. This paper also discusses some of the algorithms used in our research. This paper aims to design an application that consist of some symmetric encryption algorithms which allow users to encrypt and decrypt different size of files, also the application can be used as a test field to compare between different symmetric algorithms. Keywords: Cryptography, symmetric, encryption 1. Introduction In today's technology, every second data are generated on the internet due to the online transaction. Cryptography is a necessary part of network security which allows the virtual world to be more secure. In many applications of our daily life information security plays a key role (Kumar and Munjal 2011). This applies even stronger for ubiquitous computing applications where a multitude of sensors and actuators observe and control our physical environment (Kumar and Munjal 2011). When developing such applications a software engineer usually relies on well-known cryptographic mechanisms like encryption or hashing. However, due to the multitude of existing cryptographic algorithms, it can be challenging to select an adequate and secure one (Masram, Shahare et al.
    [Show full text]
  • RC4-2S: RC4 Stream Cipher with Two State Tables
    RC4-2S: RC4 Stream Cipher with Two State Tables Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract One of the most important symmetric cryptographic algorithms is Rivest Cipher 4 (RC4) stream cipher which can be applied to many security applications in real time security. However, RC4 cipher shows some weaknesses including a correlation problem between the public known outputs of the internal state. We propose RC4 stream cipher with two state tables (RC4-2S) as an enhancement to RC4. RC4-2S stream cipher system solves the correlation problem between the public known outputs of the internal state using permutation between state 1 (S1) and state 2 (S2). Furthermore, key generation time of the RC4-2S is faster than that of the original RC4 due to less number of operations per a key generation required by the former. The experimental results confirm that the output streams generated by the RC4-2S are more random than that generated by RC4 while requiring less time than RC4. Moreover, RC4-2S’s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as distinguishing attack. Keywords Stream cipher Á RC4 Á Pseudo-random number generator This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS-0855248 and EPS-0918970). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the funding agencies or those of the employers. M. M. Hammood Applied Science, University of Arkansas at Little Rock, Little Rock, USA e-mail: [email protected] K.
    [Show full text]
  • Hardware Implementation of the Salsa20 and Phelix Stream Ciphers
    Hardware Implementation of the Salsa20 and Phelix Stream Ciphers Junjie Yan and Howard M. Heys Electrical and Computer Engineering Memorial University of Newfoundland Email: {junjie, howard}@engr.mun.ca Abstract— In this paper, we present an analysis of the digital of battery limitations and portability, while for virtual private hardware implementation of two stream ciphers proposed for the network (VPN) applications and secure e-commerce web eSTREAM project: Salsa20 and Phelix. Both high speed and servers, demand for high-speed encryption is rapidly compact designs are examined, targeted to both field increasing. programmable (FPGA) and application specific integrated circuit When considering implementation technologies, normally, (ASIC) technologies. the ASIC approach provides better performance in density and The studied designs are specified using the VHDL hardware throughput, but an FPGA is reconfigurable and more flexible. description language, and synthesized by using Synopsys CAD In our study, several schemes are used, catering to the features tools. The throughput of the compact ASIC design for Phelix is of the target technology. 260 Mbps targeted for 0.18µ CMOS technology and the corresponding area is equivalent to about 12,400 2-input NAND 2. PHELIX gates. The throughput of Salsa20 ranges from 38 Mbps for the 2.1 Short Description of the Phelix Algorithm compact FPGA design, implemented using 194 CLB slices to 4.8 Phelix is claimed to be a high-speed stream cipher. It is Gbps for the high speed ASIC design, implemented with an area selected for both software and hardware performance equivalent to about 470,000 2-input NAND gates. evaluation by the eSTREAM project.
    [Show full text]
  • Weak Keys for AEZ, and the External Key Padding Attack
    Weak Keys for AEZ, and the External Key Padding Attack Bart Mennink1;2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium [email protected] 2 Digital Security Group, Radboud University, Nijmegen, The Netherlands [email protected] Abstract. AEZ is one of the third round candidates in the CAESAR competition. We observe that the tweakable blockcipher used in AEZ suffers from structural design issues in case one of the three 128-bit sub- keys is zero. Calling these keys \weak," we show that a distinguishing attack on AEZ with weak key can be performed in at most five queries. Although the fraction of weak keys, around 3 out of every 2128, seems to be too small to violate the security claims of AEZ in general, they do reveal unexpected behavior of the scheme in certain use cases. We derive a potential scenario, the \external key padding," where a user of the authenticated encryption scheme pads the key externally before it is fed to the scheme. While for most authenticated encryption schemes this would affect the security only marginally, AEZ turns out to be com- pletely insecure in this scenario due to its weak keys. These observations open a discussion on the significance of the \robustness" stamp, and on what it encompasses. Keywords. AEZ, tweakable blockcipher, weak keys, attack, external key padding, robustness. 1 Introduction Authenticated encryption aims to offer both privacy and authenticity of data. The ongoing CAESAR competition [8] targets the development of a portfolio of new, solid, authenticated encryption schemes. It received 57 submissions, 30 candidates advanced to the second round, and recently, 16 of those advanced to the third round.
    [Show full text]
  • Generic Attacks on Stream Ciphers
    Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs Distinguishing Attacks Guess-and-Determine attacks Correlation Attacks Algebraic Attacks Sidechannel Attacks Summary Generic Attacks on Stream Ciphers 3/22 What is a stream cipher? Input: Secret key (k bits) Public IV (v bits). Output: Sequence z1, z2, … (keystream) The state (s bits) can informally be defined as the values of the set of variables that describes the current status of the cipher. For each new state, the cipher outputs some bits and then jumps to the next state where the process is repeated. The ciphertext is a function (usually XOR) of the keysteam and the plaintext. Generic Attacks on Stream Ciphers 4/22 Classification of attacks Assumed that the attacker has knowledge of the cryptographic algorithm but not the key. The aim of the attack Key recovery Prediction Distinguishing The information available to the attacker. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-chipertext Generic Attacks on Stream Ciphers 5/22 Exhaustive Key Search Can be used against any stream cipher. Given a keystream the attacker tries all different keys until the right one is found. If the key is k bits the attacker has to try 2k keys in the worst case and 2k−1 keys on average. An attack with a higher computational complexity than exhaustive key search is not considered an attack at all. Generic Attacks on Stream Ciphers 6/22 Time Memory Tradeoffs (state) Large amounts of precomputed data is used to lower the computational complexity.
    [Show full text]
  • A Practical Attack on the Fixed RC4 in the WEP Mode
    A Practical Attack on the Fixed RC4 in the WEP Mode Itsik Mantin NDS Technologies, Israel [email protected] Abstract. In this paper we revisit a known but ignored weakness of the RC4 keystream generator, where secret state info leaks to the gen- erated keystream, and show that this leakage, also known as Jenkins’ correlation or the RC4 glimpse, can be used to attack RC4 in several modes. Our main result is a practical key recovery attack on RC4 when an IV modifier is concatenated to the beginning of a secret root key to generate a session key. As opposed to the WEP attack from [FMS01] the new attack is applicable even in the case where the first 256 bytes of the keystream are thrown and its complexity grows only linearly with the length of the key. In an exemplifying parameter setting the attack recov- ersa16-bytekeyin248 steps using 217 short keystreams generated from different chosen IVs. A second attacked mode is when the IV succeeds the secret root key. We mount a key recovery attack that recovers the secret root key by analyzing a single word from 222 keystreams generated from different IVs, improving the attack from [FMS01] on this mode. A third result is an attack on RC4 that is applicable when the attacker can inject faults to the execution of RC4. The attacker derives the internal state and the secret key by analyzing 214 faulted keystreams generated from this key. Keywords: RC4, Stream ciphers, Cryptanalysis, Fault analysis, Side- channel attacks, Related IV attacks, Related key attacks. 1 Introduction RC4 is the most widely used stream cipher in software applications.
    [Show full text]