KSAm – An Improved RC4 Key-Scheduling Algorithm for Securing WEP

Bogdan Crainicu
“Petru Maior” University of Targu Mures, N. Iorga, No. 1, Targu Mures, MS 540088, ROMANIA
[email protected]

Florian Mircea Boian
“Babeş-Bolyai” University of Cluj-Napoca, M. Kogălniceanu, No. 1, Cluj-Napoca, CJ 400084, ROMANIA
[email protected]
Abstract— RC4 is one of the most widely used stream ciphers. In this paper we propose a new variant of the RC4 Key-Scheduling Algorithm, called KSAm, whose primary goal is to address the FMS (Fluhrer-Mantin-Shamir) weakness of WEP-like cryptosystems, where the IV precedes the secret key. Security analysis of KSAm reveals that the FMS IV weakness is removed by destroying the FMS resolved condition. KSAm has a huge internal state of ≈ 3748 bits and provides a better distribution of the state table elements than the original KSA. Further, based on Roos’ experimental observation, we also found a weaker probabilistic correlation between the first three words of the secret key and the first three entries of the state table after KSAm, which causes a negligible bias of the first word of the RC4KSAm output stream towards the sum of the first three words of the secret key. The effect of this negligible bias can easily be avoided by discarding only the first word of the RC4KSAm output stream.

Index Terms—FMS attack, FMS resolved condition, IV weakness, KSA, KSAm, RC4KSA, RC4KSAm, weak keys, WEP
I. INTRODUCTION

RC4 is a stream cipher which was designed by Ron Rivest in 1987 and kept as a trade secret until it was anonymously posted to the Cypherpunks mailing list in 1994. A variable-length key is used to initialize a state table S, which is a permutation of all the N = 2^n possible n-bit words, along with two n-bit indices i and j (in practical applications n = 8). Because of its simplicity and speed, RC4 is the most widely used stream cipher; for example, it is used in the SSL/TLS (Secure Socket Layer/Transport Layer Security) standards and in WEP (Wired Equivalent Privacy), and it can also be found in email encryption products. Many critical analyses of RC4 and of RC4-based WEP implementations have been performed, and significant weaknesses have been discovered: states that RC4 can never enter [6], correlations between the secret and the known parts of the RC4 state [16], weak IVs/keys [2], [8], [14], [18], [19], [22], [23], [30], [31], [37], [45], invariance weakness [8], bias in the second output [25], related-key attack [8], [13], state recovery attack [20], [29], [32], [40], distinguishing attack [7], [11], [25]-[28], [33], [34], ciphertext-only attack [9], key-recovery attack [17], [27], [44], active attack [3], [43], fragmentation attack [3], biased distribution of the RC4 initial permutation [24], [28], and flaws in the IEEE 802.11 access control mechanism [1], [4]. The most incisive attack on RC4 was described by Fluhrer, Mantin and Shamir in [8] (also known as the FMS attack), where RC4 was proved to be completely insecure in the mode of operation used in the WEP protocol, in which a secret key is concatenated with known Initialization Vectors (IVs) in order to encrypt the plaintext. Stubblefield, Ioannidis and Rubin exploited this design failure and implemented in [41] and [42] a passive attack against WEP; they were able to recover the 128-bit secret key used in a production network. This weakness of WEP’s mode of operation can be addressed by discarding the first N = 2^n outputs or by using a secure hash function to build the session key from the IV and the secret key. Based also on their own results [8], Fluhrer, Mantin and Shamir show in [9] the details of a passive ciphertext-only attack which can find an arbitrarily long key in negligible time. In recent years, a number of proposals for modifying the RC4 algorithm have been advanced, all of them aiming to address the most critical weaknesses of RC4: Paul and Preneel present in [34] a new pseudorandom bit generator called RC4A, Zoltak proposes in [46] the VMPC stream cipher, and Gong, Gupta, Hell and Nawaz also propose in [12] a new 32/64-bit RC4-like keystream generator. In this paper, we analyze the Key-Scheduling Algorithm (KSA) and propose a modified version of KSA, called KSAm¹, which fortifies the WEP protocol against the FMS IV weakness, where the IV precedes the secret key.
KSAm adds a new secret-key-dependent scrambling loop (Scrambling 1) between the initialization stage and the original scrambling (Scrambling 2), with a view to leaving the array S scrambled “as far as possible” from the identity permutation. This feature has an impact not only on practical WEP implementations, but also on the construction of ciphertext-only distinguishers. From another standpoint, by holding two swap operations in KSAm, every entry of the state table is swapped at least twice, and thereby the probability of reaching the FMS resolved condition with known values for S[1], S[S[1]] and S[S[1] + S[S[1]]] becomes very small. Thus, we demonstrate that the attacker has no possibility of manipulating the KSAm permutation in order to reach the FMS resolved condition. Besides the effect of KSAm on the FMS IV weakness, the paper investigates the randomness of the permutation after KSAm. Based on the Diehard battery of tests of randomness [5], the results show a better distribution of state table entries after KSAm than that provided by the original KSA. KSAm has a huge internal state of ≈ 3748 bits and therefore it is much harder to reconstruct its internal state in the event of a “branch and bound” attack like that analyzed in [20]. On the other hand, KSAm is slower than KSA since there is an additional scrambling procedure; it takes almost twice as long as KSA, but this extra computation time is negligible – a specific feature of RC4KSA is that it is very fast in software implementations. Our analyses of KSAm reveal a weaker probabilistic correlation between the first three words of the secret key and the first three entries of the state table after KSAm, which causes a negligible bias of the first word produced by RC4KSAm towards the sum of the first three words of the secret key. Moreover, we test the Roos class of weak keys [37] for RC4KSAm, and we ascertain that for these keys the first output is equal to 2K[2] + 3 with a mean probability of 2^(-7.4). In comparison with the value of 2^(-2.85) obtained by Roos, our value is a real gain, since it is very close to the ideal value of 2^(-8). In order to mitigate these vulnerabilities and make RC4KSAm cryptographically secure, it is sufficient to drop only the first byte from the RC4KSAm keystream output, and not 256 as in RC4KSA. Nevertheless, we suggest discarding 32 bytes as a precaution².

¹ Here and in the rest of the paper RC4KSA means the original RC4, and RC4KSAm means RC4 with KSAm as key-scheduling algorithm. The PRGA remains the same in both RC4 versions.

The rest of the paper is organized as follows. In Section 2 we propose KSAm, which is a modified version of the original RC4 key-scheduling algorithm. We analyze here the resistance of KSAm against the FMS known-IV attack (when the IV precedes the secret key), followed by a performance analysis in terms of resources needed and time consumption. Further in this section, we also analyze the distribution of state table entries after KSAm and a probabilistic correlation between words of the secret key and words produced by RC4KSAm, and we test the effect of the Roos weak keys [37] on RC4KSAm. We conclude in Section 3, providing some future cryptanalytic directions for KSAm research. Due to space limitations, we present neither the RC4 and WEP algorithms nor the FMS IV attack (we presume that the reader is familiar with these concepts).

² In general, the total number of RC4 outputs that have to be dropped depends on the weaknesses discovered and the experimental data. For RC4KSA, the recommendations range from 128 bytes to 3072. Mironov states in [28]: “…discarding the initial 12 × 256 bytes most likely eliminates the possibility of a strong attack” and “dumping several times more than 256 bytes from the output stream appears to be just as reasonable a precaution.”
II. KSAM

A. Description

We now propose a modified version of the original KSA, which we denote as KSAm and describe in Fig. 1. KSAm encompasses an additional scrambling loop (Scrambling 1 – lines (a), (b), (c) and (d)): it takes the secret key and initializes a vector of indices u_0, u_1, …, u_(N–1); the values of the indices u_i are not necessarily unique within the vector, and they are kept secret. Then, it swaps the two values of S pointed to by i and u_i, so that the Scrambling 1 stage of KSAm ends with a secret state, which is different from the identity permutation with very high probability. The rest of the operations (Scrambling 2) remain the same as in the original KSA: it applies the scrambling round N = 2^n times, stepping i across S and updating j by adding the previous value of j, S[i] and the next word of the key.

KSA(K, S)
  Initialization:
    for i = 0 to N – 1
      S[i] = i;
    j = 0;
  Scrambling:
    for i = 0 to N – 1
      j = (j + S[i] + K[i mod l]) mod N;
      swap(S[i], S[j]);

KSAm(K, S)
  Initialization:
    for i = 0 to N – 1
      S[i] = i;
  Scrambling 1:
    (a) for i = 0 to N – 1
    (b)   u_i = (S[i] + K[i mod l]) mod N;
    (c) for i = 0 to N – 1
    (d)   swap(S[i], S[u_i]);
    j = 0;
  Scrambling 2:
    for i = 0 to N – 1
      j = (j + S[i] + K[i mod l]) mod N;
      swap(S[i], S[j]);

Fig. 1 KSA vs KSAm
B. Security Analysis of KSAm

At a glance, the first observation is that there are now two different scrambling processes, both of them based on the same secret key. Consequently, one question is whether the original scrambling process (Scrambling 2) could be eliminated. First of all, since Scrambling 1 alone also generates non-uniform distributions of the state table entries, the coupling of these two scrambling processes provides stronger randomness to the RC4 state than each of them taken separately (based on the Diehard battery of tests of randomness [5]). Obviously, the computation time needed to execute KSAm is almost twice that needed to execute KSA; even so, the additional time is insignificant. Secondly, we are trying to move as far as possible from the identity permutation before the PRGA takes place, in such a way that the FMS IV/invariance weaknesses [8] are diminished. Thirdly, a level of compatibility with the original KSA is still required.

1) Identity Permutation

With KSAm, we have two independent scrambling processes; therefore, after running both of them consecutively, each element of the state table will be swapped at least twice (possibly with itself).
Theorem 1: The probability that a particular single entry S[a] remains unchanged after completion of one of the two scrambling processes is:

P(S_N[a] = a) = 1/N + (1 – 1/N)^(N–1)    (1)

Proof: At some point, the index i takes the value a. In this round, with probability 1/N, i = j = a, and therefore S[a] will be swapped with itself. For the remaining (N – 1) rounds we have i ≠ a, and j ≠ a with probability (1 – 1/N). For N = 256, P(S_N[a] = a) can be modeled as:

P(S_N[a] = a) ≈ 1/256 + e^(-1) ≈ 0.3637    (2)

The probability that all N entries of table S remain unchanged after completion of one of the two scrambling processes (that is, the identity permutation) is:

P(S_N = identity_permutation) = [1/N + (1 – 1/N)^(N–1)]^N    (3)
The tests³ reveal that none of the 8-, 16-, 24- and 32-bit keys K produce the identity permutation after completion of KSAm (the measured running times of the tests were T(K=8) ≈ 0.003 s, T(K=16) ≈ 0.63 s, T(K=24) ≈ 157.84 s, T(K=32) ≈ 39337 s).

2) Internal State of KSAm

The security of KSAm also comes from its huge internal state. The internal state of RC4KSA is approximately 1700 bits for 8-bit words. KSAm provides a much larger size and, as a result, it is much harder to reconstruct its internal state (the values of the indices u_i are not necessarily unique; therefore, the number of all possibilities of distributing 2^n elements into 2^n cells where repetitions are allowed is (2^n)^(2^n)):

L_RC4-KSAm = log2(2^n! × (2^n)^(2^n) × (2^n)^2) = log2(2^n!) + (n × 2^n) + 2n

L_RC4-KSAm, n=8 ≈ 3748 bits

In comparison with KSA, KSAm needs only an additional 256 bytes of memory for the indices u_i (n = 8). Also, the tests show that the additional computational time of KSAm is negligible – a mod 256 operation can be performed with a bitwise AND with 255 (or a simple addition of bytes ignoring overflow), while the loop of updating the indices u_i (Fig. 1 – lines (a) and (b)) can be parallelized on a multi-core machine, given the independence of these updating operations.
³ The test programs were written in C and were run under Linux (kernel 2.6.18-92.1.6.el5xen), on a machine with the following hardware configuration: 1 Intel Xeon 2.33 GHz Dual-Core CPU, 8192 KB Cache, 8 GB RAM.
3) KSAm and FMS IV Weakness

The proposed KSAm aims to minimize the FMS IV weakness by destroying the FMS resolved condition and by increasing the randomness of the distribution of the state table entries, including those whose values are pointed to by S[1], S[S[1]] and S[S[1] + S[S[1]]]. Since the key is also used in the first scrambling procedure of KSAm, where every state table entry is swapped at least once, the attacker will not know the entries S[1], S[S[1]] and S[S[1] + S[S[1]]] after one iteration of the second scrambling procedure. Therefore, examining messages with specific IV values such that, at some stage in the second scrambling loop, KSAm is in a resolved condition as defined in [8], and where the value of S[S[1] + S[S[1]]] reveals information about the secret key, is useless. The idea behind the FMS IV attack was first published by Wagner in [45], and involves only looking for IVs that match (A + 3, N – 1, X), for approximately 60 different values of X; the attacker knows the first A words of the secret key K[3], …, K[A + 2], with A = 0 initially, and tries to find the next word K[A + 3]. When the IV is prepended to the secret key, the input of KSA and KSAm is as follows:

• Initialization Vector (IV) of size I: IV[0]IV[1]…IV[I – 1].
• Secret Key (SK) of size L: SK[0]SK[1]…SK[L – 1].
• RC4 Key (K) of size l = I + L: K[0…l – 1] = IV[0]…IV[I – 1]SK[0]…SK[L – 1] = IV[0]…IV[I – 1]SK[0]…SK[l – I – 1].
Considering now a series of IVs of the form (A + 3, N – 1, X) which precede the secret key, we simulate the following scenario for A = 0 (all additions are carried out modulo N):

KSAm – Scrambling 1:
Building vector u_i:
i = 0: u_0 = S[0] + IV[0] = 0 + 3 = 3, where IV[0] = K[0];
i = 1: u_1 = S[1] + IV[1] = 1 + (N – 1) = 0, where IV[1] = K[1];
i = 2: u_2 = S[2] + IV[2] = 2 + X, where IV[2] = K[2];
i = 3: u_3 = S[3] + SK[0] = 3 + SK[0], where SK[0] = K[3];
…
i = m: u_m = S[m] + K[m mod l];
…
Swapping:
swap(S[0], S[3]) ⇒ S[0] = 3, S[3] = 0 (known results)
swap(S[1], S[0]) ⇒ S[0] = 1, S[1] = 3 (known results)
swap(S[2], S[2 + X]) ⇒ S[2] = 2 + X, S[2 + X] = 2 (known results)
swap(S[3], S[3 + K[3]]) ⇒ S[3] = 3 + K[3], S[3 + K[3]] = 0 (3 + K[3] is unknown)
…
With probability greater than e^(-2) ≈ 0.1353, neither of the values S[0] = 1 and S[1] = 3 will be disturbed by any further swaps of the first scrambling. At this point, the required inequality S_3[1] < 3 does not hold, because S_3[1] = 3.

KSAm – Scrambling 2:
i = 0: j = S[0] + 3 = 4, swap(S[0], S[4]) ⇒ S[0] = M1, S[4] = 1 (M1 is unknown);
i = 1: j = 4 + S[1] + (N – 1) = 6, swap(S[1], S[6]) ⇒ S[1] = M2, S[6] = 3 (M2 is unknown);
i = 2: j = 6 + S[2] + X = 8 + 2X, swap(S[2], S[8 + 2X]), where S[2] = 2 + X with probability e^(-1) ≈ 0.3678 before the swap, and S[8 + 2X] = M3 (M3 is unknown) ⇒ S[2] = M3, S[8 + 2X] = 2 + X;
i = 3: j = 8 + 2X + S[3] + K[3] = 11 + 2(X + K[3]), swap(S[3], S[11 + 2(X + K[3])]), where S[3] = 3 + K[3] with probability e^(-1) ≈ 0.3678 before the swap, and S[11 + 2(X + K[3])] = M4 (M4 is unknown) ⇒ S[3] = M4, S[11 + 2(X + K[3])] = 3 + K[3];
…

Next, the PRGA takes place:
i = 1: j = S[1] = M2 with probability e^(-1) ≈ 0.3678, swap(S[1], S[M2]), Z = Out = S[S[M2] + S[1]]
At this moment, Z = Out is output as the first PRGA word. We assume that the attacker knows this word and aims to reverse it back into the first word SK[0] of the secret key SK. Based on the details of the IV attack described in [8], we now test whether the value of SK[0] can be predicted:

SK[0] = K[3] = S_2^(-1)[Out] – j_2 – S_2[3]    (4)

Fluhrer, Mantin and Shamir recommend in [8] the use of the following equations immediately after the KSA to determine whether a particular IV is weak. So, for B = 0, we have:

X = S_3[1] < 3    (5)
X + S_3[X] = 3    (6)
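The following Python is an added example (not code from the paper): it implements both columns of Fig. 1 together with the unchanged PRGA, and applies the weak-IV test of equations (5) and (6) to the state S_I after the first I rounds of the (second) scrambling, for the original KSA and for KSAm. The function names `scramble`, `fms_resolved`, `resolved_fraction` and `sample_secret_keys` are chosen here, and the secret keys are constructed from a fixed seed.

```python
"""KSA and KSAm (both columns of Fig. 1), the unchanged PRGA, and the
weak-IV test of equations (5)-(6) on the state S_I after the first I rounds
of the (second) scrambling.  Added example, not the paper's code.
"""
import random
from typing import List

N = 256  # n = 8: the state table is a permutation of the 256 byte values


def scramble(S: List[int], key: bytes, rounds: int = N) -> int:
    """Original KSA scrambling loop, run in place for `rounds` steps; returns j."""
    j = 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return j


def ksa(key: bytes) -> List[int]:
    """Original RC4 key scheduling (left column of Fig. 1)."""
    S = list(range(N))
    scramble(S, key)
    return S


def ksam_scrambling1(key: bytes) -> List[int]:
    """Scrambling 1 of KSAm: u_i = (S[i] + K[i mod l]) mod N is computed from
    the identity state (lines (a), (b)); then S[i] and S[u_i] are swapped for
    every i (lines (c), (d)).  The u_i need not be distinct."""
    S = list(range(N))
    u = [(S[i] + key[i % len(key)]) % N for i in range(N)]
    for i in range(N):
        S[i], S[u[i]] = S[u[i]], S[i]
    return S


def ksam(key: bytes) -> List[int]:
    """KSAm (right column of Fig. 1): Scrambling 1, then Scrambling 2 (= KSA loop)."""
    S = ksam_scrambling1(key)
    scramble(S, key)
    return S


def prga(S: List[int], nbytes: int, drop: int = 0) -> bytes:
    """RC4 output generation, identical for RC4KSA and RC4KSAm.  The first
    `drop` output words are discarded (the paper suggests 32 for RC4KSAm)."""
    S = S[:]  # the caller's state is left untouched
    i = j = 0
    out = bytearray()
    for t in range(drop + nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) % N]
        if t >= drop:
            out.append(z)
    return bytes(out)


def fms_resolved(key: bytes, variant: str, I: int = 3, B: int = 0) -> bool:
    """Equations (5)-(6) on S_I: X = S_I[1] < I and X + S_I[X] = I + B (mod N).

    For "ksa" the first I rounds act on the identity permutation; for "ksam"
    they act on the state left by Scrambling 1, which already depends on the
    whole key.  With key = IV || SK and I = len(IV) this is the weak-IV test."""
    S = list(range(N)) if variant == "ksa" else ksam_scrambling1(key)
    scramble(S, key, rounds=I)
    X = S[1]
    return X < I and (X + S[X]) % N == (I + B) % N


def sample_secret_keys(count: int, length: int = 13, seed: int = 1) -> List[bytes]:
    """Constructed sample secret keys (13 bytes = 104-bit WEP) from a fixed seed."""
    rng = random.Random(seed)
    return [bytes(rng.randrange(N) for _ in range(length)) for _ in range(count)]


def resolved_fraction(iv: bytes, secret_keys: List[bytes], variant: str) -> float:
    """Fraction of secret keys for which IV || SK meets the resolved condition."""
    hits = sum(fms_resolved(iv + sk, variant, I=len(iv)) for sk in secret_keys)
    return hits / len(secret_keys)


if __name__ == "__main__":
    keys = sample_secret_keys(500)
    weak_iv = bytes([3, N - 1, 7])  # IV of the form (A + 3, N - 1, X) with A = 0
    for variant in ("ksa", "ksam"):
        print(variant, resolved_fraction(weak_iv, keys, variant))
    print(prga(ksam(weak_iv + keys[0]), 8, drop=32).hex())
```

With the original KSA every key prefixed by an IV of the form (3, N – 1, X) satisfies (5)-(6) after three rounds, whereas under KSAm the same IV reaches the condition only for a small, key-dependent fraction of secret keys.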
Since the entry S[1] is already affected by a secret-key-dependent swapping procedure during the second scrambling (S_1[1] = M2), searching for IV values that, after the first 3 steps, set up the permutation S such that S_3[1] + S_3[S_3[1]] = 3 (S_I[1] + S_I[S_I[1]] = I + B, where I = 3 and B = 0) is pointless. Moreover, taking into account that the first scrambling leaves S in a relatively random state, we have at least one unknown value on the right-hand side of Equation (4), namely the last term (S_2[3] = 3 + K[3]), whose value depends on the secret key K. Consequently, the attacker has no possibility of manipulating KSAm in order to reach the resolved condition as it is defined in [8].

4) Considerations about the Randomness of the Permutation after KSAm and Roos Weak Keys

Another goal of KSAm is to provide a better distribution of the state table elements than KSA. In order to achieve this goal, KSAm comprises two scrambling loops, called Scrambling 1 and Scrambling 2. The Scrambling 1 loop makes the difference between the original RC4KSA and RC4KSAm. The design of KSAm tries to follow Knuth’s observation [21]: instead of swapping S[i] with a random entry, it must be swapped with an entry randomly chosen from S[i] to S[N – 1]. Although the implementation of this concept is quite problematic because of the randomness of the key K, the algorithm behind Scrambling 1 is relatively simple: a (roughly) linear “growing” of the u_i values so that, at least for the first entries, S[u_i] ∈ [i, N – 1]. As we stated previously, Scrambling 1 alone did not pass all of Marsaglia’s Diehard battery of tests [5]; instead, by preceding Scrambling 2, the two together form a scrambling block which successfully passes ten of Marsaglia’s Diehard tests. Within these tests, we give special attention to the values of the entries S[1], S[S[1]] and S[S[1] + S[S[1]]]. Since the most important biases found in RC4 are related to the first output words, our analysis is also focused on predicting the values of the first state table entries after both KSAm scramblings. When starting with the first steps of the original KSA swapping, there is a high probability that the entries pointed to by the index j have not themselves been involved yet in any previous shuffles. Roos observes in [37]:

Result 1 [37]: Given a key length of K bytes, and E < K, there is a 37% probability that element E of the state table depends only on elements 0…E (inclusive) of the key.

Result 2 [37]: The most likely value for element E of the state table is S[E] = X(E) + E(E+1)/2, where X(E) is the sum of bytes 0…E (inclusive) of the key.

We consider Result 2 [37] for KSAm:

Theorem 2: The probability that the value of the first few elements E of the state table after KSAm is S[E] = 2X(E) + E(E+1)/2, where X(E) is the sum of bytes 0…E (inclusive) of the key and E < K, is:

P(S[E] = 2X(E) + E(E+1)/2) = [1/N + (1 – 1/N)^(N–1)] × (1 – 1/N)^p, where p = N(E+2) + [E(E–1) – 4]/2
Proof:
KSAm – Scrambling 1:
Building vector u_i:
i = 0: u_0 = S[0] + K[0] = 0 + K[0];
i = 1: u_1 = S[1] + K[1] = 1 + K[1];
i = 2: u_2 = S[2] + K[2] = 2 + K[2];
i = 3: u_3 = S[3] + K[3] = 3 + K[3];
…
Swapping:
swap(S[0], S[K[0]]) ⇒ S[0] = K[0]; with probability (1 – 1/N)^(N–1) the value referenced by S[0] will not participate in any further swaps of Scrambling 1;
swap(S[1], S[1 + K[1]]) ⇒ S[1] = 1 + K[1]; with probability (1 – 1/N)^(N–1) the value referenced by S[1] will not participate in any further swaps of Scrambling 1;
…

KSAm – Scrambling 2:
i = 0: j = S[0] + K[0] = K[0] + K[0] = 2K[0] (only if S[0] = K[0]), swap(S[0], S[2K[0]]); S[2K[0]] = 2K[0] with probability [1/N + (1 – 1/N)^(N–1)] ⇒
P(S_after-Scrambling1+Scrambling2[0] = 2X(0) = 2K[0])
= P(S_after-Scrambling1[2K[0]] = 2K[0]) × P(S_after-Scrambling1[0] = K[0]) × P(S_after-Scrambling2[0] = 2K[0])
= [1/N + (1 – 1/N)^(N–1)] × (1 – 1/N)^(N–1) × (1 – 1/N)^(N–1)
= [1/N + (1 – 1/N)^(N–1)] × (1 – 1/N)^(2N–2);

i = 1: j = j + S[1] + K[1] = 2K[0] + (1 + K[1]) + K[1] = 2K[0] + 2K[1] + 1 (only if j_0 = 2K[0] and S[1] = 1 + K[1]), swap(S[1], S[2K[0] + 2K[1] + 1]); S[2K[0] + 2K[1] + 1] = 2K[0] + 2K[1] + 1 with probability [1/N + (1 – 1/N)^N] ⇒
P(S_after-Scrambling1+Scrambling2[1] = 2X(1) + 1 = 2K[0] + 2K[1] + 1)
= P(S_after-Scrambling1-and-first-round-of-Scrambling2[2K[0] + 2K[1] + 1] = 2K[0] + 2K[1] + 1) × P(j_0 = 2K[0]) × P(S_after-Scrambling1-and-first-round-of-Scrambling2[1] = 1 + K[1]) × P(S_after-Scrambling2[1] = 2K[0] + 2K[1] + 1)
= [[1/N + (1 – 1/N)^(N–1)] × (1 – 1/N)] × (1 – 1/N)^(N–1) × (1 – 1/N)^N × (1 – 1/N)^(N–2)
= [1/N + (1 – 1/N)^(N–1)] × (1 – 1/N)^(3N–2);
…

The probability P(S[E] = 2X(E) + E(E+1)/2) decreases exponentially with respect to N. We can also approximate the relation between the probabilities of two adjacent entries as follows:

P(S[E+1] = 2X(E+1) + (E+1)(E+2)/2) = (1 – 1/N)^(N+E) × P(S[E] = 2X(E) + E(E+1)/2)
The results of a practical evaluation of these probabilities are given in Table 1 for the first three entries, generated from 1000000 random 64-bit keys. For the rest of the state table entries, we consider the asymptotic value of 0.39.

TABLE 1 PRACTICAL EVALUATION OF P(S[E] = 2X(E) + E(E+1)/2)

State table entry    Percentage of correct predictions
S[0]                 3.97
S[1]                 1.65
S[2]                 0.54
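The closed forms of this section (Theorem 1, equation (3), the internal-state size L and Theorem 2) evaluated for N = 256 and set beside the Table 1 measurements, as an added example that is not the paper's code; the function names are chosen here and TABLE_1_PERCENT copies the paper's measured values for the comparison.

```python
"""Closed forms from Section II.B evaluated for N = 256: Theorem 1 and
eq. (3), the internal-state size L_RC4-KSAm, and Theorem 2 set beside
Table 1.  Added example, not the paper's code.
"""
import math

N = 256


def p_entry_fixed(n: int = N) -> float:
    """Theorem 1, eq. (1): P(S_N[a] = a) = 1/N + (1 - 1/N)^(N-1)."""
    return 1.0 / n + (1.0 - 1.0 / n) ** (n - 1)


def p_identity(n: int = N) -> float:
    """Eq. (3): probability that one scrambling pass returns the identity."""
    return p_entry_fixed(n) ** n


def internal_state_bits(n_bits: int = 8) -> float:
    """L_RC4-KSAm = log2(2^n!) + n*2^n + 2n: the permutation S, the vector of
    2^n indices u_i (repetitions allowed), and the two n-bit indices i, j."""
    n = 2 ** n_bits
    log2_factorial = math.lgamma(n + 1) / math.log(2)  # log2(2^n!)
    return log2_factorial + n_bits * n + 2 * n_bits


def p_roos_ksam(E: int, n: int = N) -> float:
    """Theorem 2: P(S[E] = 2X(E) + E(E+1)/2) = [1/N + (1-1/N)^(N-1)] * (1-1/N)^p
    with p = N(E+2) + [E(E-1) - 4]/2; E = 0 and E = 1 give exponents 2N-2 and 3N-2."""
    p = n * (E + 2) + (E * (E - 1) - 4) / 2
    return p_entry_fixed(n) * (1.0 - 1.0 / n) ** p


def adjacent_ratio(E: int, n: int = N) -> float:
    """(1 - 1/N)^(N+E): the factor relating P(E+1) to P(E) stated after the proof."""
    return (1.0 - 1.0 / n) ** (n + E)


# Measured percentages from Table 1 (10^6 random 64-bit keys), copied from the paper.
TABLE_1_PERCENT = {0: 3.97, 1: 1.65, 2: 0.54}


def compare_with_table1():
    """Rows (E, predicted %, measured %) for the entries reported in Table 1."""
    return [(E, 100.0 * p_roos_ksam(E), TABLE_1_PERCENT[E]) for E in range(3)]


if __name__ == "__main__":
    print(f"P(S_N[a] = a)      = {p_entry_fixed():.4f}")
    print(f"P(S_N = identity)  = {p_identity():.3e}")
    print(f"L_RC4-KSAm (n = 8) = {internal_state_bits():.1f} bits")
    for E, pred, meas in compare_with_table1():
        print(f"E = {E}: predicted {pred:.2f} %, measured {meas:.2f} %")
```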
Roos describes in [37] a class of RC4KSA weak keys: for keys which have K[0] + K[1] = 0, the first output is equal to K[2] + 3 with probability 2^(-2.85). Paul, Rathi and Maitra theoretically prove in [35] Roos’ experimental observation related to these keys. Accordingly, applying these weak keys to RC4KSAm, the first word generated by RC4KSAm will be Output = Z_1 = S[2] = 2K[2] + 3 with a mean probability of 2^(-7.4). The probability obtained is very promising since it is so close to the value of 2^(-8). Even so, as a further safety precaution against a prefix attack, our recommendation remains as stated in many RC4-related research papers [8], [9], [24]-[28], [38], namely discarding the initial bytes of the PRGA output or generating the session key with a secure hash function. For RC4KSA the suggestion is to drop at least 256 bytes (Mironov even suggests in [28] dropping the initial 12 × 256 bytes), while for RC4KSAm discarding only the first byte will make RC4KSAm cryptographically secure. Nevertheless, we recommend discarding 32 bytes, as a reasonable prudence.

III. CONCLUSIONS AND FUTURE WORK

We showed a modified version of KSA, called KSAm, whose main goal is to address the FMS IV weakness of WEP-like cryptosystems, where the IV precedes the secret key. We proved that KSAm removes the FMS IV weakness (IV precedes the secret key) and that there are no means to manipulate KSAm in order to reach the resolved condition as it is defined in [8]. RC4KSAm has a huge internal state of ≈ 3748 bits (for n = 8) and produces a truly random permutation (tested with Marsaglia’s Diehard battery of tests [5]), which in turn yields a uniform distribution of the output Z. We discovered a negligible bias of the first word of the RC4KSAm output stream towards the sum of the first three words of the secret key. We also analyzed the effect of the Roos weak keys [37] on RC4KSAm: our results reveal that the first output of RC4KSAm is equal to 2K[2] + 3 with probability 2^(-7.4). Therefore, the Roos keys are not “so weak” for RC4KSAm anymore. Discarding only the first output byte seems to be the right solution in order to protect against the above-mentioned weaknesses, but our suggestion is still to discard at least 32 bytes. Since RC4 remains one of the most widely used stream ciphers, being very popular due to its simplicity, protective measures have to be provided against its vulnerabilities. We believe that KSAm can be a viable replacement for KSA, especially for WEP-like cryptosystems, where the secret key is concatenated with a 24-bit Initialization Vector. Future work should focus, first of all, on the effects of KSAm on the FMS IV weakness where the IV follows the secret key, and then on finding, if any, other classes of weak keys and possible statistical biases in the output words which could be used to construct a strong distinguisher. And, of course, ideas about the general behaviour of RC4KSAm are welcome.

REFERENCES
[1] W. A. Arbaugh, N. Shankar, and Y. C. Justin Wan, “Your 802.11 Wireless Network has No Clothes”, IEEE Wireless Communications, Vol. 9, No. 6, pp. 44-51, 2002. Available: http://www.cs.umd.edu/~waa/wireless.pdf
[2] A. Bittau, “Additional weak IV classes for the FMS attack”, Department of Computer Science, University College London, 2003. Available: http://www.cs.ucl.ac.uk/staff/a.bittau/sorwep.txt
[3] A. Bittau, M. Handley, and J. Lackey, “The Final Nail in WEP’s Coffin”, in Proc. 2006 IEEE Symposium on Security and Privacy, S&P’06, pp. 386-400, 2006. Available: http://tapir.cs.ucl.ac.uk/bittauwep.pdf
[4] N. Borisov, I. Goldberg, and D. Wagner, “Intercepting mobile communications: The insecurity of 802.11”, in Proc. 7th Annual International Conference on Mobile Computing and Networking, MobiCom '01, Rome, pp. 180-189, 2001. Available: http://www.cypherpunks.ca/~iang/pubs/wep-mob01.pdf
[5] G. Marsaglia, Diehard Battery of Tests of Randomness, 1995. Available: http://stat.fsu.edu/pub/diehard/
[6] H. Finney, “An RC4 cycle that can’t happen”, post in sci.crypt, September 1994.
[7] S. Fluhrer and D. McGrew, “Statistical analysis of the alleged RC4 keystream generator”, in Proc. 7th International Workshop, FSE 2000, New York, Lecture Notes in Computer Science, Vol. 1978, Springer-Verlag, pp. 66-71, 2001.
[8] S. Fluhrer, I. Mantin, and A. Shamir, “Weaknesses in the key scheduling algorithm of RC4”, in Proc. 8th Annual International Workshop, SAC 2001, Toronto, Lecture Notes in Computer Science, Vol. 2259, Springer-Verlag, pp. 1-24, 2001.
[9] S. Fluhrer, I. Mantin, and A. Shamir, “Attacks on RC4 and WEP”, CryptoBytes (RSA Laboratories), Vol. 5, No. 2, pp. 26-34, 2002. Available: http://www.rsa.com/rsalabs/cryptobytes/cryptobytes_v5n2.pdf
[10] D. Goldstein and D. Moews, “The identity is the most likely exchange shuffle for large n”, Aequationes Mathematicae, Vol. 65, No. 1-2, pp. 3-30, 2003.
[11] J. Dj. Golic, “Linear statistical weakness of alleged RC4 keystream generator”, in Proc. International Conference on the Theory and Application of Cryptographic Techniques, EUROCRYPT ’97, Konstanz, Lecture Notes in Computer Science, Vol. 1233, Springer-Verlag, pp. 226-238, 1997.
[12] G. Gong, K. C. Gupta, M. Hell, and Y. Nawaz, “Towards a General RC4-like Keystream Generator”, in Proc. First SKLOIS Conference, CISC 2005, Beijing, Lecture Notes in Computer Science, Vol. 3822, Springer-Verlag, pp. 162-174, 2005.
[13] A. Grosul and D. Wallach, “A related key cryptanalysis of RC4”, Technical Report TR-00-358, Department of Computer Science, Rice University, 2000. Available: www.weizmann.ac.il/mathusers/itsik/RC4/Papers/GrosulWallach.ps
[14] D. Hulton, “Practical exploitation of RC4 weaknesses in WEP environments”, 2001. Available: http://www.datastronghold.com/security-articles/hackingarticles/practical-exploitation-of-rc4-weaknesses-in-wepenvironments.html
[15] IEEE Standard for Information Technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, ANSI/IEEE Std 802.11, 1999 Edition (R2003). Available: http://standards.ieee.org/reading/ieee/std/lanman/
[16] R. Jenkins, “Isaac and RC4”, 1998. Available: http://burtleburtle.net/bob/rand/isaac.html
[17] A. Klein, “Attacks on the RC4 stream cipher”, Designs, Codes and Cryptography, Vol. 48, No. 3, Springer-Verlag, pp. 269-286, 2008. Available: http://cage.ugent.be/~klein/RC4/RC4-en.ps
[18] KoreK, “Need security pointers”, 2004. Available: http://www.netstumbler.org/showthread.php?postid=89036#post89036
[19] KoreK, “Next generation of WEP attacks?”, 2004. Available: http://www.netstumbler.org/showpost.php?p=93942&postcount=35
[20] L. R. Knudsen, W. Meier, B. Preneel, V. Rijmen, and S. Verdoolaege, “Analysis Methods for (Alleged) RC4”, in Proc. International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT’98, Beijing, Lecture Notes in Computer Science, Vol. 1514, Springer-Verlag, pp. 327-341, 1998.
[21] D. E. Knuth, “The Art of Computer Programming”, Third edition, Volume 2, Addison-Wesley, 1997.
[22] K. Kobara and H. Imai, “Key-Dependent Weak IVs and Weak Keys in WEP – How to Trace Conditions Back to Their Patterns –”, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E89-A, No. 8, pp. 2198-2206, 2006.
[23] K. Kobara and H. Imai, “IVs to Skip for Immunizing WEP against FMS Attack”, IEICE Transactions on Communications, Vol. E91-B, No. 1, pp. 218-227, 2008.
[24] I. Mantin, “The Security of the Stream Cipher RC4”, Master Thesis, The Weizmann Institute of Science, 2001.
[25] I. Mantin and A. Shamir, “A practical attack on broadcast RC4”, in Proc. 8th International Workshop, FSE 2001, Yokohama, Lecture Notes in Computer Science, Vol. 2355, Springer-Verlag, pp. 87-104, 2002.
[26] I. Mantin, “Predicting and Distinguishing Attacks on RC4 Keystream Generator”, in Proc. 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2005, Aarhus, Lecture Notes in Computer Science, Vol. 3494, Springer-Verlag, pp. 491-506, 2005.
[27] I. Mantin, “A Practical Attack on the Fixed RC4 in the WEP Mode”, in Proc. 11th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2005, Chennai, Lecture Notes in Computer Science, Vol. 3788, Springer-Verlag, pp. 395-411, 2005.
[28] I. Mironov, “(Not So) Random Shuffles of RC4”, in Proc. 22nd Annual International Cryptology Conference, Advances in Cryptology, CRYPTO 2002, Santa Barbara, Lecture Notes in Computer Science, Vol. 2442, Springer-Verlag, pp. 304-319, 2002.
[29] S. Mister and S. E. Tavares, “Cryptanalysis of RC4-like Ciphers”, in Proc. 5th Annual International Workshop, SAC 1998, Kingston, Lecture Notes in Computer Science, Vol. 1556, Springer-Verlag, pp. 131-143, 1999.
[30] T. Ohigashi, Y. Shiraishi, and M. Morii, “Most IVs of FMS Attack-Resistant WEP Implementation Leak Secret Key Information”, in Proc. 2005 Symposium on Cryptography and Information Security, Maiko, Vol. 4, pp. 1957-1962, 2005.
[31] T. Ohigashi, Y. Shiraishi, and M. Morii, “FMS Attack-Resistant WEP Implementation Is Still Broken – Most IVs Leak a Part of Key Information –”, in Proc. International Conference, CIS 2005, Xi’an, Lecture Notes in Computer Science, Vol. 3802, Springer-Verlag, pp. 17-26, 2005.
[32] T. Ohigashi, Y. Shiraishi, and M. Morii, “New Weakness in the Key-Scheduling Algorithm of RC4”, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E91-A, No. 1, pp. 3-11, 2008.
[33] S. Paul and B. Preneel, “Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator”, in Proc. 4th International Conference on Cryptology in India, INDOCRYPT 2003, New Delhi, Lecture Notes in Computer Science, Vol. 2904, Springer-Verlag, pp. 52-67, 2002.
[34] S. Paul and B. Preneel, “A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher”, in Proc. 11th International Workshop, FSE 2004, Delhi, Lecture Notes in Computer Science, Vol. 3017, Springer-Verlag, pp. 245-259, 2004.
[35] G. Paul, S. Rathi, and S. Maitra, “On non-negligible bias of the first output bytes of RC4 towards the first three bytes of the secret key”, Designs, Codes and Cryptography, Vol. 49, No. 1-3, Springer-Verlag, pp. 123-134, 2008.
[36] D. Robbins and E. Bolker, “The bias of three pseudo-random shuffles”, Aequationes Mathematicae, Vol. 22, pp. 268-292, 1981.
[37] A. Roos, “Class of weak keys in the RC4 stream cipher”, two posts in sci.crypt, message-ids [email protected] and [email protected], 1995.
[38] R. Rivest, “RSA security response to weaknesses in key scheduling algorithm of RC4”, Tech Notes, RSA Laboratories, 2001. Available: http://www.rsasecurity.com/rsalabs/node.asp?id=2009
[39] F. Schmidt and R. Simion, “Card shuffling and a transformation on Sn”, Aequationes Mathematicae, Vol. 44, pp. 11-34, 1992.
[40] Y. Shiraishi, T. Ohigashi, and M. Morii, “An improved Internal-State Reconstruction Method of a Stream Cipher RC4”, in Proc. IASTED International Conference on Communication, Network, and Information Security, CNIS 2003, New York, pp. 132-135, 2003.
[41] A. Stubblefield, J. Ioannidis, and A. Rubin, “Using the Fluhrer, Mantin, and Shamir attack to Break WEP”, Technical Report TD-4ZCPZZ, AT&T Labs, 2001.
[42] A. Stubblefield, J. Ioannidis, and A. Rubin, “A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)”, ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 2, pp. 319-332, 2004.
[43] E. Tews, R. P. Weinmann, and A. Pyshkin, “Breaking 104 bit WEP in less than 60 seconds”, in Proc. 8th International Workshop, WISA 2007, Jeju Island, Lecture Notes in Computer Science, Vol. 4867, Springer-Verlag, pp. 188-202, 2008. Available: http://eprint.iacr.org/2007/120.pdf
[44] S. Vaudenay and M. Vuagnoux, “Passive-only Key Recovery Attacks on RC4”, in Proc. 14th International Workshop, SAC 2007, Ottawa, Lecture Notes in Computer Science, Vol. 4876, Springer-Verlag, pp. 344-359, 2007. Available: http://infoscience.epfl.ch/record/115086/files/VV07.pdf
[45] D. Wagner, “My RC4 weak keys”, post in sci.crypt, message-id [email protected], 1995. Available: http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys
[46] B. Zoltak, “VMPC One-Way Function and Stream Cipher”, in Proc. 11th International Workshop, FSE 2004, Delhi, Lecture Notes in Computer Science, Vol. 3017, Springer-Verlag, pp. 210-225, 2004.