Designs, Codes and Cryptography, Volume 77, Issue 1, pp 231–253

Proving TLS-attack related open biases of RC4

  • Santanu Sarkar
  • Sourav Sen Gupta
  • Goutam Paul
  • Subhamoy Maitra

Abstract

After a series of results on RC4 cryptanalysis in flagship cryptology conferences and journals, one of the most significant recent attacks on the cipher has been the discovery of vulnerabilities in the SSL/TLS protocol by AlFardan et al. (USENIX 2013). Through extensive computations, they identified some new and significant short-term single-byte biases in the RC4 keystream sequence, and utilized those, along with existing biases, towards the TLS attack. The current article proves these new and previously unproved biases in RC4, and in the process discovers intricate non-randomness within the cipher. In this connection, we also prove the anomaly in the 128th element of the permutation after the key scheduling algorithm. Finally, the proof for the extended key-length dependent biases in the RC4 keystream sequence, a problem attempted and partially solved by Isobe et al. at FSE 2013, is also completed in this work.
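The phenomena the abstract refers to can be measured directly from a reference implementation. The following Python script is an added example, not code from the paper: it implements RC4's KSA and PRGA, estimates the Mantin-Shamir bias P[Z_2 = 0] (a well-known single-byte keystream bias, used here as a stand-in for the short-term biases AlFardan et al. tabulated) over random 16-byte keys, and tabulates the empirical distribution of S[128] after KSA, the permutation position whose anomaly the paper proves; the trial counts and RNG seed are arbitrary choices, and the keys are constructed at random.

```python
# Added example (not from the paper): plain RC4 plus two small empirical checks.
import random
from collections import Counter

N = 256

def ksa(key: bytes) -> list:
    """RC4 key scheduling: returns the permutation S after KSA."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def prga(S: list, n: int) -> bytes:
    """RC4 pseudo-random generation: first n keystream bytes Z_1..Z_n from S."""
    S = S[:]                      # work on a copy; the caller's S is untouched
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)

def keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes Z_1..Z_n for the given key."""
    return prga(ksa(key), n)

def random_key(rng: random.Random, keylen: int) -> bytes:
    return bytes(rng.randrange(N) for _ in range(keylen))   # constructed key

def keystream_byte_freq(r: int, value: int, trials: int, keylen: int = 16, seed: int = 1) -> float:
    """Empirical P[Z_r = value] over `trials` random keys of length keylen."""
    rng = random.Random(seed)
    hits = sum(keystream(random_key(rng, keylen), r)[r - 1] == value for _ in range(trials))
    return hits / trials

def ksa_entry_distribution(index: int, trials: int, keylen: int = 16, seed: int = 1) -> Counter:
    """Empirical distribution of S[index] after KSA over `trials` random keys."""
    rng = random.Random(seed)
    return Counter(ksa(random_key(rng, keylen))[index] for _ in range(trials))

if __name__ == "__main__":
    p = keystream_byte_freq(2, 0, 30000)
    print(f"P[Z_2 = 0] ~ {p:.5f}  (uniform {1/N:.5f}, Mantin-Shamir predicts ~{2/N:.5f})")
    d = ksa_entry_distribution(128, 30000)
    v = max(d, key=lambda x: abs(d[x] - 30000 / N))   # most deviating observed value
    print(f"S[128] after KSA: value {v} seen {d[v]} times, uniform expectation {30000/N:.1f}")
```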

Keywords

Anomaly, Biases, RC4, Pseudo-randomness, Sequence, Stream Cipher, TLS

Mathematics Subject Classification

94A60 

References

  1. AlFardan, N.J., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: King, S.T. (ed.) Proceedings of the 22nd USENIX Security Symposium, Washington, DC, August 14–16, 2013, pp. 305–320. USENIX Association (2013)
  2. AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., Schuldt, J.: Distribution of RC4 keystream bytes. http://www.isg.rhul.ac.uk/tls/RC4_keystream_dist_2_45.txt. Accessed 20 July 2014
  3. Basu, R., Ganguly, S., Maitra, S., Paul, G.: A complete characterization of the evolution of RC4 pseudo random generation algorithm. J. Math. Cryptol. 2(3), 257–289 (2008)
  4. Bernstein, D.: Failures of secret-key cryptography. Invited talk at FSE 2013, session chaired by Bart Preneel. http://cr.yp.to/talks/2013.03.12/slides.pdf. Accessed 20 July 2014
  5. Fluhrer, S.R., McGrew, D.A.: Statistical analysis of the alleged RC4 keystream generator. In: Schneier, B. (ed.) FSE. Lecture Notes in Computer Science, vol. 1978. Springer, Heidelberg (2000)
  6. Golic, J.D.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy, W. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 1233, pp. 226–238. Springer, Heidelberg (1997)
  7. Golic, J.D.: Linear models for a time-variant permutation generator. IEEE Trans. Inf. Theory 45(7), 2374–2382 (1999)
  8. Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: Moriai, S. (ed.) Fast Software Encryption, 20th International Workshop (FSE 2013), Singapore, March 11–13, 2013. Lecture Notes in Computer Science, vol. 8424, pp. 179–202. Springer (2014)
  9. Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Comprehensive analysis of initial keystream biases of RC4. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E97–A(1), 139–151 (2014)
  10. Jenkins, R.J.: ISAAC and RC4 (1996). http://burtleburtle.net/bob/rand/isaac.html. Accessed 20 July 2014
  11. Lv, J., Lin, D.: L-P states of RC4 stream cipher. IACR Cryptology ePrint Archive, no. 266 (2013)
  12. Lv, J., Zhang, B., Lin, D.: Distinguishing attacks on RC4 and a new improvement of the cipher. IACR Cryptology ePrint Archive, no. 176 (2013)
  13. Maitra, S., Paul, G., Sen Gupta, S.: Attack on broadcast RC4 revisited. In: Joux, A. (ed.) FSE. Lecture Notes in Computer Science, vol. 6733, pp. 199–217. Springer, Heidelberg (2011)
  14. Maitra, S., Paul, G., Sarkar, S., Lehmann, M., Meier, W.: New results on generalization of Roos-type biases and related keystream of RC4. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) Africacrypt. Lecture Notes in Computer Science, vol. 7918, pp. 222–239. Springer, Heidelberg (2013)
  15. Mantin, I.: Analysis of the stream cipher RC4. Master's thesis, The Weizmann Institute of Science, Israel (2001). http://www.wisdom.weizmann.ac.il/itsik/RC4/RC4.html. Accessed 20 July 2014
  16. Mantin, I.: Predicting and distinguishing attacks on RC4 keystream generator. In: Cramer, R. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 3494, pp. 491–506. Springer, Heidelberg (2005)
  17. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE. Lecture Notes in Computer Science, vol. 2355, pp. 152–164. Springer, Heidelberg (2001)
  18. Mironov, I.: (Not so) random shuffles of RC4. In: Yung, M. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 2442, pp. 304–319. Springer, Heidelberg (2002)
  19. Orumiehchiha, M.A., Pieprzyk, J., Shakour, E., Steinfeld, R.: Cryptanalysis of RC4(n, m) stream cipher. IACR Cryptology ePrint Archive, no. 178 (2013)
  20. Paul, G., Maitra, S., Srivastava, R.: On non-randomness of the permutation after RC4 key scheduling. In: Boztas, S., Lu, H.F. (eds.) AAECC. Lecture Notes in Computer Science, vol. 4851, pp. 100–109. Springer, Heidelberg (2007)
  21. Roos, A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, message-id 43u1eh$1j3@hermes.is.co.za and 44ebge$llf@hermes.is.co.za (1995). http://www.impic.org/papers/WeakKeys-report.pdf. Accessed 20 July 2014
  22. Sarkar, S.: Further non-randomness in RC4, RC4A and VMPC. In: International Workshop on Coding and Cryptography (WCC) (2013)
  23. Sen Gupta, S., Maitra, S., Paul, G., Sarkar, S.: Proof of empirical RC4 biases and new key correlations. In: Miri, A., Vaudenay, S. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 7118, pp. 151–168. Springer, Heidelberg (2011)
  24. Sen Gupta, S., Maitra, S., Paul, G., Sarkar, S.: (Non-)random sequences from (non-)random permutations: analysis of RC4 stream cipher. J. Crypt. 27(1), 67–108 (2014)
  25. Sepehrdad, P.: Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-lightweight Symmetric Primitives. PhD thesis No. 5415, École Polytechnique Fédérale de Lausanne (EPFL) (2012). http://lasecwww.epfl.ch/sepehrdad/Pouyan_Sepehrdad_PhD_Thesis.pdf. Accessed 20 July 2014
  26. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 6544, pp. 74–91. Springer, Heidelberg (2010)
  27. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4: distinguishing WPA. In: Paterson, K.G. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 6632, pp. 343–363. Springer, Heidelberg (2011)
  28. Sepehrdad, P., Susil, P., Vaudenay, S., Vuagnoux, M.: Smashing WEP in a passive attack. Fast Software Encryption (FSE) (2013)
  29. Strömbergson, J., Josefsson, S.: The perils of repeating patterns: observation of some weak keys in RC4. IACR Cryptology ePrint Archive, no. 241 (2013)

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Santanu Sarkar (1)
  • Sourav Sen Gupta (2)
  • Goutam Paul (2)
  • Subhamoy Maitra (3)
  1. Chennai Mathematical Institute, Chennai, India
  2. Cryptology and Security Research Unit, R. C. Bose Centre for Cryptology and Security, Indian Statistical Institute, Kolkata, India
  3. Applied Statistics Unit, Indian Statistical Institute, Kolkata, India