Discovery and Exploitation of New Biases in RC4

  • Pouyan Sepehrdad
  • Serge Vaudenay
  • Martin Vuagnoux
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6544)


In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4. With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9800 encrypted packets (less than 20 seconds), instead of 24200 for the best previous attack.


Discrete Fourier Transform Exhaustive Search Success Probability Initialization Vector Stream Cipher 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Biham, E., Carmeli, Y.: Efficient Reconstruction of RC4 Keys from Internal States. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 270–288. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Bittau, A.: Additional Weak IV Classes for the FMS Attack (2003),
  3. 3.
    Chaabouni, R.: Breaking WEP Faster with Statistical Analysis. Ecole Polytechnique Fédérale de Lausanne, LASEC, Semester Project (2006)Google Scholar
  4. 4.
    Devine, C., Otreppe, T.: Aircrack,
  5. 5.
    Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Fluhrer, S.R., McGrew, D.A.: Statistical Analysis of the Alleged RC4 Keystream Generator. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Golic, J.D.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  8. 8.
    Golic, J.D.: Iterative Probabilistic Cryptanalysis of RC4 Keystream Generator. In: Dawson, E., Clark, A., Boyd, C. (eds.) ACISP 2000. LNCS, vol. 1841, pp. 220–233. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Hulton, D.: Practical Exploitation of RC4 Weaknesses in WEP Environments (2001),
  10. 10.
    IEEE. ANSI/IEEE standard 802.11i: Amendment 6 Wireless LAN Medium Access Control (MAC) and Physical Layer (phy) Specifications, Draft 3 (2003)Google Scholar
  11. 11.
    Jenkins, R.: ISAAC and RC4,
  12. 12.
    Klein, A.: Attacks on the RC4 Stream Cipher. Personal Andreas Klein website (2006),
  13. 13.
    Klein, A.: Attacks on the RC4 Stream Cipher. Des. Codes Cryptography 48(3), 269–286 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Knudsen, L.R., Meier, W., Preneel, B., Rijmen, V., Verdoolaege, S.: Analysis Methods for (Alleged) RC4. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 327–341. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
  16. 16.
    KoreK. Next Generation of WEP Attacks? (2004),
  17. 17.
    Maitra, S., Paul, G.: New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 253–269. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Mantin, I.: Analysis of the Stream Cipher RC4,
  19. 19.
    Mantin, I.: Predicting and Distinguishing Attacks on RC4 Keystream Generator. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 491–506. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Mantin, I., Shamir, A.: A Practical Attack on Broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  21. 21.
    Maximov, A.: Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 342–358. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Maximov, A., Khovratovich, D.: New State Recovery Attack on RC4. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 297–316. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Mironov, I.: (Not So) Random Shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 304–319. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  24. 24.
    Moen, V., Raddum, H., Hole, K.J.: Weaknesses in the Temporal Key Hash of WPA. Mobile Computing and Communications Review 8(2), 76–83 (2004)CrossRefGoogle Scholar
  25. 25.
    Paul, G., Maitra, S.: Permutation After RC4 Key Scheduling Reveals the Secret Key. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 360–377. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Paul, G., Rathi, S., Maitra, S.: On Non-negligible Bias of the First Output Bytes of RC4 towards the First Three Bytes of the Secret Key. In: WCC 2007 - International Workshop on Coding and Cryptography, pp. 285–294 (2007)Google Scholar
  27. 27.
    Paul, S., Preneel, B.: A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  28. 28.
    Roos, A.: A Class of Weak Keys in RC4 Stream Cipher (sci.crypt) (1995),
  29. 29.
    Tews, E., Beck, M.: Practical attacks against WEP and WPA. In: Basin, D.A., Capkun, S., Lee, W. (eds.) WISEC, pp. 79–86. ACM, New York (2009)CrossRefGoogle Scholar
  30. 30.
    Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 Bit WEP in Less Than 60 Seconds. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 188–202. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  31. 31.
    Tomasevic, V., Bojanic, S., Nieto-Taladriz, O.: Finding an internal state of RC4 stream cipher. Finding an internal state of RC4 stream cipher 177(7), 1715–1727 (2007)MathSciNetzbMATHGoogle Scholar
  32. 32.
    Vaudenay, S., Vuagnoux, M.: Passive–Only Key Recovery Attacks on RC4. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 344–359. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Vuagnoux, M.: Computer Aided Cryptanalysis from Ciphers to Side channels. PhD thesis, Ecole Polytechnique Fédérale de Lausanne — EPFL (2010)Google Scholar
  34. 34.
    Wagner, D.: Weak Keys in RC4 (sci.crypt) (1995),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Pouyan Sepehrdad
    • 1
  • Serge Vaudenay
    • 1
  • Martin Vuagnoux
    • 1
  1. 1.EPFLLausanneSwitzerland

Personalised recommendations