Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA

  • Sourav Sen Gupta
  • Subhamoy Maitra
  • Willi Meier
  • Goutam Paul
  • Santanu Sarkar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


The first three bytes of the RC4 key in WPA are public as they are derived from the public parameter IV, and this derivation leads to a strong mutual dependence between the first two bytes of the RC4 key. In this paper, we provide a disciplined study of RC4 biases resulting specifically in such a scenario. Motivated by the work of AlFardan et al. (2013), we first prove the interesting sawtooth distribution of the first byte in WPA and the similar nature for the biases in the initial keystream bytes towards zero. As we note, this sawtooth characteristics of these biases surface due to the dependence of the first two bytes of the RC4 key in WPA, both derived from the same byte of the IV. Our result on the nature of the first keystream byte provides a significantly improved distinguisher for RC4 used in WPA than what had been presented by Sepehrdad et al. (2011–2012). Further, we revisit the correlation of initial keystream bytes in WPA to the first three bytes of the RC4 key. As these bytes are known from the IV, one can obtain new as well as significantly improved biases in WPA than the absolute biases exploited earlier by AlFardan et al. or Isobe et al. We notice that the correlations of the keystream bytes with publicly known IV values of WPA potentially strengthen the practical plaintext recovery attack on the protocol.


RC4 WPA Bias Key correlation Plaintext recovery 



We are thankful to the anonymous reviewers of FSE 2014 for their detailed review reports containing invaluable feedback, which helped in substantially improving the technical and editorial quality of our paper.


  1. 1.
    Alfardan, N., Bernstein, D. J., Paterson, K. G., Poettering, B., Schuldt, J.: On the security of RC4 in TLS. In: USENIX Security Symposium Presented at FSE 2013 as an Invited Talk [2] by Daniel J. Bernstein (2013).
  2. 2.
    Bernstein, D. J.: Failures of secret-key cryptography. Invited talk at FSE 2013; session chaired by Bart Preneel (2013)Google Scholar
  3. 3.
    Chaabouni, R.: Break WEP faster with statistical analysis. IACR Cryptology ePrint Arch. 2013, 425 (2013). Google Scholar
  4. 4.
    Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, p. 1. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  5. 5.
    IEEE Computer Society. 802.11iTM - IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks -Specific requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements, July 2004Google Scholar
  6. 6.
    Isobe, T., Ohigashi, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 179–202. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  7. 7.
    Klein, A.: Attacks on the RC4 stream cipher. Des. Codes Crypt. 48(3), 269–286 (2008). Published online in 2006CrossRefzbMATHGoogle Scholar
  8. 8.
    Maitra, S., Paul, G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 253–269. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  9. 9.
    Maitra, S., Paul, G., Sen Gupta, S.: Attack on broadcast RC4 revisited. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 199–217. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  10. 10.
    Mantin, I.: Analysis of the stream cipher RC4. Master’s thesis, The Weizmann Institute of Science, Israel (2001).
  11. 11.
    Mantin, I., Shamir, A.: A Practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  12. 12.
    Paterson, K.G., Schuldt, J.C.N., Poettering, B.: Plaintext recovery attacks against WPA/TKIP. In: Cid, C., Rechberger, C. (eds.) FSE 2014, LNCS 8540, pp. 325–349 (2015)Google Scholar
  13. 13.
    Paul, G., Maitra, S.: Permutation after RC4 key scheduling reveals the secret key. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 360–377. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  14. 14.
    Paul, G., Rathi, S., Maitra, S.: On non-negligible bias of the first output byte of RC4 towards the first three bytes of the secret key. Des. Codes Crypt. 49(1–3), 123–134 (2008). Initial version in Proceedings of WCC 2007CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Roos, A.: A class of weak keys in the RC4 stream cipher. Two posts in sci.crypt, 43u1eh\({\$}\) and 44ebge\({\$}\) (1995).
  16. 16.
    Sarkar, S.: Proving empirical key-correlations in RC4. Inf. Proc. Lett. 114(5), 234–238 (2014)CrossRefzbMATHGoogle Scholar
  17. 17.
    Sen Gupta, S., Maitra, S., Paul, G., Sarkar, S.: (Non-)random sequences from (non-)random permutations - analysis of RC4 stream cipher. J. Crypt. 27, 67–108 (2014). doi: 10.1007/s00145-012-9138-1. Published online in December 2012CrossRefzbMATHGoogle Scholar
  18. 18.
    Sepehrdad, P.: Statistical and algebraic cryptanalysis of lightweight and ultra-lightweight symmetric primitives. Ph.D. thesis No. 5415, École Polytechnique Fédérale de Lausanne (EPFL) (2012).
  19. 19.
    Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 74–91. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  20. 20.
    Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 343–363. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  21. 21.
    Tews, E.: Attacks on the WEP protocol. IACR Cryptology ePrint Arch. 2007, 471 (2007). Google Scholar
  22. 22.
    Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 188–202. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  23. 23.
    Ohigashi, T., Isobe, T., Watanabe, Y., Morii, M.: How to recover any byte of plaintext on RC4. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 155–173. Springer, Heidelberg (2014) Google Scholar
  24. 24.
    Vaudenay, S., Vuagnoux, M.: Passive–only key recovery attacks on RC4. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 344–359. Springer, Heidelberg (2007) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Sourav Sen Gupta
    • 1
  • Subhamoy Maitra
    • 1
  • Willi Meier
    • 2
  • Goutam Paul
    • 1
  • Santanu Sarkar
    • 3
  1. 1.Indian Statistical InstituteKolkataIndia
  2. 2.FHNWWindischSwitzerland
  3. 3.Chennai Mathematical InstituteChennaiIndia

Personalised recommendations