Plaintext Recovery Attacks Against WPA/TKIP

  • Kenneth G. Paterson
  • Bertram Poettering
  • Jacob C. N. Schuldt
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


We conduct an analysis of the RC4 algorithm as it is used in the IEEE WPA/TKIP wireless standard. In that standard, RC4 keys are computed on a per-frame basis, with specific key bytes being set to known values that depend on 2 bytes of the WPA frame counter (called the TSC). We observe very large, TSC-dependent biases in the RC4 keystream when the algorithm is keyed according to the WPA specification. These biases permit us to mount an effective statistical, plaintext-recovering attack in the situation where the same plaintext is encrypted in many different frames (the so-called “broadcast attack” setting). We assess the practical impact of these attacks on WPA/TKIP.



We thank Jon Hart of the ISG at RHUL for his assistance with computing infrastructure. The research of the authors was supported by an EPSRC Leadership Fellowship, EP/H005455/1.



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Kenneth G. Paterson (1)
  • Bertram Poettering (1)
  • Jacob C. N. Schuldt (1)
  1. Information Security Group, Royal Holloway, University of London, Surrey, UK
