
KSAm – An Improved RC4 Key-Scheduling Algorithm for Securing WEP

  • Bogdan Crainicu
  • Florian Mircea Boian
Conference paper

Abstract

RC4 is one of the most widely used stream ciphers. In this paper we propose a new variant of the RC4 Key-Scheduling Algorithm, called KSAm, whose primary goal is to address the FMS (Fluhrer-Mantin-Shamir) weakness of WEP-like cryptosystems, where the IV precedes the secret key. Security analysis of KSAm reveals that the FMS IV weakness is removed by destroying the FMS resolved condition. KSAm has a huge internal state of ≈3748 bits and provides a better distribution of the state table elements than the original KSA. Further, based on Roos’ experimental observation, we also found a weaker probabilistic correlation between the first three words of the secret key and the first three entries of the state table after KSAm, which causes a negligible bias of the first word of the RC4KSAm output stream towards the sum of the first three words of the secret key. The effect of this negligible bias can be easily avoided by discarding only the first word from the RC4KSAm output stream.

Index Terms

FMS attack; FMS resolved condition; IV weakness; KSA; KSAm; RC4KSA; RC4KSAm; weak keys; WEP


References

  [1] W. A. Arbaugh, N. Shankar, and Y. C. Justin Wan, “Your 802.11 Wireless Network has No Clothes”, IEEE Wireless Communications, Vol. 9, No. 6, pp. 44–51, 2002. Available: http://www.cs.umd.edu/~waa/wireless.pdf
  [2] A. Bittau, “Additional weak IV classes for the FMS attack”, Department of Computer Science, University College London, 2003. Available: http://www.cs.ucl.ac.uk/staff/a.bittau/sorwep.txt
  [3] A. Bittau, M. Handley, and J. Lackey, “The Final Nail in WEP’s Coffin”, in Proc. 2006 IEEE Symposium on Security and Privacy, S&P’06, pp. 386–400, 2006. Available: http://tapir.cs.ucl.ac.uk/bittau-wep.pdf
  [4] N. Borisov, I. Goldberg, and D. Wagner, “Intercepting mobile communications: The insecurity of 802.11”, in Proc. 7th Annual International Conference on Mobile Computing and Networking, MobiCom ’01, Rome, pp. 180–189, 2001. Available: http://www.cypherpunks.ca/~iang/pubs/wep-mob01.pdf
  [5] G. Marsaglia, Diehard Battery of Tests of Randomness, 1995. Available: http://stat.fsu.edu/pub/diehard/
  [6] H. Finney, “An RC4 cycle that can’t happen”, Post in sci.crypt, September 1994.
  [7] S. Fluhrer and D. McGrew, “Statistical analysis of the alleged RC4 keystream Generator”, in Proc. 7th International Workshop, FSE 2000, New York, Lecture Notes in Computer Science, Vol. 1978, Springer-Verlag, pp. 66–71, 2001.
  [8] S. Fluhrer, I. Mantin, and A. Shamir, “Weaknesses in the key scheduling algorithm of RC4”, in Proc. 8th Annual International Workshop, SAC 2001, Toronto, Lecture Notes in Computer Science, Vol. 2259, Springer-Verlag, pp. 1–24, 2001.
  [9] S. Fluhrer, I. Mantin, and A. Shamir, “Attacks on RC4 and WEP”, CryptoBytes (RSA Laboratories), Vol. 5, No. 2, pp. 26–34, 2002. Available: http://www.rsa.com/rsalabs/cryptobytes/cryptobytes_v5n2.pdf
  [10] D. Goldstein and D. Moews, “The identity is the most likely exchange shuffle for large n”, Aequationes Mathematicae, Vol. 65, No. 1–2, pp. 3–30, 2003.
  [11] J. Dj. Golic, “Linear statistical weakness of alleged RC4 keystream generator”, in Proc. International Conference on the Theory and Application of Cryptographic Techniques, EUROCRYPT ’97, Konstanz, Lecture Notes in Computer Science, Vol. 1233, Springer-Verlag, pp. 226–238, 1997.
  [12] G. Gong, K. C. Gupta, M. Hell, and Y. Nawaz, “Towards a General RC4-like Keystream Generator”, in Proc. First SKLOIS Conference, CISC 2005, Beijing, Lecture Notes in Computer Science, Vol. 3822, Springer-Verlag, pp. 162–174, 2005.
  [13] A. Grosul and D. Wallach, “A related key cryptanalysis of RC4”, Technical Report TR-00-358, Department of Computer Science, Rice University, 2000. Available: www.weizmann.ac.il/mathusers/itsik/RC4/Papers/GrosulWallach.ps
  [14] D. Hulton, “Practical exploitation of RC4 weaknesses in WEP environments”, 2001. Available: http://www.datastronghold.com/security-articles/hacking-articles/practical-exploitation-of-rc4-weaknesses-in-wep-environments.html
  [15] IEEE Standard for Information Technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, ANSI/IEEE Std 802.11, 1999 Edition (R2003). Available: http://standards.ieee.org/reading/ieee/std/lanman/
  [16] R. Jenkins, “Isaac and RC4”, 1998. Available: http://burtleburtle.net/bob/rand/isaac.html
  [17] A. Klein, “Attacks on the RC4 stream cipher”, Designs, Codes and Cryptography, Vol. 48, No. 3, Springer-Verlag, pp. 269–286, 2008. Available: http://cage.ugent.be/~klein/RC4/RC4-en.ps
  [18] KoreK, “Need security pointers”, 2004. Available: http://www.netstumbler.org/showthread.php?postid=89036#post89036
  [19] KoreK, “Next generation of WEP attacks?”, 2004. Available: http://www.netstumbler.org/showpost.php?p=93942&postcount=35
  [20] L. R. Knudsen, W. Meier, B. Preneel, V. Rijmen, and S. Verdoolaege, “Analysis Methods for (Alleged) RC4”, in Proc. International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT’98, Beijing, Lecture Notes in Computer Science, Vol. 1514, Springer-Verlag, pp. 327–341, 1998.
  [21] D. E. Knuth, “The Art of Computer Programming”, Third edition, Volume 2, Addison-Wesley, 1997.
  [22] K. Kobara and H. Imai, “Key-Dependent Weak IVs and Weak Keys in WEP – How to Trace Conditions Back to Their Patterns –”, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E89-A, No. 8, pp. 2198–2206, 2006.
  [23] K. Kobara and H. Imai, “IVs to Skip for Immunizing WEP against FMS Attack”, IEICE Transactions on Communications, Vol. E91-B, No. 1, pp. 218–227, 2008.
  [24] I. Mantin, “The Security of the Stream Cipher RC4”, Master Thesis, The Weizmann Institute of Science, 2001.
  [25] I. Mantin and A. Shamir, “A practical attack on broadcast RC4”, in Proc. 8th International Workshop, FSE 2001, Yokohama, Lecture Notes in Computer Science, Vol. 2355, Springer-Verlag, pp. 87–104, 2002.
  [26] I. Mantin, “Predicting and Distinguishing Attacks on RC4 Keystream Generator”, in Proc. 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2005, Aarhus, Lecture Notes in Computer Science, Vol. 3494, Springer-Verlag, pp. 491–506, 2005.
  [27] I. Mantin, “A Practical Attack on the Fixed RC4 in the WEP Mode”, in Proc. 11th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2005, Chennai, Lecture Notes in Computer Science, Vol. 3788, Springer-Verlag, pp. 395–411, 2005.
  [28] I. Mironov, “(Not So) Random Shuffles of RC4”, in Proc. 22nd Annual International Cryptology Conference, Advances in Cryptology, CRYPTO 2002, Santa Barbara, Lecture Notes in Computer Science, Vol. 2442, Springer-Verlag, pp. 304–319, 2002.
  [29] S. Mister and S. E. Tavares, “Cryptanalysis of RC4-like Ciphers”, in Proc. 5th Annual International Workshop, SAC 1998, Kingston, Lecture Notes in Computer Science, Vol. 1556, Springer-Verlag, pp. 131–143, 1999.
  [30] T. Ohigashi, Y. Shiraishi, and M. Morii, “Most IVs of FMS Attack-Resistant WEP Implementation Leak Secret Key Information”, in Proc. 2005 Symposium on Cryptography and Information Security, Maiko, Vol. 4, pp. 1957–1962, 2005.
  [31] T. Ohigashi, Y. Shiraishi, and M. Morii, “FMS Attack-Resistant WEP Implementation Is Still Broken – Most IVs Leaks a Part of Key Information –”, in Proc. International Conference, CIS 2005, Xi’an, Lecture Notes in Computer Science, Vol. 3802, Springer-Verlag, pp. 17–26, 2005.
  [32] T. Ohigashi, Y. Shiraishi, and M. Morii, “New Weakness in the Key-Scheduling Algorithm of RC4”, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E91-A, No. 1, pp. 3–11, 2008.
  [33] S. Paul and B. Preneel, “Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator”, in Proc. 4th International Conference on Cryptology in India, INDOCRYPT 2003, New Delhi, Lecture Notes in Computer Science, Vol. 2904, Springer-Verlag, pp. 52–67, 2002.
  [34] S. Paul and B. Preneel, “A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher”, in Proc. 11th International Workshop, FSE 2004, Delhi, Lecture Notes in Computer Science, Vol. 3017, Springer-Verlag, pp. 245–259, 2004.
  [35] G. Paul, S. Rathi, and S. Maitra, “On non-negligible bias of the first output bytes of RC4 towards the first three bytes of the secret key”, Designs, Codes and Cryptography, Vol. 49, No. 1–3, Springer-Verlag, pp. 123–134, 2008.
  [36] D. Robbins and E. Bolker, “The bias of three pseudo-random shuffles”, Aequationes Mathematicae, Vol. 22, pp. 268–292, 1981.
  [37] A. Roos, “Class of weak keys in the RC4 stream cipher”, Two posts in sci.crypt, message-id 43u1eh$1j3@hermes.is.co.za and 44ebge$llf@hermes.is.co.za, 1995.
  [38] R. Rivest, “RSA security response to weaknesses in key scheduling algorithm of RC4”, Tech Notes, RSA Laboratories, 2001. Available: http://www.rsasecurity.com/rsalabs/node.asp?id=2009
  [39] F. Schmidt and R. Simion, “Card shuffling and a transformation on Sn”, Aequationes Mathematicae, Vol. 44, pp. 11–34, 1992.
  [40] Y. Shiraishi, T. Ohigashi, and M. Morii, “An improved Internal-State Reconstruction Method of a Stream Cipher RC4”, in Proc. IASTED International Conference on Communication, Network, and Information Security, CNIS 2003, New York, pp. 132–135, 2003.
  [41] A. Stubblefield, J. Ioannidis, and A. Rubin, “Using the Fluhrer, Mantin, and Shamir attack to Break WEP”, Technical Report TD-4ZCPZZ, AT&T Labs, 2001.
  [42] A. Stubblefield, J. Ioannidis, and A. Rubin, “A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP)”, ACM Transactions on Information and System Security (TISSEC), Vol. 7, No. 2, pp. 319–332, 2004.
  [43] E. Tews, R. P. Weinmann, and A. Pyshkin, “Breaking 104 bit WEP in less than 60 seconds”, in Proc. 8th International Workshop, WISA 2007, Jeju Island, Lecture Notes in Computer Science, Vol. 4867, Springer-Verlag, pp. 188–202, 2008. Available: http://eprint.iacr.org/2007/120.pdf
  [44] S. Vaudenay and M. Vuagnoux, “Passive-only Key Recovery Attacks on RC4”, in Proc. 14th International Workshop, SAC 2007, Ottawa, Lecture Notes in Computer Science, Vol. 4876, Springer-Verlag, pp. 344–359, 2007. Available: http://infoscience.epfl.ch/record/115086/files/VV07.pdf
  [45] D. Wagner, “My RC4 weak keys”, Post in sci.crypt, message-id 447o1l$cbj@cnn.princeton.edu, 1995. Available: http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys
  [46] B. Zoltak, “VMPC One-Way Function and Stream Cipher”, in Proc. 11th International Workshop, FSE 2004, Delhi, Lecture Notes in Computer Science, Vol. 3017, Springer-Verlag, pp. 210–225, 2004.

Copyright information

© Springer Science+Business Media B.V. 2010

Authors and Affiliations

  1. “Petru Maior” University of Târgu Mureş, Târgu Mureş, Romania
  2. “Babeş-Bolyai” University of Cluj-Napoca, Cluj-Napoca, Romania
