New Linear Correlations Related to State Information of RC4 PRGA Using IV in WPA

  title={New Linear Correlations Related to State Information of RC4 PRGA Using IV in WPA},
  author={Ryoma Ito and Atsuko Miyaji},
RC4 is a stream cipher designed by Ron Rivest in 1987, and is widely used in various applications. WPA is one of these applications, where TKIP is used for a key generation procedure to avoid weak IV generated by WEP. In FSE 2014, two different attacks against WPA were proposed by Sen Gupta et al. and Paterson et al. Both focused correlations between the keystream bytes and the first 3 bytes of the RC4 key in WPA. In this paper, we focus on linear correlations between unknown internal state and… 
How TKIP Induces Biases of Internal States of Generic RC4
T theoretical results demonstrated how TKIP key generation procedure in WPA induces biases on internal states different from generic RC4, as well as linear correlations between the keystream byte and known RC4 key bytes.
Tornado Attack on RC4 with Applications to WEP & WPA
This paper reports extremely fast and optimized active and passive attacks against IEEE 802.11 wireless communication protocol WEP and a key recovery and a distinguishing attack against WPA, and describes several attacks on WPA.
Refined Construction of RC4 Key Setting in WPA
Refined RC4 Key Correlations of Internal States in WPA
  • Ryoma Ito, A. Miyaji
  • Computer Science
    IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
  • 2016


Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA
A disciplined study of RC4 biases resulting specifically in such a scenario, and proves the interesting sawtooth distribution of the first byte in WPA and the similar nature for the biases in the initial keystream bytes towards zero.
New State Recovery Attack on RC4
A state recovery attack which accepts the keystream of a certain length, and recovers the internal state, and it is much smaller than the complexity of the best known previous attack 2779.
Weaknesses in the Key Scheduling Algorithm of RC4
It is shown that RC4 is completely insecure in a common mode of operation which is used in the widely deployed Wired Equivalent Privacy protocol (WEP, which is part of the 802.11 standard), in which a fixed secret key is concatenated with known IV modifiers in order to encrypt different messages.
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
A complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes, and that these biases propagate further, once the information for the index jis revealed.
Plaintext Recovery Attacks Against WPA/TKIP
Very large, TSC-dependent biases in the RC4 keystream when the algorithm is keyed according to the WPA specification permit us to mount an effective statistical, plaintext-recovering attack in the situation where the same plaintext is encrypted in many different frames.
Attacks on the RC4 stream cipher
  • Andreas Klein
  • Computer Science, Mathematics
    Des. Codes Cryptogr.
  • 2008
The attack described by Fluhrer, Mantin, Shamir in such a way, that it will work, if the weak keys described in that paper are avoided, and a further attack will work if the first 256 Byte of the output remain unused.
Some Combinatorial Results towards State Recovery Attack on RC4
This paper performs a combinatorial analysis of the complexity of RC4 state recovery under the assumption that the values of j are known for several rounds, and reveals a nice combinatorsial structure of the RC4 evolution and establishes certain interesting results related to the complex of state recovery.
Permutation After RC4 Key Scheduling Reveals the Secret Key
  • G. Paul, S. Maitra
  • Computer Science, Mathematics
    Selected Areas in Cryptography
  • 2007
A theoretical analysis of the RC4 Key Scheduling Algorithm is presented, where the nonlinear operation is swapping among the permutation bytes, and an algorithm is devised to recover the l bytes from the final permutation after the KSA with constant probability of success.
On the Security of RC4 in TLS
C ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption are presented, building on recent advances in the statistical analysis of RC4, and on new findings announced in this paper.
Full Plaintext Recovery Attack on Broadcast RC4
Several new biases in the initial (1st to 257th) bytes of the RC4 keystream, which are substantially stronger than known biases are introduced, which enable a plaintext recovery attack using a strong bias set of initial bytes.