# Weaknesses in the Key Scheduling Algorithm of RC4

@inproceedings{Fluhrer2001WeaknessesIT, title={Weaknesses in the Key Scheduling Algorithm of RC4}, author={Scott R. Fluhrer and Itsik Mantin and Adi Shamir}, booktitle={Selected Areas in Cryptography}, year={2001} }

In this paper we present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. [...] We use these weak keys to construct new distinguishers for RC4, and to mount related key attacks with practical complexities. Finally, we show that RC4 is completely insecure in a common mode of operation which is used in the widely deployed Wired Equivalent Privacy protocol (WEP, which is part of the 802.11 standard), in which a fixed secret key is concatenated…

#### 1,240 Citations

New Weakness in the Key-Scheduling Algorithm of RC4

- Computer Science
- IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
- 2008

This paper proposes a method to recover an l-bit secret key from only the first l bits of the initial state of RC4 using linear equations with the time complexity less than that of one execution of KSA.

Passive-Only Key Recovery Attacks on RC4

- Computer Science
- Selected Areas in Cryptography
- 2007

A passive-only attack able to significantly improve the key recovery process on WEP with a data complexity of 2^15 eavesdropped packets is described.

A New Practical Key Recovery Attack on the Stream Cipher RC4 under Related-Key Model

- Computer Science
- Inscrypt
- 2010

A new key recovery attack under related-key model on RC4 is presented, based on the property that RC4 can generate a large amount of colliding key pairs, which is able to recover any random key in practical time when the length of the key is large under a new proposed related key model.

KSAm - An Improved RC4 Key-Scheduling Algorithm for Securing WEP

- Computer Science
- TeNe
- 2008

A new variant of RC4 Key-Scheduling Algorithm, called KSAm, is proposed, whose primary goal is to address the FMS (Fluhrer-Mantin-Shamir) weakness of WEP-like cryptosystems, where IV precedes the secret key.

A Scheme for Key Management on Alternate Temporal Key Hash

- Computer Science
- Int. J. Netw. Secur.
- 2005

This paper shall propose a scheme to make key management feasible in their solution without changing the framework of the ATKH and the existing 802.11 standards.

Analysis of selected methods for the recovery of encrypted WEP key

- Computer Science, Engineering
- Other Conferences
- 2014

This paper deals with some of the WEP (Wired Equivalent Privacy) key decryption methods based on aircrack-ng software, which was embedded in Backtrack operating system (Linux distribution). The…

A New Practical Key Recovery Attack on the Stream Cipher RC4 under Related-Key Model

- 2019

A new key recovery attack under related-key model on RC4 is presented in this paper. This novel attack is based on the property that RC4 can generate a large amount of colliding key pairs. By making…

Expanding Weak-key Space of RC4

- Computer Science
- J. Inf. Process.
- 2014

This attack is the best-known single-key key recovery attack on RC4 with respect to efficiency and is applicable to any keystream, while Teramura et al.

Cryptanalysis of KSAm-like Algorithms

- Computer Science
- 2008 First International Conference on Complexity and Intelligence of the Artificial and Natural Complex Systems. Medical Applications of the Complex Systems. Biomedical Computing
- 2008

A new variant of key-scheduling algorithm, called KSAm, is proposed, whose primary goal is to address the Fluhrer-Mantin-Shamir (FMS) weakness of WEP-like cryptosystems, where IV (initialization vector) precedes the secret key.

New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4

- Computer Science
- FSE
- 2008

A complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes, and that these biases propagate further, once the information for the index j is revealed.

#### References

SHOWING 1-10 OF 22 REFERENCES

A Related-Key Cryptanalysis of RC4

- Computer Science
- 2000

Analysis of the RC4 stream cipher shows that for each 2048-bit key there exists a family of related keys, differing in one of the byte positions, and recommends that applications of RC4 with keys longer than 128 bits discard the initial 256 bytes of the keystream output.

Cryptanalysis of RC4-like Ciphers

- Computer Science
- Selected Areas in Cryptography
- 1998

This analysis shows that, although the full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated.

A Practical Attack on Broadcast RC4

- Computer Science
- FSE
- 2001

A major statistical weakness in RC4 makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes, which can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications.

Real Time Cryptanalysis of A5/1 on a PC

- Computer Science
- FSE
- 2000

New attacks on A5/1 are described, which are based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets, which make it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers.

Analysis Methods for (Alleged) RC4

- Computer Science
- ASIACRYPT
- 1998

The analysis methods reveal intrinsic properties of alleged RC4 which are independent of the key scheduling and the key size, and the complexity of one of the attacks is estimated to be less than the time of searching through the square root of all possible initial states.

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP

- Computer Science
- NDSS
- 2002

It is concluded that 802.11 WEP is totally insecure, and some recommendations are provided to make the attack more efficient.

Statistical Analysis of the Alleged RC4 Keystream Generator

- Computer Science
- FSE
- 2000

A method for distinguishing 8-bit RC4 from randomness is demonstrated and it is observed that an attacker can, on occasion, determine portions of the internal state with nontrivial probability.

Linear Statistical Weakness of Alleged RC4 Keystream Generator

- Mathematics, Computer Science
- EUROCRYPT
- 1997

A keystream generator known as RC4 is analyzed by the linear model approach. It is shown that the second binary derivative of the least significant bit output sequence is correlated to 1 with the…

Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications

- Computer Science
- 1997

services are specified here by describing the service primitives and parameters that characterize each service. This definition is independent of any particular implementation. In particular, the…

Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications

- Computer Science
- 1999

The medium access control (MAC) and physical characteristics for wireless local area networks (LANs) are specified in this standard, part of a series of standards for local and metropolitan area…