Big Bias Hunting in Amazonia: Large-Scale Computation and Exploitation of RC4 Biases (Invited Paper)

RC4 is (still) a very widely-used stream cipher. Previous work by AlFardan et al. (USENIX Security 2013) and Paterson et al. (FSE 2014) exploited the presence of biases in the RC4 keystreams to mount plaintext recovery attacks against TLS-RC4 and WPA/TKIP. We improve on the latter work by performing large-scale computations to obtain accurate estimates of the single-byte and double-byte distributions in the early portions of RC4 keystreams for the WPA/TKIP context and by then using these distributions in a novel variant of the previous plaintext recovery attacks. The distribution computations were conducted using the Amazon EC2 cloud computing infrastructure and involved the coordination of 213 hyper-threaded cores running in parallel over a period of several days. We report on our experiences of computing at this scale using commercial cloud services. We also study Microsoft’s Point-to-Point Encryption protocol and its use of RC4, showing that it is also vulnerable to our attack techniques.
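To make the "single-byte distribution" computation concrete, here is a small added example (written for this page, not the authors' code or the EC2 job the abstract describes) that implements textbook RC4 and estimates the distribution of the first few keystream bytes over many keys. It assumes uniformly random 16-byte keys, whereas the paper's WPA/TKIP setting uses keys whose leading bytes are derived from the packet counter; the scale here (tens of thousands of keys) is also many orders of magnitude below what the paper computed, so only the strongest classical bias, Z_2 = 0 appearing at roughly twice the uniform rate, stands out above sampling noise.

```python
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) over a 256-entry permutation,
    then n bytes of pseudo-random generation (PRGA) output."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def single_byte_distributions(num_keys: int, positions: int, key_len: int = 16, seed: int = 1):
    """Empirical distribution of keystream bytes Z_1..Z_positions over num_keys
    independent keys. Keys are uniformly random (an assumption of this example;
    WPA/TKIP keys have IV-derived structure in their first bytes instead).
    Returns a list of Counters; counts[r-1][v] is how often Z_r == v."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    counts = [Counter() for _ in range(positions)]
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        for r, z in enumerate(rc4_keystream(key, positions)):
            counts[r][z] += 1
    return counts


def bias_ratio(counts, num_keys: int, position: int, value: int) -> float:
    """Observed Pr[Z_position == value] divided by the uniform 1/256.
    1.0 means no bias; 2.0 means the value appears twice as often as it should."""
    return counts[position - 1][value] / num_keys * 256


def strongest_biases(counts, num_keys: int, top: int = 3):
    """Largest positive deviations from uniform across all positions and values,
    as (position, value, ratio) triples sorted by ratio, descending."""
    triples = []
    for r, c in enumerate(counts, start=1):
        for v in range(256):
            triples.append((r, v, c[v] / num_keys * 256))
    triples.sort(key=lambda t: t[2], reverse=True)
    return triples[:top]


if __name__ == "__main__":
    N = 24000  # sample size chosen for a few seconds of runtime in pure Python
    counts = single_byte_distributions(N, positions=4)
    print("Pr[Z_2 = 0] / (1/256) =", round(bias_ratio(counts, N, 2, 0), 2))
    for r, v, ratio in strongest_biases(counts, N):
        print(f"Z_{r} = {v:3d}: {ratio:.2f} x uniform")
```

With 24000 keys each of the 1024 (position, value) cells has an expected count of about 94 with a standard deviation near 10, so a cell that is merely noisy lands within roughly 1.3x uniform; the Z_2 = 0 cell sits near 2.0x and is the only one that separates cleanly. Resolving the far smaller biases the paper relies on at other positions and in byte pairs requires keystreams from billions of keys, which is what the cloud-scale computation in the abstract was for.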