New Iterated RC4 Key Correlations

This paper investigates key correlations in the keystream generated by RC4 and then presents significant improvements to the plaintext recovery attack on WPA-TKIP over the attack by Isobe et al. at FSE 2013. We first discuss newly discovered key correlations between 2 bytes of the RC4 key and a keystream byte in each round. Such correlations are referred to as iterated RC4 key correlations. We further apply our iterated RC4 key correlations to the plaintext recovery attack on WPA-TKIP in the same way as the attack by Sen Gupta et al. at FSE 2014, and achieve significant improvements in recovering 8 bytes of a plaintext over the attack by Isobe et al. at FSE 2013. Our result implies that WPA-TKIP further lowers the security level of generic RC4.

[1] Alexander Maximov, et al. New State Recovery Attack on RC4, 2008, CRYPTO.

[2] Serge Vaudenay, et al. Discovery and Exploitation of New Biases in RC4, 2010, Selected Areas in Cryptography.

[3] Willi Meier, et al. Dependence in IV-Related Bytes of RC4 Key Enhances Vulnerabilities in WPA, 2014, FSE.

[4] Masakatu Morii, et al. Full Plaintext Recovery Attack on Broadcast RC4, 2013, FSE.

[5] Adi Shamir, et al. A Practical Attack on Broadcast RC4, 2001, FSE.

[6] Frank Piessens, et al. All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS, 2015, USENIX Annual Technical Conference.

[7] Andrei Popov, et al. Prohibiting RC4 Cipher Suites, 2015, RFC.

[8] Goutam Paul, et al. Permutation After RC4 Key Scheduling Reveals the Secret Key, 2007, Selected Areas in Cryptography.

[9] Vincent Rijmen, et al. Analysis Methods for (Alleged) RC4, 1998, ASIACRYPT.

[10] Ryoma Ito, et al. Refined Construction of RC4 Key Setting in WPA, 2017, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[11] Kenneth G. Paterson, et al. Plaintext Recovery Attacks Against WPA/TKIP, 2014, FSE.

[12] Adi Shamir, et al. Weaknesses in the Key Scheduling Algorithm of RC4, 2001, Selected Areas in Cryptography.

[13] Frank Piessens, et al. Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys, 2016, USENIX Security Symposium.

[14] Santanu Sarkar, et al. Proving empirical key-correlations in RC4, 2014, Inf. Process. Lett.

[15] Masakatu Morii, et al. Full Plaintext Recovery Attacks on RC4 Using Multiple Biases, 2015, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[16] Serge Vaudenay, et al. Passive-Only Key Recovery Attacks on RC4, 2007, Selected Areas in Cryptography.