How TKIP induces biases of internal states of generic RC4

This slide was presented at ACISP 2015.

Ryoma Ito

June 30, 2015

Transcript

  1. How TKIP Induces Biases of Internal States of Generic RC4

    Keywords: RC4, WPA, TKIP, linear correlations

    Ryoma Ito, Atsuko Miyaji
    Japan Advanced Institute of Science and Technology (JAIST)
    Supported by Japan Science and Technology Agency (JST CREST)

    ACISP 2015 @ Brisbane, Australia, June 30, 2015

    R. Ito & A. Miyaji (JAIST) How TKIP Induces Biases of Internal States of Generic RC4 June 30, 2015 1 / 24
  2. Introduction: Background

    RC4 stream cipher and WPA protocol

    - RC4 stream cipher
      - designed by Rivest in 1987
      - consists of two algorithms: KSA and PRGA
    - WPA: Wi-Fi Protected Access
      - one of the security protocols for IEEE 802.11 wireless networks
      - RC4 key generation procedure known as TKIP
    - The first 3 bytes of the RC4 key, $K[0]$, $K[1]$ and $K[2]$, are known (IV-related).
  3. Introduction: Motivations and Contributions

    Our motivation: make clear how TKIP induces biases of $S$

    - Our previously discovered linear correlations (more than 150) in [IM15]
      - unknown internal state: $X_r = a \cdot Z_{r+1} + b \cdot K[0] + c \cdot K[1] + d \cdot K[2] + e$
      - $X_r \in \{S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}\}$, $r \in [0, 256]$, $a, b, c, d \in \{-1, 0, 1\}$, $e \in \{-3, -2, -1, 0, 1, 2, 3\}$
      - Proved only 6 correlations theoretically: $S_0[i_1] = K[0]$, $K[0] - K[1] - 3$ or $K[0] - K[1] - 1$; $S_{255}[i_{256}] = K[0]$ or $K[1]$; $S_r[i_{r+1}] = K[0] + K[1] + 1$.
    - Our target: linear correlations that remain unproven theoretically
      - Theoretical proofs can make clear how TKIP induces biases.
      - Reconstruct a key generation procedure with (known) IV: keep or further enhance the security level of its original encryption.
  4. Introduction: Motivations and Contributions

    Our contributions: prove 10 theorems with significant biases

    | $X_r$ | Linear correlation | RC4 | WPA | Remarks |
    |---|---|---|---|---|
    | $S_0[i_1]$ | $-K[0] - K[1] - 3$ | 0.005336 | 0.008437 | Theorem 1 |
    | $S_0[i_1]$ | $K[0] + K[1] + K[2] + 3$ | 0.001492 | 0.001491 | Theorem 2 |
    | $S_1[i_2]$ | $K[0] + K[1] + K[2] + 3$ | 0.360357 | 0.361718 | Theorem 3 |
    | $S_1[i_2]$ | $-K[0] - K[1] + K[2] - 1$ | 0.005305 | 0.008197 | Theorem 4 |
    | $S_1[i_2]$ | $K[0] - K[1] + K[2] - 3$ | 0.005295 | 0.008163 | Theorem 5 |
    | $S_1[i_2]$ | $K[0] - K[1] + K[2] - 1$ | 0.005290 | 0.008171 | Theorem 5 |
    | $S_1[i_2]$ | $K[0] - K[1] + K[2] + 1$ | 0.005309 | 0.008171 | Theorem 5 |
    | $j_2$ | $K[2]$ | 0.004428 | 0.005571 | Theorem 6 |
    | $j_2$ | $-K[0] - K[1] + K[2] - 2$ | 0.003921 | 0.004574 | Theorem 7 |
    | $j_2$ | $-K[0] - K[1] + K[2]$ | 0.003919 | 0.005573 | Theorem 7 |
    | $j_2$ | $-K[0] - K[1] + K[2] + 2$ | 0.003912 | 0.004545 | Theorem 7 |
    | $j_2$ | $-K[0] + K[1] + K[2]$ | 0.003921 | 0.005501 | Theorem 8 |
    | $j_2$ | $-K[1] + K[2] - 2$ | 0.003911 | 0.005479 | Theorem 9 |
    | $j_2$ | $-K[1] + K[2] + 3$ | 0.003899 | 0.005476 | Theorem 9 |
    | $j_2$ | $K[0] - K[1] + K[2]$ | 0.003918 | 0.005618 | Theorem 10 |

    Note: The probability of random association is $\frac{1}{N}$ (≈ 0.003906).
  5. Outline of the Talk

    1. Preliminary
       - RC4 stream cipher and WPA protocol
    2. Previous Analysis
       - Biases in the initial state $S_0$ [Roo95]
       - Biases induced by TKIP [GMM+14]
       - Our previous work: Biases based on linear equations [IM15]
    3. Our Results
       - Newly proved linear correlations
       - Check the accuracy by experiments
    4. Conclusion
  6. Preliminary: RC4 stream cipher and WPA protocol

    PRGA: Pseudo Random Generation Algorithm

    Algorithm 1 PRGA

        r ← 0, i_0 ← 0, j_0 ← 0
        loop
            r ← r + 1
            i_r ← i_{r−1} + 1
            j_r ← j_{r−1} + S_{r−1}[i_r]
            Swap(S_{r−1}[i_r], S_{r−1}[j_r])
            t_r ← S_r[i_r] + S_r[j_r]
            Output: Z_r ← S_r[t_r]
        end loop

    - $r$, $N$: # of rounds, arrays in $S$ ($N = 256$)
    - $S_r$: $S$ of PRGA in the $r$-th round
    - $i_r$, $j_r$, $t_r$: indices of $S_r$, $Z_r$

    [Figure: state transition diagram of PRGA]
  7. Preliminary: RC4 stream cipher and WPA protocol

    TKIP: Temporal Key Integrity Protocol

    - designed by the IEEE 802.11i task group and Wi-Fi Alliance
    - a 16-byte RC4 key generation procedure
    - avoids the known WEP attacks using (IV-related) K[1] = 255 [FMS01]
    - The first 3 bytes of the RC4 key, K[0], K[1] and K[2], are generated from IV16
      - IV16: the last 16-bit IV

          K[0] = (IV16 >> 8) & 0xFF
          K[1] = [(IV16 >> 8) | 0x20] & 0x7F
          K[2] = IV16 & 0xFF

      - Slide annotation next to these equations: Correlation
  8. Previous Analysis: Biases in the initial state $S_0$

    Roos' biases [Roo95] (proved in [PM07])

    - correlations between the RC4 key $K$ and the initial state $S_0$

      $$\Pr\left(S_0[y] = \frac{y(y+1)}{2} + \sum_{x=0}^{y} K[x]\right) \approx \left(1 - \frac{y}{N}\right) \cdot \left(1 - \frac{1}{N}\right)^{\left[\frac{y(y+1)}{2} + N\right]} + \frac{1}{N}$$

    - Pretty high biases $\gg \frac{1}{N} \approx 0.003906$ (the probability of random association), which induce linear correlations:
      - $\alpha_0 = \Pr(S_0[0] = K[0]) \approx 0.371$
      - $\alpha_1 = \Pr(S_0[1] = K[0] + K[1] + 1) \approx 0.368$
      - $\alpha_2 = \Pr(S_0[2] = K[0] + K[1] + K[2] + 3) \approx 0.365$
      - $\alpha_3 = \cdots$
  9. Previous Analysis: Biases induced by TKIP

    Distribution of $K[0] + K[1]$ in TKIP [GMM+14]

    - $\Pr(K[0] + K[1] = v) = 0 \Leftrightarrow$ $v$ is odd; $v \in [0, 31]$; $v \in [128, 159]$
    - induces biases of the initial state $S_0[1]$
  10. Previous Analysis: Biases induced by TKIP

    Biases of $S_0[1]$ [Man01, GMM+14]

    - In 2001, Mantin showed biases of $S_0$ (generic RC4) [Man01]

      $$\Pr(S_0[1] = v) = \begin{cases} \frac{1}{N}\left(\left(1 - \frac{1}{N}\right)^{v} + \left(1 - \left(1 - \frac{1}{N}\right)^{v}\right)\left(1 - \frac{1}{N}\right)^{N-2}\right) & \text{if } v \le 1, \\ \frac{1}{N}\left(\left(1 - \frac{1}{N}\right)^{N-2} + \left(1 - \frac{1}{N}\right)^{v}\right) & \text{if } v > 1. \end{cases}$$

    - In 2014, Sen Gupta et al. showed biases of $S_0$ (WPA) [GMM+14]

      $$\Pr(S_0[1] = v) = \alpha_1 \cdot \Pr(K[0] + K[1] = v - 1) + (1 - \alpha_1) \cdot \left(1 - \Pr(K[0] + K[1] = v - 1)\right) \cdot \Pr(S_0[1] = v)_{RC4} + \frac{(1 - \alpha_1)}{N - 1} \cdot \sum_{x \ne v} \Pr(K[0] + K[1] = x - 1) \cdot \Pr(S_0[1] = x)_{RC4}.$$

    Note: $\alpha_1 = \Pr(S_0[1] = K[0] + K[1] + 1)$ is Roos' bias.

    The distribution of $K[0] + K[1]$ produced by TKIP induces biases of $S_0[1]$.
  11. Previous Analysis: Our previous work

    Biases based on linear equations [IM15]

    - Our previously discovered linear correlations (more than 150) in [IM15]
      - unknown internal state: $X_r = a \cdot Z_{r+1} + b \cdot K[0] + c \cdot K[1] + d \cdot K[2] + e$
      - $X_r \in \{S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}\}$, $r \in [0, 256]$, $a, b, c, d \in \{-1, 0, 1\}$, $e \in \{-3, -2, -1, 0, 1, 2, 3\}$

    | $X_r$ | Linear correlation | RC4 | WPA |
    |---|---|---|---|
    | $S_0[i_1]$ | $K[0]$ | 0.001445489 | 0 |
    | $S_0[i_1]$ | $K[0] - K[1] - 3$ | 0.005325263 | 0.008182569 |
    | $S_0[i_1]$ | $K[0] - K[1] - 1$ | 0.003898206 | 0.008182569 |
    | $S_{255}[i_{256}]$ | $K[0]$ | 0.138326988 | 0.138326988 |
    | $S_{255}[i_{256}]$ | $K[1]$ | 0.003893102 | 0.037105932 |
    | $S_r[i_{r+1}]$ | $K[0] + K[1] + 1$ | a sawtooth distribution | a sawtooth distribution |

    Note: a sawtooth distribution is induced by the distribution of $K[0] + K[1]$ in TKIP.

    Many correlations remain unproven theoretically.
  12. Our Results: Newly proved linear correlations

    - Our previously discovered linear correlations (more than 150) in [IM15]
      - unknown internal state: $X_r = a \cdot Z_{r+1} + b \cdot K[0] + c \cdot K[1] + d \cdot K[2] + e$
      - $X_r \in \{S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}\}$, $r \in [0, 256]$, $a, b, c, d \in \{-1, 0, 1\}$, $e \in \{-3, -2, -1, 0, 1, 2, 3\}$
  13. Our Results: Newly proved linear correlations

    Theorems 1 and 2: Biases in $S_0[i_1]$

    $S_0[i_1] = -K[0] - K[1] - 3$ occurs with a probability of about $\frac{2}{N}$ in WPA (double the probability of random association).

    Theorem 1

    $$\Pr(S_0[i_1] = -K[0] - K[1] - 3) \approx \begin{cases} \frac{2}{N}\alpha_1 + \frac{1}{N}\left(1 - \frac{2}{N}\right)(1 - \alpha_1) & \text{for RC4,} \\ \frac{4}{N}\alpha_1 + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \alpha_1) & \text{for WPA.} \end{cases}$$

    Note: $\alpha_1 = \Pr(S_0[1] = K[0] + K[1] + 1)$ is Roos' bias.

    $S_0[i_1] = K[0] + K[1] + K[2] + 3$ occurs with a probability of about 0.00148 in both generic RC4 and WPA (less than half of the probability of random association).

    Theorem 2

    $$\Pr(S_0[i_1] = K[0] + K[1] + K[2] + 3) \approx \frac{1}{N}\left(1 - \frac{2}{N}\right)\left(1 - \frac{1}{N}\right)^{N-2} + \frac{1}{N^2}\left(3 - \frac{2}{N}\right)$$
  14. Our Results: Newly proved linear correlations

    Theorem 3: Biases in $S_1[i_2]$

    $S_1[i_2] = K[0] + K[1] + K[2] + 3$ occurs with a probability of about 0.361 in both generic RC4 and WPA (pretty high probability).

    Theorem 3

    $$\Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3) \approx \beta \cdot \Pr(S_0[1] = 2) + \alpha_2 \cdot \left(1 - \Pr(S_0[1] = 2)\right)$$

    Note: $\alpha_2 = \Pr(S_0[2] = K[0] + K[1] + K[2] + 3)$ is Roos' bias, $\beta = \Pr(S_0[1] = K[0] + K[1] + K[2] + 3)$.

    Theorem 3 is induced by Roos' bias, $\alpha_2 = \Pr(S_0[2] = K[0] + K[1] + K[2] + 3) \approx 0.365$.
  15. Our Results: Newly proved linear correlations

    Proof of Theorem 3 - Step 1: Decompose into 2 paths

    $\Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3)$ can be decomposed completely into 2 paths.

    - Path 1: $j_1 = S_0[1] = 2$
    - Path 2: $j_1 = S_0[1] \ne 2$

    Note: $\beta = \Pr(S_0[1] = K[0] + K[1] + K[2] + 3)$, $\alpha_2 = \Pr(S_0[2] = K[0] + K[1] + K[2] + 3)$
  16. Our Results: Newly proved linear correlations

    Proof of Theorem 3 - Step 2: Compute the probability

    - Path 1: $j_1 = S_0[1] = 2$

      $$\Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3 \mid \text{Path 1}) = \beta$$

    - Path 2: $j_1 = S_0[1] \ne 2$

      $$\Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3 \mid \text{Path 2}) = \alpha_2$$

    $$\begin{aligned} \Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3) &= \Pr(S_1[2] = K[0] + K[1] + K[2] + 3 \mid \text{Path 1}) \cdot \Pr(\text{Path 1}) \\ &\quad + \Pr(S_1[2] = K[0] + K[1] + K[2] + 3 \mid \text{Path 2}) \cdot \Pr(\text{Path 2}) \\ &\approx \beta \cdot \Pr(S_0[1] = 2) + \alpha_2 \cdot \left(1 - \Pr(S_0[1] = 2)\right) \end{aligned}$$

    The probability of $S_0[1] = 2$ is taken from the biases of $S_0[1]$ in generic RC4 [Man01] and WPA [GMM+14], respectively.

    Note: $\beta = \Pr(S_0[1] = K[0] + K[1] + K[2] + 3)$, $\alpha_2 = \Pr(S_0[2] = K[0] + K[1] + K[2] + 3)$
  17. Our Results: Newly proved linear correlations

    Theorems 4-5: Biases in $S_1[i_2]$

    4 cases related to $S_1[i_2]$ occur with a probability of about $\frac{2}{N}$ in WPA (double the probability of random association).

    Theorem 4

    $$\Pr(S_1[i_2] = -K[0] - K[1] + K[2] - 1) \approx \begin{cases} \frac{2}{N}\gamma + \frac{1}{N}\left(1 - \frac{2}{N}\right)(1 - \gamma) & \text{for RC4,} \\ \frac{4}{N}\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \gamma) & \text{for WPA.} \end{cases}$$

    Note: $\gamma = \Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3)$ (Theorem 3)

    Theorem 5

    $$\Pr(S_1[i_2] = K[0] - K[1] + K[2] + x) \approx \begin{cases} \frac{2}{N}\gamma + \frac{1}{N}\left(1 - \frac{2}{N}\right)(1 - \gamma) & \text{for RC4,} \\ \frac{4}{N}\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \gamma) & \text{for WPA.} \end{cases}$$

    Note: $x \in \{-3, -1, 1\}$
  18. Our Results: Newly proved linear correlations

    Theorems 6-7: Biases in $j_2$

    8 cases related to $j_2$ in WPA occur with higher probability than those in generic RC4 (influenced by the distribution of $K[0] + K[1]$).

    Theorem 6

    $$\Pr(j_2 = K[2]) \approx \begin{cases} \frac{2}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{2}{N}\right)(1 - \alpha_1\gamma) & \text{for RC4,} \\ \frac{4}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \alpha_1\gamma) & \text{for WPA.} \end{cases}$$

    Note: $\alpha_1 = \Pr(S_0[1] = K[0] + K[1] + 1)$, $\gamma = \Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3)$ (Theorem 3).

    Theorem 7

    $$\Pr(j_2 = -K[0] - K[1] + K[2] + x) \approx \begin{cases} \frac{1}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{1}{N}\right)(1 - \alpha_1\gamma) & \text{for RC4,} \\ \frac{2}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{2}{N}\right)(1 - \alpha_1\gamma) & \text{if } x = -2, 2 \text{ for WPA,} \\ \frac{4}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \alpha_1\gamma) & \text{if } x = 0 \text{ for WPA.} \end{cases}$$

    Note: $x \in \{-2, 0, 2\}$
  19. Our Results: Newly proved linear correlations

    Theorems 8-10: Biases in $j_2$

    Theorem 8

    $$\Pr(j_2 = -K[0] + K[1] + K[2]) \approx \begin{cases} \frac{1}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{1}{N}\right)(1 - \alpha_1\gamma) & \text{for RC4,} \\ \frac{4}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \alpha_1\gamma) & \text{for WPA.} \end{cases}$$

    Note: $\alpha_1 = \Pr(S_0[1] = K[0] + K[1] + 1)$, $\gamma = \Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3)$ (Theorem 3).

    Theorem 9

    $$\Pr(j_2 = -K[1] + K[2] + x) \approx \begin{cases} \frac{1}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{1}{N}\right)(1 - \alpha_1\gamma) & \text{for RC4,} \\ \frac{4}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \alpha_1\gamma) & \text{for WPA.} \end{cases}$$

    Note: $x \in \{-2, 3\}$

    Theorem 10

    $$\Pr(j_2 = K[0] - K[1] + K[2]) \approx \begin{cases} \frac{1}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{1}{N}\right)(1 - \alpha_1\gamma) & \text{for RC4,} \\ \frac{4}{N}\alpha_1\gamma + \frac{1}{N}\left(1 - \frac{4}{N}\right)(1 - \alpha_1\gamma) & \text{for WPA.} \end{cases}$$
  20. Our Results: Check the accuracy by experiments: Theorems 1-7

    $$\text{percentage of relative error} = \frac{|\text{experimental value} - \text{theoretical value}|}{\text{experimental value}} \times 100\,(\%)$$

    | Results | Linear correlation | (%) of RC4 | (%) of WPA |
    |---|---|---|---|
    | Theorem 1 | $S_0[i_1] = -K[0] - K[1] - 3$ | 0.151 | 2.685 |
    | Theorem 2 | $S_0[i_1] = K[0] + K[1] + K[2] + 3$ | 0.730 | 0.754 |
    | Theorem 3 | $S_1[i_2] = K[0] + K[1] + K[2] + 3$ | 0.459 | 0.268 |
    | Theorem 4 | $S_1[i_2] = -K[0] - K[1] + K[2] - 1$ | 0.052 | 0.720 |
    | Theorem 5 | $S_1[i_2] = K[0] - K[1] + K[2] - 3$ | 0.147 | 0.309 |
    | Theorem 5 | $S_1[i_2] = K[0] - K[1] + K[2] - 1$ | 0.260 | 0.386 |
    | Theorem 5 | $S_1[i_2] = K[0] - K[1] + K[2] + 1$ | 0.126 | 0.425 |
    | Theorem 6 | $j_2 = K[2]$ | 0.658 | 2.571 |
    | Theorem 7 | $j_2 = -K[0] - K[1] + K[2] - 2$ | 0.708 | 3.762 |
    | Theorem 7 | $j_2 = -K[0] - K[1] + K[2]$ | 0.672 | 2.601 |
    | Theorem 7 | $j_2 = -K[0] - K[1] + K[2] + 2$ | 0.458 | 3.138 |
  21. Our Results: Check the accuracy by experiments: Theorems 8-10

    $$\text{percentage of relative error} = \frac{|\text{experimental value} - \text{theoretical value}|}{\text{experimental value}} \times 100\,(\%)$$

    | Results | Linear correlation | (%) of RC4 | (%) of WPA |
    |---|---|---|---|
    | Theorem 8 | $j_2 = -K[0] + K[1] + K[2]$ | 0.698 | 1.332 |
    | Theorem 9 | $j_2 = -K[1] + K[2] - 2$ | 0.435 | 0.929 |
    | Theorem 9 | $j_2 = -K[1] + K[2] + 3$ | 0.126 | 0.930 |
    | Theorem 10 | $j_2 = K[0] - K[1] + K[2]$ | 0.635 | 3.377 |

    - generic RC4: Theoretical values closely reflect the experimental values.
    - WPA: Theoretical values in $S_0[i_1]$ and $j_2$ produce slightly big .
  22. Conclusion: Summary of this work

    - Linear correlations including unknown internal states
      - unknown internal state: $X_r = a \cdot Z_{r+1} + b \cdot K[0] + c \cdot K[1] + d \cdot K[2] + e$
      - $X_r \in \{S_r[i_{r+1}], S_r[j_{r+1}], j_{r+1}, t_{r+1}\}$, $r \in [0, 256]$, $a, b, c, d \in \{-1, 0, 1\}$, $e \in \{-3, -2, -1, 0, 1, 2, 3\}$
    - Our contributions: proved 15 significant biases theoretically
      - pretty high bias: $\Pr(S_1[i_2] = K[0] + K[1] + K[2] + 3)$
      - double the probability of random association: 5 cases related to $S_0[i_1]$, $S_1[i_2]$
    - Open problems
      - apply linear correlations to the state recovery attacks
      - reconstruct a key generation procedure with (known) IV
  23. References I

    - [FMS01] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography - SAC 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer Berlin Heidelberg, 2001.
    - [GMM+14] Sourav Sen Gupta, Subhamoy Maitra, Willi Meier, Goutam Paul, and Santanu Sarkar. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In Fast Software Encryption - FSE 2014. To appear, 2014.
    - [IM15] Ryoma Ito and Atsuko Miyaji. New Linear Correlations related to State Information of RC4 PRGA using IV in WPA. In Fast Software Encryption - FSE 2015. To appear, 2015.
    - [Man01] Itsik Mantin. Analysis of the Stream Cipher RC4. Master's thesis, The Weizmann Institute of Science, Israel, 2001. http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html.
    - [PM07] Goutam Paul and Subhamoy Maitra. Permutation After RC4 Key Scheduling Reveals the Secret Key. In Carlisle Adams, Ali Miri, and Michael Wiener, editors, Selected Areas in Cryptography - SAC 2007, volume 4876 of Lecture Notes in Computer Science, pages 360–377. Springer Berlin Heidelberg, 2007.
    - [Roo95] Andrew Roos. A class of weak keys in the RC4 stream cipher. Posts in sci.crypt, http://marcel.wanda.ch/Archive/WeakKeys, 1995.
  24. Thank you for your kind attention!

    ProvSec 2015 will be held in Kanazawa, Japan. Kanazawa is home to Kenrokuen, one of Japan's three most beautiful gardens, and to Kanazawa Castle.

    The latest news! The submission deadline has been further extended to July 4, 2015 23:59 (JST).
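
The TKIP key-byte derivation (slide 7), the zero set of the $K[0] + K[1]$ distribution (slide 9), Roos' biases (slide 8) and the event of Theorem 3 (slide 14) can all be checked numerically. The Python below is an added example, not code from the talk or its authors; the function names, the 16 random bytes used as test keys, the trial count and the seed are assumptions made for the illustration.

```python
import random

N = 256  # RC4 state size

def tkip_iv_bytes(iv16):
    """K[0], K[1], K[2] from the 16-bit IV, as on the TKIP slide."""
    hi = (iv16 >> 8) & 0xFF
    return hi, (hi | 0x20) & 0x7F, iv16 & 0xFF

def k0_plus_k1_counts():
    """Exact count of each K[0]+K[1] mod N over all 2^16 values of IV16."""
    counts = [0] * N
    for iv16 in range(1 << 16):
        k0, k1, _ = tkip_iv_bytes(iv16)
        counts[(k0 + k1) % N] += 1
    return counts

def ksa(key):
    """RC4 key scheduling; returns the initial state S0."""
    s, j = list(range(N)), 0
    for i in range(N):
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]
    return s

def roos_formula(y):
    """Roos' approximation of Pr(S0[y] = y(y+1)/2 + K[0] + ... + K[y])."""
    return (1 - y / N) * (1 - 1 / N) ** (y * (y + 1) // 2 + N) + 1 / N

def estimate(trials=8000, wpa=False, seed=2015):
    """Monte Carlo estimates of alpha_0..alpha_2 and of Theorem 3's event."""
    rng = random.Random(seed)
    roos, thm3 = [0, 0, 0], 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(16)]   # constructed test key
        if wpa:                                        # IV-derived K[0..2]
            key[:3] = tkip_iv_bytes(rng.randrange(1 << 16))
        s = ksa(key)
        for y in range(3):
            roos[y] += s[y] == (y * (y + 1) // 2 + sum(key[:y + 1])) % N
        j1 = s[1]                   # PRGA round 1: i1 = 1, j1 = S0[1]
        s[1], s[j1] = s[j1], s[1]   # s now holds S1
        thm3 += s[2] == (sum(key[:3]) + 3) % N   # S1[i2] with i2 = 2
    return [c / trials for c in roos], thm3 / trials

if __name__ == "__main__":
    print("zero-probability sums:", sum(c == 0 for c in k0_plus_k1_counts()))
    for wpa in (False, True):
        print("WPA" if wpa else "RC4", estimate(wpa=wpa))
```

The enumeration is exact, so the zero set can be compared directly with the slide's condition; the Monte Carlo figures only approximate the talk's values, which come from far larger experiments.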