
New Iterated RC4 Key Correlations

This slide was presented at ACISP 2018.

Ryoma Ito

July 12, 2018

Transcript

  1. New Iterated RC4 Key Correlations

    Keywords: RC4, WPA-TKIP, Bias, Key Correlations, Plaintext Recovery
    Ryoma Ito, Atsuko Miyaji (Osaka University, Japan)
    ACISP 2018 @ Wollongong, Australia, July 12, 2018
    R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 1 / 27
  4. Introduction, Background: RC4 Stream Cipher and WPA Protocol

    RC4 stream cipher
    ▶ designed by Rivest in 1987
    ▶ widely used in SSL/TLS, WEP, WPA-TKIP
    ▶ consists of two algorithms: KSA and PRGA

    WPA: Wi-Fi Protected Access
    ▶ one of the security protocols for IEEE 802.11 wireless networks
    ▶ 16-byte RC4 key setting known as TKIP
    ▶ The first 3 bytes of the RC4 key, {K[0], K[1], K[2]}, are known (IV-related).
  7. Introduction, Motivations and Contributions: 1st Motivation: Key Correlations of the Keystream

    Key correlations of the keystream [?]: correlations between the RC4 key K and the keystream Z (key size: $\ell = 16$)

    $$(a_0 \cdot K[0] + \cdots + a_{\ell-1} \cdot K[\ell-1] + a_\ell \cdot Z_1 + \cdots + a_{2\ell-1} \cdot Z_\ell) = b$$

    $a_i \in \{-1, 0, 1\}$ $(0 \le i \le 2\ell - 1)$, $b \in \mathbb{Z}/N\mathbb{Z}$

    Table 1: Experimentally observed key correlations of the keystream [?]

    | Key correlations | Probability |
    | --- | --- |
    | $Z_1 = K[0] - K[1] - 1$ | $1.04969/N$ |
    | $Z_3 = K[0] - K[3] - 3$ | $1.04620/N$ |
    | ... | ... |
    | $Z_4 = K[0] - K[4] - 4$ | $1.04463/N$ |

    ▶ Their investigations are limited to the first 5 rounds
    ▶ There might exist correlations between $(K[0], K[r \bmod \ell])$ pairs and $Z_r$
  9. Introduction, Motivations and Contributions: 1st Contribution: Iterated RC4 Key Correlations

    New Iterated RC4 Key Correlations

    $$Z_r = K[0] - K[r \bmod \ell] - r$$

    $(K[0], K[r \bmod \ell])$ pairs are iterated every $\ell$ rounds (key size: $\ell = 16$)

    Figure 1: Experimental observations in WPA-TKIP
  11. Introduction, Motivations and Contributions: 2nd Motivation: Plaintext Recovery on WPA-TKIP

    Motivation: plaintext recovery on WPA-TKIP [IOWM13, GMM+14, PPS14]

    Key correlations of the keystream with the known value {K[0], K[1], K[2]}

    $$Z_r = a \cdot K[0] + b \cdot K[1] + c \cdot K[2] + d$$

    $r \in [1, 257]$, $a, b, c \in \{-1, 0, 1\}$, $d \in \{-3, -2, -1, 0, 1, 2, 3\}$

    Table 2: Significant improvements in recovering 4 bytes of a plaintext $\{P_1, P_3, P_{256}, P_{257}\}$ on WPA-TKIP from [IOWM13]

    | Targets | [GMM+14] Key correlations | [GMM+14] # of C | [IOWM13] Biased events | [IOWM13] # of C |
    | --- | --- | --- | --- | --- |
    | $P_1$ | $Z_1 = -K[0] - K[1]$ | $2^{10.896}$ | $Z_1 = 0 \mid Z_2 = 0$ | $2^{18.072}$ |
    | $P_3$ | $Z_3 = K[0] + K[1] + K[2] + 3$ | $2^{13.939}$ | $Z_3 = 131$ | $2^{24.218}$ |
    | $P_{256}$ | $Z_{256} = -K[0]$ | $2^{13.803}$ | $Z_{256} = 0$ | $2^{26.814}$ |
    | $P_{257}$ | $Z_{257} = -K[0] - K[1]$ | $2^{16.758}$ | $Z_{257} = 0$ | $2^{27.062}$ |
  12. Introduction, Motivations and Contributions: 2nd Contribution: Further Improvements for Plaintext Recovery

    Motivation: plaintext recovery on WPA-TKIP [IOWM13, GMM+14]

    New Iterated RC4 Key Correlations with the known value {K[0], K[1], K[2]}

    $$Z_r = K[0] - K[r \bmod \ell] - r$$

    Table 3: Significant improvements in recovering 8 bytes of a plaintext $\{P_{17}, P_{18}, P_{33}, P_{34}, P_{49}, P_{50}, P_{66}, P_{82}\}$ on WPA-TKIP from [IOWM13]

    | Targets | [Ours] Key correlations | [Ours] # of C | [IOWM13] Biased events | [IOWM13] # of C |
    | --- | --- | --- | --- | --- |
    | $P_{17}$ | $Z_{17} = K[0] - K[1] - 17$ | $2^{17.727}$ | $Z_{17} = 17$ | $2^{23.178}$ |
    | $P_{18}$ | $Z_{18} = K[0] - K[2] - 18$ | $2^{17.800}$ | $Z_{18} = 18$ | $2^{23.210}$ |
    | $P_{33}$ | $Z_{33} = K[0] - K[1] - 33$ | $2^{18.955}$ | $Z_{33} = 0$ | $2^{23.770}$ |
    | $P_{34}$ | $Z_{34} = K[0] - K[2] - 34$ | $2^{19.035}$ | $Z_{34} = 0$ | $2^{23.791}$ |
    | $P_{49}$ | $Z_{49} = K[0] - K[1] - 49$ | $2^{20.297}$ | $Z_{49} = 0$ | $2^{24.114}$ |
    | $P_{50}$ | $Z_{50} = K[0] - K[2] - 50$ | $2^{20.386}$ | $Z_{50} = 0$ | $2^{24.135}$ |
    | $P_{66}$ | $Z_{66} = K[0] - K[2] - 66$ | $2^{21.869}$ | $Z_{66} = 0$ | $2^{24.479}$ |
    | $P_{82}$ | $Z_{82} = K[0] - K[2] - 82$ | $2^{23.505}$ | $Z_{82} = 0$ | $2^{24.820}$ |
  13. Preliminaries: Outline of My Talk

    1 Preliminaries
      RC4 algorithms and WPA-TKIP protocol
    2 New Iterated RC4 Key Correlations
      Observations, Proofs, Experiments
    3 Improvements for Plaintext Recovery on WPA-TKIP
      Known Attacks, Our Result
    4 Conclusion
  14. Preliminaries, RC4 algorithms and WPA-TKIP protocol: RC4 algorithms: KSA and PRGA

    Algorithm 1: KSA
        for i = 0 to N − 1 do
            S^K_0[i] ← i
        end for
        j^K_0 ← 0
        for i = 0 to N − 1 do
            j^K_{i+1} ← j^K_i + S^K_i[i] + K[i mod ℓ]
            Swap(S^K_i[i], S^K_i[j^K_{i+1}])
        end for

    Algorithm 2: PRGA
        r ← 0, i_0 ← 0, j_0 ← 0
        loop
            r ← r + 1
            i_r ← i_{r−1} + 1
            j_r ← j_{r−1} + S_{r−1}[i_r]
            Swap(S_{r−1}[i_r], S_{r−1}[j_r])
            Output: Z_r ← S_r[S_r[i_r] + S_r[j_r]]
        end loop
  16. Preliminaries, RC4 algorithms and WPA-TKIP protocol: TKIP: Temporal Key Integrity Protocol

    ▶ designed by the IEEE 802.11i task group and Wi-Fi Alliance
    ▶ a 16-byte RC4 key setting
    ▶ avoids the known WEP attacks that use (IV-related) K[1] = 255 [FMS01]

    The first 3 bytes of the RC4 key, K[0], K[1] and K[2], are generated from IV16
    ▶ IV16: the last 16 bits of the IV

        K[0] = (IV16 ≫ 8) & 0xFF
        K[1] = [(IV16 ≫ 8) | 0x20] & 0x7F
        K[2] = IV16 & 0xFF
  20. New Iterated RC4 Key Correlations, Observations: Observations: $Z_r = K[0] - K[r \bmod \ell] - r$

    Key correlations of the keystream [?]

    $$(a_0 \cdot K[0] + \cdots + a_{\ell-1} \cdot K[\ell-1] + a_\ell \cdot Z_1 + \cdots + a_{2\ell-1} \cdot Z_\ell) = b$$

    $a_i \in \{-1, 0, 1\}$ $(0 \le i \le 2\ell - 1)$, $b \in \mathbb{Z}/N\mathbb{Z}$

    Table 4: Previous works on key correlations of the keystream

    | Key correlations | Reference |
    | --- | --- |
    | $Z_1 = K[0] - K[1] - 1$ | [Sar14] |
    | $Z_3 = K[0] - K[3] - 3$ | [Sar14] |
    | $Z_4 = K[0] - K[4] - 4$ | [Sar14] |
    | $Z_{x \cdot \ell} = K[0] - K[x \cdot \ell \bmod \ell] - x \cdot \ell = -x \cdot \ell$ | [IOWM13] |

    Motivation: Are there correlations between $(K[0], K[r \bmod \ell])$ pairs and $Z_r$?

    Our Observations: For any arbitrary secret key K, the following key correlations of the keystream $Z_r$ in generic RC4 and WPA-TKIP induce biases:

    $$Z_r = K[0] - K[r \bmod \ell] - r.$$
  21. New Iterated RC4 Key Correlations, Proofs: Theorem 7: $\Pr(Z_r = K[0] - K[r \bmod \ell] - r)$

    Theorem 7. For any arbitrary secret key K and round r except when $r = 1, 2, x \cdot \ell$ $(x = 1, 2, \ldots, 7)$, key correlations of the keystream $Z_r$ in both generic RC4 and WPA-TKIP are given by

    $$\Pr(Z_r = K[0] - K[r \bmod \ell] - r) \approx \alpha_r + \frac{1}{N}(1 - \alpha_r),$$

    where $\alpha_r$, $\beta_r$, $\gamma_r$ and $\delta_r$ are given by

    $$\alpha_r \approx \left(\beta_r + \frac{1}{N(N-1)}(1 - \beta_r)\right) \cdot \gamma_r \cdot \left(\delta_r + \frac{1}{N}(1 - \delta_r)\right),$$

    βr ≈ 1 N · N−r−1 N · r x=3 (N − x − 1)/ r−3 x=0 (N − x),
    γr ≈ 1 − 1 N N−r−1 · 1 N · N−1 x=r+1 1 − 1 N x · 1 − 1 N x−r−1 · 1 − 2 N N−x−1 ,
    δr ≈ 1 − r v=2 ζ1,v − N−1 x=r+1 ζ1,x N−r−2 · N−r+1 N−1 .
  25. New Iterated RC4 Key Correlations, Proofs: Proof sketch of Theorem 7

    3 phases to prove the major path for the target event:

    1st Phase: From the initial to the (r + 1)-th round of the KSA
    ▶ Assuming that r + 1 events $\{j^K_1, \ldots, j^K_{r+1}\}$ hold simultaneously
    ▶ Compute $\Pr(S^K_{r+1}[r-1] = K[0] - K[r \bmod \ell] - r \wedge S^K_{r+1}[r] = 0)$

    2nd Phase: From the (r + 2)-th round to the end of the KSA
    ▶ Assuming that 5 events hold simultaneously
    ▶ Compute $\Pr(S_0[r-1] = x \wedge S_0[r] = 0 \wedge S_0[x] = K[0] - K[r \bmod \ell] - r)$

    3rd Phase: From the initial to the r-th round of the PRGA
    ▶ Assuming that r − 1 events $\{j_1, \ldots, j_{r-1}\}$ hold simultaneously
    ▶ Compute $\Pr(Z_r = K[0] - K[r \bmod \ell] - r)$

    $$\alpha_r \approx \underbrace{\left(\beta_r + \frac{1}{N(N-1)}(1 - \beta_r)\right)}_{\text{1st Phase}} \cdot \underbrace{\gamma_r}_{\text{2nd Phase}} \cdot \underbrace{\left(\delta_r + \frac{1}{N}(1 - \delta_r)\right)}_{\text{3rd Phase}}$$
  26. New Iterated RC4 Key Correlations, Proofs: Proof of Theorem 7 when r = 3: 1st Phase

    1st Phase: From the initial to the (r + 1)-th round of the KSA
    ▶ Assuming that r + 1 events $\{j^K_1, \ldots, j^K_{r+1}\}$ hold simultaneously
    ▶ Compute $\Pr(S^K_{r+1}[r-1] = K[0] - K[r \bmod \ell] - r \wedge S^K_{r+1}[r] = 0)$

    $$\Pr(S^K_{r+1}[r-1] = K[0] - K[r \bmod \ell] - r \wedge S^K_{r+1}[r] = 0) \approx \beta_r + \frac{1}{N(N-1)}(1 - \beta_r)$$
  27. New Iterated RC4 Key Correlations, Proofs: Proof of Theorem 7 when r = 3: 2nd Phase

    2nd Phase: From the (r + 2)-th round to the end of the KSA
    ▶ Assuming that 5 events hold simultaneously
    ▶ Compute $\Pr(S_0[r-1] = x \wedge S_0[r] = 0 \wedge S_0[x] = K[0] - K[r \bmod \ell] - r)$

    $$\Pr(S_0[r-1] = x \wedge S_0[r] = 0 \wedge S_0[x] = K[0] - K[r \bmod \ell] - r) \approx \gamma_r$$
  28. New Iterated RC4 Key Correlations, Proofs: Proof of Theorem 7 when r = 3: 3rd Phase

    3rd Phase: From the initial to the r-th round of the PRGA
    ▶ Assuming that r − 1 events $\{j_1, \ldots, j_{r-1}\}$ hold simultaneously
    ▶ Compute $\Pr(Z_r = K[0] - K[r \bmod \ell] - r)$

    $$\Pr(Z_r = K[0] - K[r \bmod \ell] - r) \approx \delta_r + \frac{1}{N}(1 - \delta_r)$$
  29. New Iterated RC4 Key Correlations, Proofs: Proof of Theorem 7: Summary

    ▶ the probability in the major path:

    $$\alpha_r \approx \underbrace{\left(\beta_r + \frac{1}{N(N-1)}(1 - \beta_r)\right)}_{\text{Phase 1}} \cdot \underbrace{\gamma_r}_{\text{Phase 2}} \cdot \underbrace{\left(\delta_r + \frac{1}{N}(1 - \delta_r)\right)}_{\text{Phase 3}}$$

    ▶ the probability that any phase does not hold: $\frac{1}{N}(1 - \alpha_r)$

    $$\Pr(Z_r = K[0] - K[r] - r) \approx \alpha_r + \frac{1}{N}(1 - \alpha_r). \quad \text{(Q.E.D)}$$
  30. New Iterated RC4 Key Correlations, Proofs: Theorems 9 and 10

    Theorem 9. For any arbitrary secret key K, a key correlation of the keystream $Z_1$ in WPA-TKIP is given by

    $$\Pr(Z_1 = K[0] - K[1] - 1) \approx \frac{1}{N}(1 - \alpha_1),$$

    where
    α1 ≈ 1 N2 · (1 − 2 N ) · (1 − 1 N )N−2 · N−1 x=2 (1 − 1 N )x · (1 − 1 N )x−2 · (1 − 2 N )N−x−1.

    Theorem 10. For any arbitrary secret key K, a key correlation of the keystream $Z_2$ in both generic RC4 and WPA-TKIP is given by

    $$\Pr(Z_2 = K[0] - K[2] - 2) \approx \frac{1}{N}.$$
  31. New Iterated RC4 Key Correlations, Experiments: Experiments: Check the Accuracy of Theorems 7, 9 and 10

    Percentage of relative error $\epsilon$:

    $$\epsilon = \frac{|\text{experimental value} - \text{theoretical value}|}{\text{experimental value}} \times 100\ (\%)$$
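
An added example, not taken from the slides or the paper: a small C harness that implements Algorithms 1 and 2 and the IV16 rule for K[0], K[1], K[2] from the slides, then estimates how often the event Z_r = K[0] − K[r mod ℓ] − r occurs over many keys. The function names, the xorshift64* generator and the choice to draw K[3..15] uniformly at random (instead of running TKIP's key mixing) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N 256      /* RC4 state size */
#define KEYLEN 16  /* key size l = 16, as on the slides */

/* KSA (Algorithm 1): derive the initial PRGA state S_0 from the key K. */
static void rc4_ksa(const uint8_t *K, size_t l, uint8_t S[N]) {
    uint8_t j = 0;
    for (int i = 0; i < N; i++) S[i] = (uint8_t)i;
    for (int i = 0; i < N; i++) {
        j = (uint8_t)(j + S[i] + K[i % l]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
}

/* PRGA (Algorithm 2): return the r-th keystream byte Z_r (r >= 1). */
static uint8_t rc4_byte(const uint8_t *K, size_t l, unsigned r) {
    uint8_t S[N], i = 0, j = 0, z = 0;
    rc4_ksa(K, l, S);
    for (unsigned n = 0; n < r; n++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        z = S[(uint8_t)(S[i] + S[j])];
    }
    return z;
}

/* TKIP: K[0], K[1], K[2] as functions of IV16, as given on the slides. */
static uint8_t tkip_key_byte(uint16_t iv16, int idx) {
    if (idx == 0) return (uint8_t)((iv16 >> 8) & 0xFF);
    if (idx == 1) return (uint8_t)(((iv16 >> 8) | 0x20) & 0x7F);
    return (uint8_t)(iv16 & 0xFF);
}

/* xorshift64*: deterministic generator for the simulation, not a CSPRNG. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void) {
    rng_state ^= rng_state >> 12;
    rng_state ^= rng_state << 25;
    rng_state ^= rng_state >> 27;
    return rng_state * 0x2545F4914F6CDD1DULL;
}

/* Count keys, out of `trials`, with Z_r = K[0] - K[r mod l] - r (mod N).
 * tkip != 0 overwrites K[0..2] with the IV16 structure (assumed model). */
static unsigned long count_correlation(unsigned r, unsigned long trials, int tkip) {
    unsigned long hits = 0;
    uint8_t K[KEYLEN];
    for (unsigned long t = 0; t < trials; t++) {
        for (int b = 0; b < KEYLEN; b += 8) {
            uint64_t x = rng_next();
            for (int k = 0; k < 8; k++) K[b + k] = (uint8_t)(x >> (8 * k));
        }
        if (tkip) {
            uint16_t iv16 = (uint16_t)(rng_next() >> 48);
            for (int k = 0; k < 3; k++) K[k] = tkip_key_byte(iv16, k);
        }
        if (rc4_byte(K, KEYLEN, r) == (uint8_t)(K[0] - K[r % KEYLEN] - r)) hits++;
    }
    return hits;
}

int main(void) {
    const unsigned rounds[] = {3, 17, 18, 33, 34};
    const unsigned long trials = 1UL << 22;  /* raise for tighter estimates */
    for (size_t k = 0; k < sizeof rounds / sizeof rounds[0]; k++) {
        double g = (double)count_correlation(rounds[k], trials, 0) * N / trials;
        double w = (double)count_correlation(rounds[k], trials, 1) * N / trials;
        printf("r=%3u  generic: %.4f/N  TKIP-style: %.4f/N\n", rounds[k], g, w);
    }
    return 0;
}
```

The printed figures are empirical frequencies scaled by N, so a value of 1.0000/N corresponds to no bias; they are the "experimental value" that enters the relative error ϵ defined on the Experiments slide.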
  34. Improvements for Plaintext Recovery on WPA-TKIP, Known Attacks: Known Attack in the Broadcast Setting [IOWM13]

    Broadcast Setting
    ▶ Ciphertexts C are generated from the same plaintext P using multiple keys

    Plaintext Recovery Algorithm in the Broadcast Setting [IOWM13]
    1st Step. Obtain n ciphertexts C in the broadcast setting
    2nd Step. Exploit the most/least frequent value in the distribution of $C_r$
    3rd Step. Recover $P_r = C_r \oplus Z_r$, where $Z_r$ is the value of the keystream byte from a set of the strongest biases
  35. Improvements for Plaintext Recovery on WPA-TKIP, Known Attacks: A Set of the Strongest Biases [IOWM13]

    | Round | Events of $Z_r$ | Theoretical Value |
    | --- | --- | --- |
    | 1 | $Z_1 = 0 \mid Z_2 = 0$ | $2^{-8} \cdot (1 + 2^{-1.009})$ |
    | 2 | $Z_2 = 0$ | $2^{-8} \cdot (1 + 2^{0})$ |
    | 3 | $Z_3 = 131$ | $2^{-8} \cdot (1 + 2^{-8.089})$ |
    | 4 | $Z_4 = 0$ | $2^{-8} \cdot (1 + 2^{-7.581})$ |
    | 5-15 | $Z_r = r$ | max: $2^{-8} \cdot (1 + 2^{-7.627})$, min: $2^{-8} \cdot (1 + 2^{-7.737})$ |
    | 16 | $Z_{16} = 240$ | $2^{-8} \cdot (1 + 2^{-4.671})$ |
    | 17-31 | $Z_r = r$ | max: $2^{-8} \cdot (1 + 2^{-7.759})$, min: $2^{-8} \cdot (1 + 2^{-7.912})$ |
    | 32 | $Z_{32} = 224$ | $2^{-8} \cdot (1 + 2^{-5.176})$ |
    | 33-47 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-7.897})$, min: $2^{-8} \cdot (1 + 2^{-8.050})$ |
    | 48 | $Z_{48} = 208$ | $2^{-8} \cdot (1 + 2^{-5.651})$ |
    | 49-63 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.072})$, min: $2^{-8} \cdot (1 + 2^{-8.224})$ |
    | 64 | $Z_{64} = 192$ | $2^{-8} \cdot (1 + 2^{-6.085})$ |
    | 65-79 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.246})$, min: $2^{-8} \cdot (1 + 2^{-8.398})$ |
    | 80 | $Z_{80} = 176$ | $2^{-8} \cdot (1 + 2^{-6.574})$ |
    | 81-95 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.420})$, min: $2^{-8} \cdot (1 + 2^{-8.571})$ |
    | 96 | $Z_{96} = 160$ | $2^{-8} \cdot (1 + 2^{-6.970})$ |
    | 97-111 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.592})$, min: $2^{-8} \cdot (1 + 2^{-8.741})$ |
    | 112 | $Z_{112} = 144$ | $2^{-8} \cdot (1 + 2^{-7.300})$ |
    | 113-255 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.763})$, min: $2^{-8} \cdot (1 + 2^{-10.052})$ |
    | 256 | $Z_{256} = 0$ | $2^{-8} \cdot (1 - 2^{-9.474})$ |
    | 257 | $Z_{257} = 0$ | $2^{-8} \cdot (1 + 2^{-9.474})$ |
  38. Improvements for Plaintext Recovery on WPA-TKIP, Known Attacks: Previous Improvements on WPA-TKIP [GMM+14]

    Existing attack [IOWM13] uses the constant values of the keystream biases.

    Motivation: Application to plaintext recovery on WPA-TKIP

    Key correlations of the keystream with the known value {K[0], K[1], K[2]}

    $$Z_r = a \cdot K[0] + b \cdot K[1] + c \cdot K[2] + d$$

    $r \in [1, 257]$, $a, b, c \in \{-1, 0, 1\}$, $d \in \{-3, -2, -1, 0, 1, 2, 3\}$

    Table 5: Significant improvements in recovering 4 bytes of a plaintext $\{P_1, P_3, P_{256}, P_{257}\}$ on WPA-TKIP from [IOWM13]

    | Targets | [GMM+14] Key correlations | [GMM+14] # of C | [IOWM13] Biased events | [IOWM13] # of C |
    | --- | --- | --- | --- | --- |
    | $P_1$ | $Z_1 = -K[0] - K[1]$ | $2^{10.896}$ | $Z_1 = 0 \mid Z_2 = 0$ | $2^{18.072}$ |
    | $P_3$ | $Z_3 = K[0] + K[1] + K[2] + 3$ | $2^{13.939}$ | $Z_3 = 131$ | $2^{24.218}$ |
    | $P_{256}$ | $Z_{256} = -K[0]$ | $2^{13.803}$ | $Z_{256} = 0$ | $2^{26.814}$ |
    | $P_{257}$ | $Z_{257} = -K[0] - K[1]$ | $2^{16.758}$ | $Z_{257} = 0$ | $2^{27.062}$ |
  40. Improvements for Plaintext Recovery on WPA-TKIP, Our Result: Further Improvements on WPA-TKIP

    Further improvements on WPA-TKIP using (K[0], K[1]) and (K[0], K[2]) pairs

    New Iterated RC4 Key Correlations with the known value {K[0], K[1], K[2]}

    $$Z_r = K[0] - K[r \bmod \ell] - r$$

    Table 6: Significant improvements in recovering 8 bytes of a plaintext $\{P_{17}, P_{18}, P_{33}, P_{34}, P_{49}, P_{50}, P_{66}, P_{82}\}$ on WPA-TKIP from [IOWM13]

    | Targets | [Ours] Key correlations | [Ours] # of C | [IOWM13] Biased events | [IOWM13] # of C |
    | --- | --- | --- | --- | --- |
    | $P_{17}$ | $Z_{17} = K[0] - K[1] - 17$ | $2^{17.727}$ | $Z_{17} = 17$ | $2^{23.178}$ |
    | $P_{18}$ | $Z_{18} = K[0] - K[2] - 18$ | $2^{17.800}$ | $Z_{18} = 18$ | $2^{23.210}$ |
    | $P_{33}$ | $Z_{33} = K[0] - K[1] - 33$ | $2^{18.955}$ | $Z_{33} = 0$ | $2^{23.770}$ |
    | $P_{34}$ | $Z_{34} = K[0] - K[2] - 34$ | $2^{19.035}$ | $Z_{34} = 0$ | $2^{23.791}$ |
    | $P_{49}$ | $Z_{49} = K[0] - K[1] - 49$ | $2^{20.297}$ | $Z_{49} = 0$ | $2^{24.114}$ |
    | $P_{50}$ | $Z_{50} = K[0] - K[2] - 50$ | $2^{20.386}$ | $Z_{50} = 0$ | $2^{24.135}$ |
    | $P_{66}$ | $Z_{66} = K[0] - K[2] - 66$ | $2^{21.869}$ | $Z_{66} = 0$ | $2^{24.479}$ |
    | $P_{82}$ | $Z_{82} = K[0] - K[2] - 82$ | $2^{23.505}$ | $Z_{82} = 0$ | $2^{24.820}$ |
  43. Conclusion: Summary of My Talk

    New Iterated RC4 Key Correlations

    $$Z_r = K[0] - K[r \bmod \ell] - r$$

    $(K[0], K[r \bmod \ell])$ pairs are iterated every $\ell$ rounds (key size: $\ell = 16$)

    Application to plaintext recovery on WPA-TKIP
    ▶ Significant improvements in recovering 8 bytes of a plaintext $\{P_{17}, P_{18}, P_{33}, P_{34}, P_{49}, P_{50}, P_{66}, P_{82}\}$ on WPA-TKIP from [IOWM13]

    Open problems
    ▶ Further improvements for full plaintext recovery on WPA-TKIP
    ▶ Application to key recovery attack
    ▶ Proposal of secure IV setting for WPA-TKIP
  44. References I

    [FMS01] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography - SAC 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer Berlin Heidelberg, 2001.

    [GMM+14] Sourav Sen Gupta, Subhamoy Maitra, Willi Meier, Goutam Paul, and Santanu Sarkar. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 350–369. Springer Berlin Heidelberg, 2014.

    [IOWM13] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full Plaintext Recovery Attack on Broadcast RC4. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2013.

    [PPS14] Kenneth G. Paterson, Bertram Poettering, and Jacob C.N. Schuldt. Plaintext Recovery Attacks Against WPA/TKIP. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 325–349. Springer Berlin Heidelberg, 2014.

    [Sar14] Santanu Sarkar. Proving Empirically key-correlations in RC4. Information Processing Letters, 114 (5):234–238, 2014.