New Iterated RC4 Key Correlations

Transcript

1. New Iterated RC4 Key Correlations Keywords: RC4, WPA-TKIP, Bias, Key

   Correlations, Plaintext Recovery Ryoma Ito Atsuko Miyaji Osaka University, Japan ACISP 2018 @ Wollongong, Australia July 12, 2018 R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 1 / 27

2. Introduction Bacground RC4 Stream Cipher and WPA Protocol RC4 stream

   cipher ▶ designed by Rivest in 1987 ▶ widely used in SSL/TLS, WEP, WPA-TKIP ▶ consists of two algorithms: KSA and PRGA R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 2 / 27

3. Introduction Bacground RC4 Stream Cipher and WPA Protocol RC4 stream

   cipher ▶ designed by Rivest in 1987 ▶ widely used in SSL/TLS, WEP, WPA-TKIP ▶ consists of two algorithms: KSA and PRGA R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 2 / 27

4. Introduction Bacground RC4 Stream Cipher and WPA Protocol RC4 stream

   cipher ▶ designed by Rivest in 1987 ▶ widely used in SSL/TLS, WEP, WPA-TKIP ▶ consists of two algorithms: KSA and PRGA WPA: Wi-Fi Protected Access ▶ one of the security protocol for IEEE 802.11 wireless network ▶ 16-byte RC4 key setting known as TKIP ▶ The first 3-byte RC4 keys {K[0], K[1], K[2]} are known (IV-related). R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 2 / 27

5. Introduction Motivations and Contributions 1st Motivation: Key Correlations of the

   Keystream Key correlations of the keystream [?] Correlations between the RC4 key K and the keystream Z (key size: ℓ = 16) (a0 · K[0] + · · · + aℓ−1 · K[ℓ − 1] + aℓ · Z1 + · · · + a2ℓ−1 · Zℓ ) = b ai ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ Z/NZ R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 3 / 27

6. Introduction Motivations and Contributions 1st Motivation: Key Correlations of the

   Keystream Key correlations of the keystream [?] Correlations between the RC4 key K and the keystream Z (key size: ℓ = 16) (a0 · K[0] + · · · + aℓ−1 · K[ℓ − 1] + aℓ · Z1 + · · · + a2ℓ−1 · Zℓ ) = b ai ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ Z/NZ Table 1: Experimentally observed key correlations of the keystream [?] Key correlations Probability Z1 = K[0] − K[1] − 1 1.04969/N Z3 = K[0] − K[3] − 3 1.04620/N . . . . . . Z4 = K[0] − K[4] − 4 1.04463/N R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 3 / 27

7. Introduction Motivations and Contributions 1st Motivation: Key Correlations of the

   Keystream Key correlations of the keystream [?] Correlations between the RC4 key K and the keystream Z (key size: ℓ = 16) (a0 · K[0] + · · · + aℓ−1 · K[ℓ − 1] + aℓ · Z1 + · · · + a2ℓ−1 · Zℓ ) = b ai ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ Z/NZ Table 1: Experimentally observed key correlations of the keystream [?] Key correlations Probability Z1 = K[0] − K[1] − 1 1.04969/N Z3 = K[0] − K[3] − 3 1.04620/N . . . . . . Z4 = K[0] − K[4] − 4 1.04463/N ▶ Their investigations are limited to the first 5 rounds ▶ There might exist correlations between (K[0], K[r mod ℓ]) pairs and Zr R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 3 / 27

8. Introduction Motivations and Contributions 1st Contribution: Iterated RC4 Key Correlations

   New Iterated RC4 Key Correlations Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) pairs are iterated every ℓ rounds (key size: ℓ = 16) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 4 / 27

9. Introduction Motivations and Contributions 1st Contribution: Iterated RC4 Key Correlations

   New Iterated RC4 Key Correlations Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) pairs are iterated every ℓ rounds (key size: ℓ = 16) Figure 1: Experimental observations in WPA-TKIP R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 4 / 27

10. Introduction Motivations and Contributions 2nd Motivation: Plaintext Recovery on WPA-TKIP

    Motivation: plaintext recovery on WPA-TKIP [IOWM13, GMM+14, PPS14] Key correlations of the keystream with the known value {K[0], K[1], K[2]} Zr = a · K[0] + b · K[1] + c · K[2] + d r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3} R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 5 / 27

11. Introduction Motivations and Contributions 2nd Motivation: Plaintext Recovery on WPA-TKIP

    Motivation: plaintext recovery on WPA-TKIP [IOWM13, GMM+14, PPS14] Key correlations of the keystream with the known value {K[0], K[1], K[2]} Zr = a · K[0] + b · K[1] + c · K[2] + d r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3} Table 2: Significant improvements in recovering 4 bytes of a plaintext {P1 , P3 , P256 , P257} on WPA-TKIP from [IOWM13] [GMM+14] [IOWM13] Targets Key correlations # of C Biased events # of C P1 Z1 = −K[0] − K[1] 210.896 Z1 = 0 | Z2 = 0 218.072 P3 Z3 = K[0] + K[1] + K[2] + 3 213.939 Z3 = 131 224.218 P256 Z256 = −K[0] 213.803 Z256 = 0 226.814 P257 Z257 = −K[0] − K[1] 216.758 Z257 = 0 227.062 R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 5 / 27

12. Introduction Motivations and Contributions 2nd Contribution: Further Improvements for Plaintext

    Recovery Motivation: plaintext recovery on WPA-TKIP [IOWM13, GMM+14] New Iterated RC4 Key Correlations with the known value {K[0], K[1], K[2]} Zr = K[0] − K[r mod ℓ] − r Table 3: Significant improvements in recovering 8 bytes of a plaintext {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} on WPA-TKIP from [IOWM13] [Ours] [IOWM13] Targets Key correlations # of C Biased events # of C P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 6 / 27

13. Preliminaries Outline in My Talk 1 Preliminaries RC4 algorithms and

    WPA-TKIP protocol 2 New Iterated RC4 Key Correlations Observations Proofs Experiments 3 Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Our Result 4 Conclusion R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 7 / 27

14. Preliminaries RC4 algorithms and WPA-TKIP protocol RC4 algorithms: KSA and

    PRGA Algorithm 1 KSA 1: for i = 0 to N − 1 do 2: SK 0 [i] ← i 3: end for 4: jK 0 ← 0 5: for i = 0 to N − 1 do 6: jK i+1 ← jK i + SK i [i] + K[i mod ℓ] 7: Swap(SK i [i], SK i [jK i+1 ]) 8: end for Algorithm 2 PRGA 1: r ← 0, i0 ← 0, j0 ← 0 2: loop 3: r ← r + 1 4: ir ← ir−1 + 1 5: jr ← jr−1 + Sr−1 [ir ] 6: Swap(Sr−1 [ir ], Sr−1 [jr ]) 7: Output: Zr ← Sr [Sr [ir ] + Sr [jr ]] 8: end loop R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 8 / 27

15. Preliminaries RC4 algorithms and WPA-TKIP protocol TKIP: Temporal Key Integrity

    Protocol ▶ designed by the IEEE 802.11i task group and Wi-Fi Alliance ▶ a 16-byte RC4 key setting ▶ avoid the known WEP attacks using (IV-related) K[1] = 255 [FMS01] R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 9 / 27

16. Preliminaries RC4 algorithms and WPA-TKIP protocol TKIP: Temporal Key Integrity

    Protocol ▶ designed by the IEEE 802.11i task group and Wi-Fi Alliance ▶ a 16-byte RC4 key setting ▶ avoid the known WEP attacks using (IV-related) K[1] = 255 [FMS01] The first 3-byte RC4 keys, K[0], K[1] and K[2], are generated by IV16 ▶ IV16: the last 16-bit IV K[0] = (IV16 ≫ 8) & 0xFF K[1] = [(IV16 ≫ 8) | 0x20] & 0x7F K[2] = IV16 & 0xFF R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 9 / 27

17. New Iterated RC4 Key Correlations Outline in My Talk 1

    Preliminaries RC4 algorithms and WPA-TKIP protocol 2 New Iterated RC4 Key Correlations Observations Proofs Experiments 3 Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Our Result 4 Conclusion R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 10 / 27

18. New Iterated RC4 Key Correlations Observations Observations: Zr = K[0]

    − K[r mod ℓ] − r Key correlations of the keystream [?] (a0 · K[0] + · · · + aℓ−1 · K[ℓ − 1] + aℓ · Z1 + · · · + a2ℓ−1 · Zℓ ) = b ai ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ Z/NZ Table 4: Previous works on key correlations of the keystream Key correlations Reference Z1 = K[0] − K[1] − 1 [Sar14] Z3 = K[0] − K[3] − 3 [Sar14] Z4 = K[0] − K[4] − 4 [Sar14] Zx·ℓ = K[0] − K[x · ℓ mod ℓ] − x · ℓ = −x · ℓ [IOWM13] R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 11 / 27

19. New Iterated RC4 Key Correlations Observations Observations: Zr = K[0]

    − K[r mod ℓ] − r Key correlations of the keystream [?] (a0 · K[0] + · · · + aℓ−1 · K[ℓ − 1] + aℓ · Z1 + · · · + a2ℓ−1 · Zℓ ) = b ai ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ Z/NZ Table 4: Previous works on key correlations of the keystream Key correlations Reference Z1 = K[0] − K[1] − 1 [Sar14] Z3 = K[0] − K[3] − 3 [Sar14] Z4 = K[0] − K[4] − 4 [Sar14] Zx·ℓ = K[0] − K[x · ℓ mod ℓ] − x · ℓ = −x · ℓ [IOWM13] Motivation: Are there correlations between (K[0], K[r mod ℓ]) pairs and Zr ? R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 11 / 27

20. New Iterated RC4 Key Correlations Observations Observations: Zr = K[0]

    − K[r mod ℓ] − r Key correlations of the keystream [?] (a0 · K[0] + · · · + aℓ−1 · K[ℓ − 1] + aℓ · Z1 + · · · + a2ℓ−1 · Zℓ ) = b ai ∈ {−1, 0, 1} (0 ≤ i ≤ 2ℓ − 1), b ∈ Z/NZ Table 4: Previous works on key correlations of the keystream Key correlations Reference Z1 = K[0] − K[1] − 1 [Sar14] Z3 = K[0] − K[3] − 3 [Sar14] Z4 = K[0] − K[4] − 4 [Sar14] Zx·ℓ = K[0] − K[x · ℓ mod ℓ] − x · ℓ = −x · ℓ [IOWM13] Motivation: Are there correlations between (K[0], K[r mod ℓ]) pairs and Zr ? Our Observations For any arbitrary secret key K, the following key correlations of the keystream Zr in generic RC4 and WPA-TKIP induce biases: Zr = K[0] − K[r mod ℓ] − r. R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 11 / 27

21. New Iterated RC4 Key Correlations Proofs Theorem 7: Pr(Zr =

    K[0] − K[r mod ℓ] − r) Theorem 7 For any arbitrary secret key K and round r except when r = 1, 2, x · ℓ (x = 1, 2, . . . , 7), key correlations of the keystream Zr in both generic RC4 and WPA-TKIP are given by Pr(Zr = K[0] − K[r mod ℓ] − r) ≈ αr + 1 N (1 − αr ), where αr , βr , γr and δr are given by αr ≈ βr + 1 N(N−1) (1 − βr ) · γr · δr + 1 N (1 − δr ) , βr ≈ 1 N · N−r−1 N · r x=3 (N − x − 1)/ r−3 x=0 (N − x), γr ≈ 1 − 1 N N−r−1 · 1 N · N−1 x=r+1 1 − 1 N x · 1 − 1 N x−r−1 · 1 − 2 N N−x−1 , δr ≈ 1 − r v=2 ζ1,v − N−1 x=r+1 ζ1,x N−r−2 · N−r+1 N−1 . R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 12 / 27

22. New Iterated RC4 Key Correlations Proofs Proof sketch of Theorem

    7 3 phases to prove the major path for the target event: R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 13 / 27

23. New Iterated RC4 Key Correlations Proofs Proof sketch of Theorem

    7 3 phases to prove the major path for the target event: 1st Phase: From the initial to the (r + 1)-th round of the KSA ▶ Assuming that r + 1 events {jK 1 , . . . , jK r+1 } hold simultaneously ▶ Compute Pr(SK r+1 [r − 1] = K[0] − K[r mod ℓ] − r ∧ SK r+1 [r] = 0) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 13 / 27

24. New Iterated RC4 Key Correlations Proofs Proof sketch of Theorem

    7 3 phases to prove the major path for the target event: 1st Phase: From the initial to the (r + 1)-th round of the KSA ▶ Assuming that r + 1 events {jK 1 , . . . , jK r+1 } hold simultaneously ▶ Compute Pr(SK r+1 [r − 1] = K[0] − K[r mod ℓ] − r ∧ SK r+1 [r] = 0) 2nd Phase: From the (r + 2)-th round to the end of the KSA ▶ Assuming that 5 events hold simultaneously ▶ Compute Pr(S0 [r − 1] = x ∧ S0 [r] = 0 ∧ S0 [x] = K[0] − K[r mod ℓ] − r) 3rd Phase: From the initial to the r-th round of the PRGA ▶ Assuming that r − 1 events {j1, . . . , jr−1} hold simultaneously ▶ Compute Pr(Zr = K[0] − K[r mod ℓ] − r) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 13 / 27

25. New Iterated RC4 Key Correlations Proofs Proof sketch of Theorem

    7 3 phases to prove the major path for the target event: 1st Phase: From the initial to the (r + 1)-th round of the KSA ▶ Assuming that r + 1 events {jK 1 , . . . , jK r+1 } hold simultaneously ▶ Compute Pr(SK r+1 [r − 1] = K[0] − K[r mod ℓ] − r ∧ SK r+1 [r] = 0) 2nd Phase: From the (r + 2)-th round to the end of the KSA ▶ Assuming that 5 events hold simultaneously ▶ Compute Pr(S0 [r − 1] = x ∧ S0 [r] = 0 ∧ S0 [x] = K[0] − K[r mod ℓ] − r) 3rd Phase: From the initial to the r-th round of the PRGA ▶ Assuming that r − 1 events {j1, . . . , jr−1} hold simultaneously ▶ Compute Pr(Zr = K[0] − K[r mod ℓ] − r) αr ≈ βr + 1 N(N − 1) (1 − βr ) 1st Phase · γr 2nd Phase · δr + 1 N (1 − δr ) 3rd Phase R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 13 / 27

26. New Iterated RC4 Key Correlations Proofs Proof of Theorem 7

    when r = 3: 1st Phase 1st Phase: From the initial to the (r + 1)-th round of the KSA ▶ Assuming that r + 1 events {jK 1 , . . . , jK r+1 } hold simultaneously ▶ Compute Pr(SK r+1 [r − 1] = K[0] − K[r mod ℓ] − r ∧ SK r+1 [r] = 0) Pr(SK r+1 [r − 1] = K[0] − K[r mod ℓ] − r ∧ SK r+1 [r] = 0) ≈ βr + 1 N(N−1) (1 − βr ) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 14 / 27

27. New Iterated RC4 Key Correlations Proofs Proof of Theorem 7

    when r = 3: 2nd Phase 2nd Phase: From the (r + 2)-th round to the end of the KSA ▶ Assuming that 5 events hold simultaneously ▶ Compute Pr(S0 [r − 1] = x ∧ S0 [r] = 0 ∧ S0 [x] = K[0] − K[r mod ℓ] − r) Pr(S0 [r − 1] = x ∧ S0 [r] = 0 ∧ S0 [x] = K[0] − K[r mod ℓ] − r) ≈ γr R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 15 / 27

28. New Iterated RC4 Key Correlations Proofs Proof of Theorem 7

    when r = 3: 3rd Phase 3rd Phase: From the initial to the r-th round of the PRGA ▶ Assuming that r − 1 events {j1, . . . , jr−1} hold simultaneously ▶ Compute Pr(Zr = K[0] − K[r mod ℓ] − r) Pr(Zr = K[0] − K[r mod ℓ] − r) ≈ δr + 1 N (1 − δr ) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 16 / 27

29. New Iterated RC4 Key Correlations Proofs Proof of Theorem 7:

    Summary ▶ the probability in the major path: αr ≈ βr + 1 N(N − 1) (1 − βr ) Phase 1 · γr Phase 2 · δr + 1 N (1 − δr ) Phase 3 ▶ the probability that any phase does not hold: 1 N (1 − αr ) Pr(Zr = K[0] − K[r] − r) ≈ αr + 1 N (1 − αr ). (Q.E.D) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 17 / 27

30. New Iterated RC4 Key Correlations Proofs Theorems 9 and 10

    Theorem 9 For any arbitrary secret key K, a key correlation of the keystream Z1 in WPA-TKIP is given by Pr(Z1 = K[0] − K[1] − 1) ≈ 1 N (1 − α1 ), where α1 ≈ 1 N2 · (1 − 2 N ) · (1 − 1 N )N−2 · N−1 x=2 (1 − 1 N )x · (1 − 1 N )x−2 · (1 − 2 N )N−x−1. Theorem 10 For any arbitrary secret key K, a key correlation of the keystream Z2 in both generic RC4 and WPA-TKIP is given by Pr(Z2 = K[0] − K[2] − 2) ≈ 1 N . R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 18 / 27

31. New Iterated RC4 Key Correlations Experiments Experiments: Check the Accuracy

    of Theorems 7, 9 and 10 percentage of relative error ϵ ϵ = |experimental value − theoretical value| experimental value × 100(%) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 19 / 27

32. Improvements for Plaintext Recovery on WPA-TKIP Outline in My Talk

    1 Preliminaries RC4 algorithms and WPA-TKIP protocol 2 New Iterated RC4 Key Correlations Observations Proofs Experiments 3 Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Our Result 4 Conclusion R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 20 / 27

33. Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Known Attack

    in the Broadcast Setting [IOWM13] Broadcast Setting ▶ Ciphertexts C are generated from same plaintext P using multiple keys R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 21 / 27

34. Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Known Attack

    in the Broadcast Setting [IOWM13] Broadcast Setting ▶ Ciphertexts C are generated from same plaintext P using multiple keys Plaintext Recovery Algorithm in the Broadcast Setting [IOWM13] 1st Step. Obtain n ciphertexts C in the broadcast setting 2nd Step. Exploit the most/least frequent value in distribution of Cr 3rd Step. Recover Pr = Cr ⊕ Zr where Zr is the value of the keystream byte from a set of the strongest biases R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 21 / 27

35. Improvements for Plaintext Recovery on WPA-TKIP Known Attacks A Set

    of the Strongest Biases [IOWM13] Round Events of Zr Theoretical Value 1 Z1 = 0 | Z2 = 0 2−8 · (1 + 2−1.009) 2 Z2 = 0 2−8 · (1 + 20) 3 Z3 = 131 2−8 · (1 + 2−8.089) 4 Z4 = 0 2−8 · (1 + 2−7.581) 5-15 Zr = r max: 2−8 · (1 + 2−7.627), min: 2−8 · (1 + 2−7.737) 16 Z16 = 240 2−8 · (1 + 2−4.671) 17-31 Zr = r max: 2−8 · (1 + 2−7.759), min: 2−8 · (1 + 2−7.912) 32 Z32 = 224 2−8 · (1 + 2−5.176) 33-47 Zr = 0 max: 2−8 · (1 + 2−7.897), min: 2−8 · (1 + 2−8.050) 48 Z48 = 208 2−8 · (1 + 2−5.651) 49-63 Zr = 0 max: 2−8 · (1 + 2−8.072), min: 2−8 · (1 + 2−8.224) 64 Z64 = 192 2−8 · (1 + 2−6.085) 65-79 Zr = 0 max: 2−8 · (1 + 2−8.246), min: 2−8 · (1 + 2−8.398) 80 Z80 = 176 2−8 · (1 + 2−6.574) 81-95 Zr = 0 max: 2−8 · (1 + 2−8.420), min: 2−8 · (1 + 2−8.571) 96 Z96 = 160 2−8 · (1 + 2−6.970) 97-111 Zr = 0 max: 2−8 · (1 + 2−8.592), min: 2−8 · (1 + 2−8.741) 112 Z112 = 144 2−8 · (1 + 2−7.300) 113-255 Zr = 0 max: 2−8 · (1 + 2−8.763), min: 2−8 · (1 + 2−10.052) 256 Z256 = 0 2−8 · (1 − 2−9.474) 257 Z257 = 0 2−8 · (1 + 2−9.474) R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 22 / 27

36. Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Previous Improvements

    on WPA-TKIP [GMM+14] Existing attack [IOWM13] uses the constant values of the keystream biases. R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 23 / 27

37. Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Previous Improvements

    on WPA-TKIP [GMM+14] Existing attack [IOWM13] uses the constant values of the keystream biases. Motivation: Application to plaintext recovery on WPA-TKIP Key correlations of the keystream with the known value {K[0], K[1], K[2]} Zr = a · K[0] + b · K[1] + c · K[2] + d r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3} R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 23 / 27

38. Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Previous Improvements

    on WPA-TKIP [GMM+14] Existing attack [IOWM13] uses the constant values of the keystream biases. Motivation: Application to plaintext recovery on WPA-TKIP Key correlations of the keystream with the known value {K[0], K[1], K[2]} Zr = a · K[0] + b · K[1] + c · K[2] + d r ∈ [1, 257], a, b, c ∈ {−1, 0, 1}, d ∈ {−3, −2, −1, 0, 1, 2, 3} Table 5: Significant improvements in recovering 4 bytes of a plaintext {P1 , P3 , P256 , P257} on WPA-TKIP from [IOWM13] [GMM+14] [IOWM13] Targets Key correlations # of C Biased events # of C P1 Z1 = −K[0] − K[1] 210.896 Z1 = 0 | Z2 = 0 218.072 P3 Z3 = K[0] + K[1] + K[2] + 3 213.939 Z3 = 131 224.218 P256 Z256 = −K[0] 213.803 Z256 = 0 226.814 P257 Z257 = −K[0] − K[1] 216.758 Z257 = 0 227.062 R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 23 / 27

39. Improvements for Plaintext Recovery on WPA-TKIP Our Result Our Result:

    Further Improvements on WPA-TKIP Further improvements on WPA-TKIP using (K[0], K[1]) and (K[0], K[2]) pairs New Iterated RC4 Key Correlations with the known value {K[0], K[1], K[2]} Zr = K[0] − K[r mod ℓ] − r R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 24 / 27

40. Improvements for Plaintext Recovery on WPA-TKIP Our Result Our Result:

    Further Improvements on WPA-TKIP Further improvements on WPA-TKIP using (K[0], K[1]) and (K[0], K[2]) pairs New Iterated RC4 Key Correlations with the known value {K[0], K[1], K[2]} Zr = K[0] − K[r mod ℓ] − r Table 6: Significant improvements in recovering 8 bytes of a plaintext {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} on WPA-TKIP from [IOWM13] [Ours] [IOWM13] Targets Key correlations # of C Biased events # of C P17 Z17 = K[0] − K[1] − 17 217.727 Z17 = 17 223.178 P18 Z18 = K[0] − K[2] − 18 217.800 Z18 = 18 223.210 P33 Z33 = K[0] − K[1] − 33 218.955 Z33 = 0 223.770 P34 Z34 = K[0] − K[2] − 34 219.035 Z34 = 0 223.791 P49 Z49 = K[0] − K[1] − 49 220.297 Z49 = 0 224.114 P50 Z50 = K[0] − K[2] − 50 220.386 Z50 = 0 224.135 P66 Z66 = K[0] − K[2] − 66 221.869 Z66 = 0 224.479 P82 Z82 = K[0] − K[2] − 82 223.505 Z82 = 0 224.820 R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 24 / 27

41. Conclusion Outline in My Talk 1 Preliminaries RC4 algorithms and

    WPA-TKIP protocol 2 New Iterated RC4 Key Correlations Observations Proofs Experiments 3 Improvements for Plaintext Recovery on WPA-TKIP Known Attacks Our Result 4 Conclusion R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 25 / 27

42. Conclusion Summary in My Talk New Iterated RC4 Key Correlations

    Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) pairs are iterated every ℓ rounds (key size: ℓ = 16) Application to plaintext recovery on WPA-TKIP ▶ Significant improvements in recovering 8 bytes of a plaintext {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} on WPA-TKIP from [IOWM13] R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 26 / 27

43. Conclusion Summary in My Talk New Iterated RC4 Key Correlations

    Zr = K[0] − K[r mod ℓ] − r (K[0], K[r mod ℓ]) pairs are iterated every ℓ rounds (key size: ℓ = 16) Application to plaintext recovery on WPA-TKIP ▶ Significant improvements in recovering 8 bytes of a plaintext {P17 , P18 , P33 , P34 , P49 , P50 , P66 , P82} on WPA-TKIP from [IOWM13] Open problems ▶ Further improvements for full plaintext recovery on WPA-TKIP ▶ Application to key recovery attack ▶ Proposal of secure IV setting for WPA-TKIP R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 26 / 27

44. References I [FMS01] Scott Fluhrer, Itsik Mantin, and Adi Shamir.

    Weaknesses in the Key Scheduling Algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography - SAC 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer Berlin Heidelberg, 2001. [GMM+14] Sourav Sen Gupta, Subhamoy Maitra, Willi Meier, Goutam Paul, and Santanu Sarkar. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 350–369. Springer Berlin Heidelberg, 2014. [IOWM13] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full Plaintext Recovery Attack on Broadcast RC4. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2013. [PPS14] Kenneth G. Paterson, Bertram Poettering, and Jacob C.N. Schuldt. Plaintext Recovery Attacks Against WPA/TKIP. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 325–349. Springer Berlin Heidelberg, 2014. [Sar14] Santanu Sarkar. Proving Empirically key-correlations in RC4. Information Processing Letters, 114 (5):234–238, 2014. R. Ito & A. Miyaji (Osaka University) New Iterated RC4 Key Correlations July 12, 2018 27 / 27