
New Linear Correlations on the Internal State of RC4 in WPA (original title: WPAにおけるRC4の内部状態に関する新しい線形相関)

Ryoma Ito
January 21, 2015

Research presentation @ SCIS 2015


Transcript

  1. New Linear Correlations on the Internal State of RC4 in WPA
     Keywords: RC4, WPA, linear correlation
     Ryoma Ito (1), Atsuko Miyaji (1,2)
     (1) Japan Advanced Institute of Science and Technology (JAIST), (2) JST CREST
     SCIS 2015 @ Kokura, 2015. 1. 21
     Ryoma Ito (JAIST), New Linear Correlations on the Internal State of RC4 in WPA (SCIS 2015), 2015. 1. 21, 1 / 28
  2. Research background: Outline
     1 Research background: RC4, WPA; existing work; motivation
     2 New linear correlations: analysis approach; biases in S_0[i_1]; biases in S_r[i_{r+1}]; experimental results
     3 Conclusion
  3. Research background: RC4, WPA
     RC4
     - Stream cipher developed by Rivest in 1987
     - Widely used in SSL/TLS, WEP, WPA and elsewhere
     - Two algorithms: KSA and PRGA
     WPA
     - Security protocol standardized in 2003 as the replacement for WEP
     - The RC4 secret key is generated by TKIP
     - Generation procedure of the RC4 secret-key bytes K[0], K[1], K[2]
  4. Research background: the KSA algorithm
     Algorithm 1 KSA
       for i = 0 to N − 1 do
         S^K_0[i] ← i
       end for
       j^K_0 ← 0
       for i = 0 to N − 1 do
         j^K_{i+1} ← j^K_i + S^K_i[i] + K[i mod l]
         Swap(S^K_i[i], S^K_i[j^K_{i+1}])
       end for
     State transition of the KSA
     Characteristics
     - Only 256 rounds
     - Swap operation: each index is selected as i exactly once
     - In round i, the elements of the set {S_i[0], ..., S_i[i − 1]} are never swapped with each other
  5. Research background: the PRGA algorithm
     Algorithm 2 PRGA
       r ← 0, i_0 ← 0, j_0 ← 0
       loop
         r ← r + 1
         i_r ← i_{r−1} + 1
         j_r ← j_{r−1} + S_{r−1}[i_r]
         Swap(S_{r−1}[i_r], S_{r−1}[j_r])
         t_r ← S_r[i_r] + S_r[j_r]
         Output: Z_r ← S_r[t_r]
       end loop
     State transition of the PRGA
     Characteristics
     - In each round the four values S_{r−1}[i_r], S_{r−1}[j_r], j_r, t_r are unknown
     - The internal state is recovered by searching for the optimal solution (e.g., branch and bound [KMP+98])
  6. Research background: existing work
     Attack                     Paper      Summary
     Distinguishing attacks     [MS02]     Proof of the bias Z_2 = 0; proposal of the broadcast attack
     (RC4)                      [MPG11]    Proof of biases in Z_1, Z_3, ..., Z_255; application to the broadcast attack
                                [ABP+13]   Plaintext recovery using single-byte and multi-byte biases
                                [IOWM14]   Bias set for the first 257 bytes; recovery of 250 bytes of plaintext
     Distinguishing attacks     [PPS14]    Focus on specific IVs in WPA; reduces the complexity of [ABP+13]
     (WPA)                      [GMM+14]   Distribution of K[0] + K[1] in WPA; linear correlations of the keystream
     Key recovery attacks       [FMS01]    Attack on WEP using weak IVs
                                [Kle08]    Attack on WEP that does not depend on weak IVs
                                [GMPS11]   Attack using correlations between the keystream and the secret key
     Internal-state recovery    [KMP+98]   Branch and bound over the 4 unknown values in the PRGA
     attacks                    [MK08]     Attack assuming j is known, using special properties of the internal state
                                [DMPS11]   Attack assuming j is known, combining existing attacks into one algorithm
     KSA                        [Roo95]    Found correlations between the internal state after the KSA and linear expressions in the secret key
                                [PM07]     Theoretical proof of the correlations shown in [Roo95]
     PRGA                       [Jen96]    Glimpse theorem (Jenkins correlation)
                                [Ours]     Proof of new biases related to the long-term Glimpse
  7. Research background: existing work. Observation by Sen Gupta et al. [GMM+14] I
     - Because of the relation between K[0] and K[1] in WPA, the distribution of K[0] + K[1] is biased
     - Distribution of K[0] + K[1]
       Note: the probability that K[0] + K[1] = 0 or 255 is 0
  8. Research background: existing work. Observation by Sen Gupta et al. [GMM+14] II
     - Build linear expressions in the secret-key bytes K[0], K[1], K[2] and a constant term
     - Search for correlations (linear correlations) between these expressions and the keystream byte Z_r:
       Z_r = a · K[0] + b · K[1] + c · K[2] + d   (7)
       r ∈ [1, 257], a, b, c ∈ {0, ±1}, d ∈ {0, ±1, ±2, ±3}
     Byte    Plaintext-recovery complexity [IOWM14]   [GMM+14]             Linear correlation used
     Z_1     2^30                                     5 · 2^13 ≈ 2^15.322   Z_1 = −K[0] − K[1]
     Z_3     2^30                                     2^19                  Z_3 = K[0] + K[1] + K[2] + 3
     Z_256   2^30                                     2^19                  Z_256 = −K[0]
     Z_257   2^30                                     2^21                  Z_257 = −K[0] − K[1]
     - In WPA, K[0], K[1], K[2] are known values
     - The linear correlations can therefore be applied to plaintext recovery attacks
  9. Research background: motivation. Linear correlations on the internal state
     - Focus on the 4 values that are unknown in each round of the RC4 PRGA
       Note: these are the values guessed and determined in the internal-state recovery attack [KMP+98]
       X_r ∈ {S_{r−1}[i_r], S_{r−1}[j_r], j_r, t_r} for r ≥ 1
     - Build linear functions in the secret-key bytes K[0], K[1], K[2], a constant term and the keystream:
       X_r = a · Z_r + b · K[0] + c · K[1] + d · K[2] + e   (12)
       r ∈ [1, 257], a, b, c, d ∈ {0, ±1}, e ∈ {0, ±1, ±2, ±3}
     - In WPA, the right-hand side of Eq. (12) consists of known values
     - Linear correlations found this way make the search for the optimal solution over the unknown values more efficient
     - This contributes to reducing the complexity of internal-state recovery attacks
  10. New linear correlations: Outline
     1 Research background: RC4, WPA; existing work; motivation
     2 New linear correlations: analysis approach; biases in S_0[i_1]; biases in S_r[i_{r+1}]; experimental results
     3 Conclusion
  11. New linear correlations: analysis approach. Experimental observations I
     - Searched for linear correlations on the internal state using 2^32 uniformly random secret keys:
       X_r = a · Z_r + b · K[0] + c · K[1] + d · K[2] + e   (12)
       X_r ∈ {S_{r−1}[i_r], S_{r−1}[j_r], j_r, t_r}
       r ∈ [1, 257], a, b, c, d ∈ {0, ±1}, e ∈ {0, ±1, ±2, ±3}
     - Found more than 250 notable linear correlations
     - Restricted to correlations whose probability is at least 0.0045 or below 0.0030
       Note: the probability for a random value ≈ 0.003906
     Linear correlation                    Probability   Result
     S_0[i_1] = K[0]  (RC4)                0.001450      Theorem 1
     S_0[i_1] = K[0]  (WPA)                0             Theorem 2
     S_r[i_{r+1}] = K[0] + K[1] + 1        next slide    Theorem 3
  12. New linear correlations: analysis approach. Experimental observations II
     - Observed probability of the event (S_r[i_{r+1}] = K[0] + K[1] + 1) (Theorem 3)
     - Theoretical proofs of the linear correlations found
  13. New linear correlations: biases in S_0[i_1]. Theorems 1, 2: probability of the event (S_0[i_1] = K[0]) I
     Theorem 1. In the initial internal state of the RC4 PRGA, the following holds:
       Pr(S_0[i_1] = K[0])_RC4 ≈ (1/N)(1 − 1/N)^{N−2}
     Theorem 2. In the initial internal state of the RC4 PRGA in WPA, the following holds:
       Pr(S_0[i_1] = K[0])_WPA = 0
  14. New linear correlations: biases in S_0[i_1]. Theorems 1, 2: probability of the event (S_0[i_1] = K[0]) II
     Proof
     1. Consider the state transitions of the first 2 rounds of the KSA:
        j^K_1 = j^K_0 + S^K_0[0] + K[0] = K[0],   (13)
        j^K_2 = j^K_1 + S^K_1[1] + K[1] = K[0] + K[1] + S^K_1[1]   (14)
  15. (Repeats the content of slide 14.)
  16. New linear correlations: biases in S_0[i_1]. Theorems 1, 2: probability of the event (S_0[i_1] = K[0]) III
     Proof
     1. Consider the state transitions of the first 2 rounds of the KSA:
        j^K_1 = j^K_0 + S^K_0[0] + K[0] = K[0],   (13)
        j^K_2 = j^K_1 + S^K_1[1] + K[1] = K[0] + K[1] + S^K_1[1]   (14)
     2. Split the values of the RC4 secret-key bytes K[0], K[1] into the following 5 paths:
        K[0] + K[1] = 0:        K[0] = 1 (Path 1-1), K[0] ≠ 1 (Path 1-2)
        K[0] + K[1] = 255:      K[0] = 1 (Path 2-1), K[0] ≠ 1 (Path 2-2)
        K[0] + K[1] ≠ 0, 255:   (Path 3)
  17. New linear correlations: biases in S_0[i_1]. Theorems 1, 2: probability of the event (S_0[i_1] = K[0]) IV
     Proof
     3. Consider the state transitions of the first 2 rounds of the KSA on every path:
        S^K_2[1] = K[0] holds only on Path 1-1 and Path 2-2
     4. Derive the probability that S_0[1] = S^K_2[1] (assuming the index j behaves randomly):
        Pr(S_0[1] = S^K_2[1]) ≈ (1 − 1/N)^{N−2}
  18. New linear correlations: biases in S_0[i_1]. Theorems 1, 2: probability of the event (S_0[i_1] = K[0]) V
     Proof
     5. Derive the probabilities of Path 1-1 and Path 2-2 (assuming a uniformly random secret key):
        Pr(Path 1-1) = Pr(K[0] + K[1] = 0 ∧ K[0] = 1) ≈ 1/N^2
        Pr(Path 2-2) = Pr(K[0] + K[1] = 255 ∧ K[0] ≠ 1) ≈ (1/N)(1 − 1/N)
     6. Derive the probability of the event (S_0[i_1] = K[0]) (Theorem 1):
        Pr(S_0[i_1] = K[0]) = Pr(S_0[i_1] = K[0] | Path 1-1) · Pr(Path 1-1) + Pr(S_0[i_1] = K[0] | Path 2-2) · Pr(Path 2-2)
                            ≈ (1 − 1/N)^{N−2} · 1/N^2 + (1 − 1/N)^{N−2} · (1/N)(1 − 1/N)
                            = (1/N)(1 − 1/N)^{N−2}
  19. New linear correlations: biases in S_0[i_1]. Theorems 1, 2: probability of the event (S_0[i_1] = K[0]) VI
     Proof
     5. Derive the probabilities of Path 1-1 and Path 2-2 (assuming a uniformly random secret key; in WPA, K[0] + K[1] is never 0 or 255):
        Pr(Path 1-1) = Pr(K[0] + K[1] = 0 ∧ K[0] = 1) = 0
        Pr(Path 2-2) = Pr(K[0] + K[1] = 255 ∧ K[0] ≠ 1) = 0
     6. Derive the probability of the event (S_0[i_1] = K[0]) (Theorem 2):
        Pr(S_0[i_1] = K[0]) = Pr(S_0[i_1] = K[0] | Path 1-1) · Pr(Path 1-1) + Pr(S_0[i_1] = K[0] | Path 2-2) · Pr(Path 2-2)
                            ≈ (1 − 1/N)^{N−2} · 0 + (1 − 1/N)^{N−2} · 0
                            = 0
  20. New linear correlations: biases in S_r[i_{r+1}]. Theorem 3: probability of the event (S_r[i_{r+1}] = K[0] + K[1] + 1)
     Theorem 3. For the RC4 PRGA after r rounds, splitting by cases for r ∈ [0, N], the following probabilities hold:
     \[
     \Pr(S_r[i_{r+1}] = K[0] + K[1] + 1) \approx
     \begin{cases}
       \alpha_1 & \text{if } r = 0,\\
       \alpha_1 \gamma_1 + (1 - \beta_1)\,\delta_2 & \text{if } r = 1,\\
       \delta_0 \left(1 - \frac{1}{N}\right)^{N-1} + \frac{1}{N}(1 - \delta_0)\left(1 - \left(1 - \frac{1}{N}\right)^{N-1}\right) & \text{if } r = N - 1,\\
       \zeta_1 \left(1 - \frac{1}{N}\right)^{N-1} + \frac{1}{N}(1 - \zeta_1)\left(1 - \left(1 - \frac{1}{N}\right)^{N-1}\right) & \text{if } r = N,\\
       \zeta_{r+1} \left(1 - \frac{1}{N}\right)^{r-1} + \frac{1}{N} \sum_{x=1}^{r-1} \eta_x \left(1 - \frac{1}{N}\right)^{r-x-1} & \text{otherwise.}
     \end{cases}
     \]
  21. New linear correlations: experimental results
     - Verified the theorems using 2^40 uniformly random secret keys
     - Evaluated the gap between experimental and theoretical values by the relative error:
       relative error = |experimental value − theoretical value| / experimental value × 100 (%)   (15)
     Result       Experimental value   Theoretical value   Relative error (%)
     Theorem 1    0.001449605          0.001445489         0.284
     Theorem 2    0                    0                   0
     Theorem 3    see Appendix
     - The experiments confirm the theoretical proofs
  22. Outline
     1 Research background: RC4, WPA; existing work; motivation
     2 New linear correlations: analysis approach; biases in S_0[i_1]; biases in S_r[i_{r+1}]; experimental results
     3 Conclusion
  23. Conclusion
     - Found various linear correlations on the internal state and proved them theoretically
       Theorem 1: Pr(S_0[i_1] = K[0])_RC4 ≈ 0.001445 (note: the probability for a random value is 0.003906)
       Theorem 2: Pr(S_0[i_1] = K[0])_WPA = 0
       Theorem 3: Pr(S_r[i_{r+1}] = K[0] + K[1] + 1) depends on the distribution of K[0] + K[1]
     Future work
     - Theoretical proofs of the other linear correlations (19 linear correlations have been proved so far)
     - Study how to apply the linear correlations found to internal-state recovery attacks
  24. Observed probabilities of the proved linear correlations
     X_r            Linear correlation          RC4        WPA
     S_0[i_1]       −K[0] − K[1] − 3            0.005336   0.008437
                    K[0] − K[1] − 3             0.005337   0.007848
                    K[0] − K[1] − 1             0.003922   0.007877
     S_1[i_2]       −K[0] − K[1] + K[2] − 1     0.005305   0.008197
                    K[1] + K[2] + 3             0.008157   0.008092
                    K[0] − K[1] + K[2] − 3      0.005295   0.008163
                    K[0] − K[1] + K[2] − 1      0.005290   0.008171
                    K[0] − K[1] + K[2] + 1      0.005309   0.008171
                    K[0] − K[1] + K[2] + 3      0.005310   0.002838
     S_255[i_256]   K[0]                        0.137294   0.138047
                    K[1]                        0.003911   0.037189
     j_2            −K[0] − K[1] + K[2] − 2     0.003921   0.004574
                    −K[0] − K[1] + K[2]         0.003919   0.005573
                    −K[0] − K[1] + K[2] + 2     0.003912   0.004545
                    −K[0] + K[1] + K[2]         0.003921   0.005501
                    −K[1] + K[2] − 2            0.003911   0.005479
                    −K[1] + K[2] + 3            0.003899   0.005476
                    K[2]                        0.004428   0.005571
                    K[0] − K[1] + K[2]          0.003918   0.005618
  25. References I
     [ABP+13] Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the Security of RC4 in TLS. In USENIX Security Symposium 2013, 2013.
     [DMPS11] Apurba Das, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar. Some Combinatorial Results towards State Recovery Attack on RC4. In Sushil Jajodia and Chandan Mazumdar, editors, Information Systems Security - ICISS 2011, volume 7093 of Lecture Notes in Computer Science, pages 204–214. Springer Berlin Heidelberg, 2011.
     [FMS01] Scott Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography - SAC 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer Berlin Heidelberg, 2001.
     [GMM+14] Sourav Sen Gupta, Subhamoy Maitra, Willi Meier, Goutam Paul, and Santanu Sarkar. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In Fast Software Encryption - FSE 2014. To appear, 2014.
     [GMPS11] Sourav Sen Gupta, Subhamoy Maitra, Goutam Paul, and Santanu Sarkar. Proof of Empirical RC4 Biases and New Key Correlations. In Ali Miri and Serge Vaudenay, editors, Selected Areas in Cryptography - SAC 2011, volume 7118 of Lecture Notes in Computer Science, pages 151–168. Springer Berlin Heidelberg, 2011.
     [IOWM14] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full Plaintext Recovery Attack on Broadcast RC4. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2014.
     [Jen96] R. J. Jenkins. ISAAC and RC4. http://burtleburtle.net/bob/rand/isaac.html, 1996.
     [Kle08] Andreas Klein. Attacks on the RC4 stream cipher. Designs, Codes and Cryptography, 48(3):269–286, April 2008.
  26. References II
     [KMP+98] Lars R. Knudsen, Willi Meier, Bart Preneel, Vincent Rijmen, and Sven Verdoolaege. Analysis Methods for (Alleged) RC4. In Kazuo Ohta and Dingyi Pei, editors, Advances in Cryptology - ASIACRYPT '98, volume 1514 of Lecture Notes in Computer Science, pages 327–341. Springer Berlin Heidelberg, 1998.
     [MK08] Alexander Maximov and Dmitry Khovratovich. New State Recovery Attack on RC4. In David Wagner, editor, Advances in Cryptology - CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pages 297–316. Springer Berlin Heidelberg, 2008.
     [MPG11] Subhamoy Maitra, Goutam Paul, and Sourav Sen Gupta. Attack on Broadcast RC4 Revisited. In Antoine Joux, editor, Fast Software Encryption - FSE 2011, volume 6733 of Lecture Notes in Computer Science, pages 199–217. Springer Berlin Heidelberg, 2011.
     [MS02] Itsik Mantin and Adi Shamir. Practical Attack on Broadcast RC4. In Mitsuru Matsui, editor, Fast Software Encryption - FSE 2001, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer Berlin Heidelberg, 2002.
     [PM07] Goutam Paul and Subhamoy Maitra. Permutation After RC4 Key Scheduling Reveals the Secret Key. In Carlisle Adams, Ali Miri, and Michael Wiener, editors, Selected Areas in Cryptography - SAC 2007, volume 4876 of Lecture Notes in Computer Science, pages 360–377. Springer Berlin Heidelberg, 2007.
     [PPS14] Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. Plaintext Recovery Attacks Against WPA/TKIP. In Fast Software Encryption - FSE 2014. To appear, 2014.
     [Roo95] Andrew Roos. A class of weak keys in the RC4 stream cipher. Posts in sci.crypt, http://marcel.wanda.ch/Archive/WeakKeys, 1995.
  27. Thank you for your kind attention!
     Important Dates
     Conference date: November 24-26, 2015
     Paper submission deadline: June 17, 2015
     Notification of acceptance: August 17, 2015
     Camera ready deadline: August 24, 2015
  28. Appendix: comparison of the experimental and theoretical values for Theorem 3