Professional Documents
Culture Documents
1 History
2 Description
(PRGA)
o 2.3 Implementation
o 2.4 Test vectors
3 Security
Permutation
o 3.4 Klein's Attack
o 3.5 Combinatorial problem
4 RC4-based cryptosystems
5 See also
6 References
7 External links
[edit]History
The lookup stage of RC4. The output byte is selected by looking up the values of S(i) and S(j), adding them together
modulo 256, and then looking up the sum in S; S(S(i) + S(j)) is used as a byte of the key stream, K.
For as many iterations as are needed, the PRGA modifies the state
and outputs a byte of the keystream. In each iteration, the PRGA
increments i, adds the value of S pointed to by i to j, exchanges the
values of S[i] and S[j], and then outputs the element of S at the
location S[i] + S[j] (modulo 256). Each element of S is swapped with
another element at least once every 256 iterations.
i := 0
j := 0
while GeneratingOutput:
i := (i + 1) mod 256
j := (j + S[i]) mod 256
swap values of S[i] and S[j]
K := S[(S[i] + S[j]) mod 256]
output K
endwhile
[edit]Implementation
/* KSA */
void rc4_init(unsigned char *key, unsigned int
key_length) {
for (i = 0; i < 256; i++)
S[i] = i;
i = j = 0;
}
/* PRGA */
unsigned char rc4_output() {
i = (i + 1) & 255;
j = (j + S[i]) & 255;
swap(S, i, j);
return S[(S[i] + S[j]) & 255];
}
#include <stdio.h>
int main() {
int k, output_length;
unsigned char key[] = "Secret"; // key
hardcoded to "Secret"
k = 0;
while (k < output_length) {
printf("%c", rc4_output());
k++;
}
}
[edit]Test vectors
These test vectors are not official, but convenient for anyone testing
their own RC4 program. The keys and plaintext are ASCII, the
keystream and ciphertext are in hexadecimal.
[edit]Security
WEP
WPA (default algorithm, but can be configured to use AES-
CCMP instead of RC4)
BitTorrent protocol encryption
Microsoft Point-to-Point Encryption
Opera Mini[23]
Secure Sockets Layer (optionally)
Secure shell (optionally)
Remote Desktop Protocol
Kerberos (optionally)
SASL Mechanism Digest-MD5 (optionally)
Gpcode.AK, an early June 2008 computer virus for Microsoft
Windows, which takes documents hostage for ransom by obscuring
them with RC4 and RSA-1024 encryption
PDF
Skype (in modified form)[24]
Where a cryptosystem is marked with "(optionally)", RC4 is one of
several ciphers the system can be configured to use.
[edit]
What is WEP?
WEP stands for Wired Equivalent Privacy. The 802.11 designers intention was to provide wireless users with a
level of security equivalent to that achievable on a wired network. Unfortunately WEP has turned out to be much
less secure than intended.
WEP uses secret keys to encrypt data. Both AP and the receiving stations must know the secret keys.
There are two kinds of WEP with keys of either 64bits or 128bits. The longer key gives a slightly higher level of
security (but not as much as the larger number would imply). In fact the user keys are 40bits and 104bits long, the
other 24bits in each case being taken up by a variable called the Initialization Vector (IV).
When a packet is to be sent it is encrypted using a combination of the IV and the secret key. The IV is different (in
theory) for each packet, while the secret key is fixed. The resulting packet data looks like random data and
therefore makes the original message unreadable to an outsider not knowing the key. The receiving station
reverses the encryption process to retrieve the message in clear text.
In fact the standard does not specify that the value needs to change at all. Reusing keys is a major cryptographic
weakness in any security system.
24 bit keys allow for around 16.7 million possibilities. Sounds a lot, but on a busy network this number can be
achieved in a few hours. Reuse is then unavoidable.
Some manufacturers use ’random’ keys. This is not the best way to ensure against reuse. A better solution is to
start with a key and increment by one for each subsequent key. Unfortunately many devices revert to the same
value at start up and then follow the same sequence providing lots of duplicate values for hackers to work on.
Certain keys value combinations, ’Weak IVs’, do not produce sufficiently random data for the first few bytes. This
is the basis of the highly publicized attacks on WEP and the reason that keys can be discovered.
Manufacturers often deliberately disallow Weak IV values. This is good in that it reduces the chances of a hacker
capturing weak keys, but also has the effect of reducing the already limited key possibilities further, increasing the
chance of reuse of keys.
From a cryptographic point of view using master keys directly is not at all recommended. Master keys should only
be used to generate other temporary keys. WEP is seriously flawed in this respect.
WEP does have a message integrity check but hackers can change messages and recompute a new value to
match. This makes the checking ineffective against tampering.
Conclusion
Although WEP is far from an ideal security solution you should still use it. Some security is better than none. A
determined attacker may be able to discover your keys given time and enough weak IVs, but that’s no reason to
leave all of your doors open.
Check if your equipment manufacturer has an updated driver that avoids sending weak IVs. Use 128 bit
encryption if your equipment supports it. Change the key if there is any suspicion of an attack. Ideally install an
Intruder Detection System (IDS) to monitor attacks.
Take these precautions and your wireless network will be reasonably secure. For stronger security consider using
WiFi Protected Access (WPA).
Wireless Networks
Read more: http://www.openxtra.co.uk/articles/wep-weaknesses#ixzz1GQD8Bpce
Security researchers have discovered security problems that let malicious users
compromise the security of WLANs (wireless local area network) that use WEP
(Wired Equivalent Privacy) — these, for instance:
Passive attacks to decrypt traffic: These are based on statistical analysis.
Active attacks to inject new traffic from unauthorized mobile stations: These are
based on known plaintext.
Active attacks to decrypt traffic: These are based on tricking the access point.
Dictionary-building attacks: These are possible after analyzing enough traffic on a
busy network.
The biggest problem with WEP is when the installer doesn't enable it in the first
place. Even bad security is generally better than no security.
When people do use WEP, they forget to change their keys periodically. Having
many clients in a wireless network — potentially sharing the identical key for long
periods of time — is a well-known security vulnerability. If you keep your key long
enough, someone can grab all the frames he needs to crack it.
Can't blame most access-point administrators for not changing keys — after all, the
WEP protocol doesn't offer any key management provisions. But the situation is
dangerous: When someone in your organization loses a laptop for any reason, the
key could become compromised — along with all the other computers sharing the
key. So it's worth repeating . . .
Shared keys can compromise a wireless network. As the number of people sharing
the key grows, so does the security risk. A fundamental tenet of cryptography is that
the security of a system is largely dependent on the secrecy of the keys. Expose the
keys and you expose the text. Share the key, and a cracker only has to crack it once.
Moreover, when every station uses the same key, an eavesdropper has ready
access to a large amount of traffic for analytic attacks.
As if key management problems weren't enough, you have other problems with the
WEP algorithm. Check out these bugbears in the WEP initialization vector:
The IV is too small and in cleartext. It's a 24-bit field sent in the cleartext portion of
a message. This 24-bit string, used to initialize the key stream generated by the RC4
algorithm, is a relatively small field when used for cryptographic purposes.
The IV is static. Reuse of the same IV produces identical key streams for the
protection of data, and because the IV is short, it guarantees that those streams will
repeat after a relatively short time (between 5 and 7 hours) on a busy network.
The IV makes the key stream vulnerable. The 802.11 standard does not specify
how the IVs are set or changed, and individual wireless adapters from the same
vendor may all generate the same IV sequences, or some wireless adapters may
possibly use a constant IV. As a result, hackers can record network traffic, determine
the key stream, and use it to decrypt the ciphertext.
The IV is a part of the RC4 encryption key. The fact that an eavesdropper knows
24-bits of every packet key, combined with a weakness in the RC4 key schedule, leads
to a successful analytic attack that recovers the key after intercepting and analyzing
only a relatively small amount of traffic. Such an attack is so nearly a no-brainer that
it's publicly available as an attack script and as open-source code.
WEP provides no cryptographic integrity protection. However, the 802.11 MAC
protocol uses a non-cryptographic Cyclic Redundancy Check (CRC) to check the
integrity of packets, and acknowledges packets that have the correct checksum. The
combination of non-cryptographic checksums with stream ciphers is dangerous — and
often introduces vulnerabilities. The classic case? You guessed it: WEP.
There is an active attack that permits the attacker to decrypt any packet by systematically
modifying the packet, and CRC sending it to the AP and noting whether the packet is
acknowledged. These kinds of attacks are often subtle, and it is now considered risky to
design encryption protocols that do not include cryptographic integrity protection, because of
the possibility of interactions with other protocol levels that can give away information about
ciphertext.
Only one of the problems listed above depends on a weakness in the cryptographic
algorithm. Therefore substituting a stronger stream cipher will not help. For example,
the vulnerability of the key stream is a consequence of a weakness in the
implementation of the RC4 stream cipher — and that's exposed by a poorly designed
protocol.
One flaw in the implementation of the RC4 cipher in WEP is the fact that the 802.11
protocol does not specify how to generate IVs. Remember that IVs are the 24-bit
values that are pre-pended to the secret key and used in the RC4 cipher. The IV is
transmitted in plaintext. The reason we have IVs is to ensure that the value used as a
seed for the RC4 PRNG is always different.
RC4 is quite clear in its requirement that you should never, ever reuse a secret key.
The problem with WEP is that there is no guidance on how to implement IVs.
Microsoft uses the RC4 stream cipher in Word and Excel — and makes the mistake
of using the same keystream to encrypt two different documents. So you can break
Word and Excel encryption by XORing the two ciphertext streams together to get the
keystream to dropsout. Using the key stream, you can easily recover the two
plaintexts by using letter-frequency analysis and other basic techniques. You'd think
Microsoft would learn. But they made the same mistake in 1999 with the Windows NT
Syskey.
The key, whether it's 64 or 128 bits, is a combination of a shared secret and the IV.
The IV is a 24-bit binary number. Do we choose IV values randomly? Do we start at 0
and increment by 1? Or do we start at 16,777,215 and decrement by 1? Most
implementations of WEP initialize hardware using an IV of 0; and increment by 1 for
each packet sent. Because every packet requires a unique seed for RC4, you can
see that at higher volumes, the entire 24-bit space can be used up in a matter of
hours. Therefore we are forced to repeat IVs — and to violate RC4's cardinal rule
against ever repeating keys. Ask Microsoft what happens when you do. Statistical
analysis shows that all possible IVs (224) are exhausted in about 5 hours. Then the
IV re-initializes, starting at 0, every 5 hours.
Read more: http://www.dummies.com/how-to/content/understanding-wep-
weaknesses.html#ixzz1GQDWygyR