Tutorial 3

RC4 Algorithm
Netw1002: Computer security
Nahla Afifi
RC4 Algorithm overview
+ RC4 is a stream cipher designed in
1987 by Ron Rivest for RSA
Security.
+ RC4 is used in the Secure Sockets
Layer/Transport Layer Security
(SSL/TLS) standards that have
been defined for communication
between Web browsers and
servers.
How does it work?
1. Initialize an array of 256 bytes
2. Run the key scheduling Algorithm (KSA) on them
3. Run the Pseudo-Random Generation Algorithm (PRGA) on
the (KSA) output to generate key stream
4. XOR the data with a key stream.
1. Array initialization
+[S]: entries of S are set equal to the values from 0 through 255
in ascending order
+[T]: is a temporary vector.
+ [K]: Array of bytes of secret key
+Keylen: is the length of the k array
key scheduling Algorithm:
+We use T to produce the initial permutation of S
+Because the only operation on S is a swap, the only effect is a
permutation. S still contains all the numbers from 0 to 255.
Pseudo-Random Generation Algorithm
+Once the S vector is initialized, the input keyy is no longer used.
Encryption/Decryption
+To encrypt, XOR the value k with the next byte of plaintext.
+To decrypt, XOR the value k with the next byte of ciphertext.
 Question 1:
What RC4 key value will leave S unchanged during initialization?
That is, after the initial permutation of S, the entries of S will be
equal to the values from 0 through 255 in ascending order.
(S) Array 0 1 2 3 4 5 6 7 …. …. …. …. …. …. …. …. … 255
Permutate 0 1 2 3 4 5 6 7 …. …. …. …. …. …. …. …. … 255
d (S) Array
Question 1:
According to RC4 initialization:
1. Key is expanded to 256 bytes
2. S [ i ] = i
3. This algorithm is applied:

To leave S array unchanged 𝒋𝒏𝒆𝒘 should be equal to 𝒊𝒄𝒖𝒓𝒓𝒆𝒏𝒕 to cancel the effect of
swapping

We have: 𝑗()* = 𝑗+,- + 𝑖./00)(1 + 𝐾 𝑖./00)(1 𝑚𝑜𝑑 256;

We need 𝑗()* = 𝑖./00)(1 , this could happen when

𝑗+,- + 𝐾 𝑖./00)(1 𝑚𝑜𝑑 256 = 0
Question 1:
At Iteration #1:
𝑖./00)(1 = 0
𝑗+,- 2 = 0
Constraint we need to satisfy: 𝑗()* = 𝑖./00)(1 à 𝑗()*2 = 𝑖./00)(1 = 0

𝑗()*! = 𝑗+,-! + 𝑆 𝑖./00)(1 + 𝐾 𝑖./00)(1 𝑚𝑜𝑑 256;

𝑗()*! = 𝑗+,-! + 𝑖./00)(1 + 𝐾 [𝑖./00)(1 ] 𝑚𝑜𝑑 256;
0 = 0 + 0 + 𝐾 [0] 𝑚𝑜𝑑 256;

K [0] = 0
++𝑖./00)(1 = 1
Question 1:
At Iteration #2:
𝑖./00)(1 = 1
𝑗()*2 = 𝑗+,- 3 = 0

Constraint we need to satisfy: 𝑗()* = 𝑖./00)(1 à 𝑗()* 3 = 𝑖./00)(1 = 1

𝑗()*" = 𝑗+,-" + 𝑆 𝑖./00)(1 + 𝐾 𝑖./00)(1 𝑚𝑜𝑑 256;

𝑗()*" = 𝑗+,-" + 𝑖./00)(1 + 𝐾 [𝑖./00)(1 ] 𝑚𝑜𝑑 256;
1 = 0 + 1 + 𝐾 [1] 𝑚𝑜𝑑 256;
0 = 𝐾 [1] 𝑚𝑜𝑑 256;
K [1] = 0 mod 256 = 0
𝑖./00)(1 ++ = 2
Question 1:
At Iteration #3:
𝑖./00)(1 = 2
𝑗()* 3 = 𝑗+,- 4 = 1

Constraint we need to satisfy: 𝑗()* = 𝑖./00)(1 à 𝑗()* 4 = 𝑖./00)(1 = 2

𝑗()*# = 𝑗+,-# + 𝑆 𝑖./00)(1 + 𝐾 𝑖./00)(1 𝑚𝑜𝑑 256;

𝑗()*# = 𝑗+,-# + 𝑖./00)(1 + 𝐾 [𝑖./00)(1 ] 𝑚𝑜𝑑 256;
2 = 1 + 2 + 𝐾 [2] 𝑚𝑜𝑑 256;
0 = (1 + K [2]) mod 256
K [2] = 255
𝑖./00)(1 ++ = 3
Question 1:
At Iteration #4:
𝑖./00)(1 = 3
𝑗()* 4 = 𝑗+,- 5 = 2

Constraint we need to satisfy: 𝑗()* = 𝑖./00)(1 à 𝑗()* 5 = 𝑖./00)(1 = 3

𝑗()*$ = 𝑗+,-$ + 𝑆 𝑖./00)(1 + 𝐾 𝑖./00)(1 𝑚𝑜𝑑 256;

𝑗()*$ = 𝑗+,-$ + 𝑖./00)(1 + 𝐾 [𝑖./00)(1 ] 𝑚𝑜𝑑 256;
3 = 2 + 3 + 𝐾 [3] 𝑚𝑜𝑑 256;
0= 2 + 𝐾 [3] 𝑚𝑜𝑑 256;
K [3] = 254
𝑖./00)(1 ++ = 4
 Question 1:
We will continue with the same steps until we reach the last iteration
(iteration #255) so that the key array will have the same length of S array.
+As shown in the table here this will be the key that makes S array does not
change after permutation
Octet # 1st 2nd 3rd 4th 5th 6th 7th 8th …. …. …. …. …. …. …. …. …. 255th
Key (K) 0 0 255 254 253 252 251 250 …. …. …. …. …. …. …. …. …. 2
(S) Array 0 1 2 3 4 5 6 7 …. …. …. …. …. …. …. …. …. 255

Permutate 0 1 2 3 4 5 6 7 …. …. …. …. …. …. …. …. …. 255
d (S) Array
Question 2:
RC4 has a secret internal state which is a permutation of all
the possible values of the vector S and the two indices x and y.
a) Using a straightforward scheme to store the internal state, how many
bits are used?
We store 3 variables (S, X, Y):
X consists of (8-bits)
Y consists of (8-bits)
S array hold 256 Octets (each of 8-bits)

Total # of bits = 8 + 8 + 256 * 8 = 2064 bits

Question 2:
b) Suppose we think of it from the point of view of how much information
is represented by the state. In that case, we need to determine how
many different states there are, then take the log to the base 2 to find
out how many bits of information this represents. Using this
approach, how many bits would be needed to represent the state?
As X is made of 8-bits so it has 256 states (𝟐𝟖 states)
As Y is made of 8-bits so it has 256 states (𝟐𝟖 states)
As S array hold 256 Octet so we have 256! States for all cells in the array

Total # of states = 256 *256* 256! states

No. of bits for a state = 𝒍𝒐𝒈𝟐 𝟐𝟓𝟔𝟐 ∗ 𝟐𝟓𝟔! = 𝟏𝟕𝟎𝟎 bits
Question 3:
Alice and Bob agree to communicate privately via email using a scheme based on RC4, but
want to avoid using a new secret key for each transmission. Alice and Bob privately agree
on a 128-bit key k. To encrypt a message m, consisting of a string of bits, the following
procedure is used:
• Choose a random 80-bit value v.
• Generate the ciphertext c = RC4(v||k) ⊕ m
• Send the bit string (v||c)

(a) Suppose Alice uses this procedure to send a message m to Bob. Describe how Bob can recover the message
m from (v||C) using k.

(b) If an adversary observes several values (v1||C1), (v2||C2), . . . transmitted between Alice and Bob, how can
he/she determine when the same key stream has been used to encrypt two messages?
Question 3:
Alice sends (V||C) which is equivalent to (V||(RC4(V||K)⊕m) to Bob
At Receiver's Side: Bob’s Side:
+ 1st Step: Bob has to remove 1st 80 bits vector V from the sent message (V||C) to get the cipher
text C.
+ 2nd Step: Bob will input (1st 80-bits) vector V and the 128-bits key in RC4 algorithm to
generate RC4 (V||K)
+ 3rd Step: Bob will Xor the result of step 2 with the result of step 1 to decrypt the cipher
message and get the plain text message (m)
C ⊕ RC4 (V||K) = (RC4(V||K)⊕m) ⊕ RC4 (V||K) = (RC4(V||K)⊕m) ⊕ RC4 (V||K) = m
Question 3:
(b) If an adversary observes several values (v1||C1), (v2||C2), . . . transmitted
between Alice and Bob, how can he/she determine when the same key stream has
been used to encrypt two messages?
+ The key stream is generated as RC4(v||k). Since k is fixed, the key stream will be repeated
only if v is repeated.
+ The adversary can easily notice the repetition of v because it is sent in the clear.
+ For example, if 𝑉# = 𝑉$ then same key stream is used for encrypting 𝑚# = 𝑚$
Question 4:
Give an upper bound on the number of 258-octet states possible
in RC4, i.e., 256 octets for S, one octet for x, and one octet for y.
As mentioned in question 2,
Total # of states = 256 * 256 * 256! states
Thank you!!