Key Collisions of the RC4 Stream Cipher Mitsuru Matsui Mitsuru Matsui Information Technology R&D Center Mitsubishi Electric Corporation February 23 2009, FSE 2009
In this presentation we talk about … ● A colliding key pair of RC4 – keys that create the same initial states – a 24-byte colliding key pair found – # of colliding key pairs = (1/e) (k � (256 mod k)) 256 k � 2 � (256/k) – # of colliding key pairs = (1/e) (k � (256 mod k)) 256 k � 2 � (256/k) ● A near-colliding key pair of RC4 – keys that creates initial states that differ at two positions – a 20-byte near-colliding key pair found – # of near-colliding key pairs = (1/e) (k � (256 mod k)) 256 k � (256/k)
The RC4 Stream Cipher • Designed by Ron Rivest in 1987. • Source program leaked in 1994. • The most influential stream cipher – WEP, WPA, SSL, file encryption … – WEP, WPA, SSL, file encryption … – enormous efforts of cryptanalysis … • Extremely simple and fast in software
The Structure ● Variable key length: 1-byte to 256-byte ● Key Scheduling Algorithm (KSA) + Pseudo-random Generating Algorithm (PRGA) KSA PRGA W k Sym(W) W* ∋ ∋ ∋ K S R “Byte Stream” “Secret Key” “Initial State” W = {0,1,2,…,255}
Key Scheduling Algorithm /* State Setup */ for(i=0; i<=0xFF; i++) S[i] = i; /* State Updating */ j=0; j=0; for(i=0; i<=0xFF; i++){ j = (j + S[i] + K[i]) & 0xFF; SWAP(S[i], S[j]); } State S 0 1 2 3 4 5 6 7 FD FE FF Note: K[i] = K[i mod k]
Pseudo Random Generating Algorithm i=0; j=0; while( 1 ){ i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF; j = (j + S[i]) & 0xFF; SWAP(S[i], S[j]); OUTPUT S[(S[i]+S[j])0xFF]; } OUTPUT i j State S S[i]+S[j] S[j] S[i]
The KSA Mapping: One-to-one ? KSA W k Sym(W) if k > 210 (#Sym(W)=256! ~ 2 1684 ) No Maybe no if k > 105 (birthday paradox) ? otherwise [Our Results] if k ≧ 24 (colliding keys found) No Maybe no if k ≧ 17 ? otherwise
An Example: 64-byte Colliding Key Pair K1 45 3D 7D 3D C9 45 57 12 00 00 00 j1 = j1 + S1[i] + K1[i%0x40] 45 3D 7E 3D C9 45 57 12 00 00 j2 = j2 + S2[i] + K2[i%0x40] K2 00 i i 00 01 02 03 00 01 02 03 40 41 42 43 40 41 42 43 80 81 82 83 80 81 82 83 C0C1C2C3 C0C1C2C3 �K 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 j1 02 42 02 82 41 C1 81 C1 X 03 42 02 82 41 C1 81 C0 X j2 S1 02 03 S2 02 03
General Key Collision Sequence K2[i] = K1[i]+1 (if i = d) n = (256+k–1–d) / k K2[i] = K1[i] (otherwise) K1[i] = K2[i]+1 exactly n times (i=0,1,…255) Key Length k Repeated n13 times d … d+k … d+(n11)k … d+(n12)k … 0…d11 0…d11 d+(n11)k11 d+(n11)k11 d+k11 d+k11 d+2k11 d+2k11 255 255 i=d+(n12)k i=d i=d+k i=d+(n11)k12 i=d+(n11)k11 i=d+1 j1=d+(n11)k11 j1=d j1=d+2k j1=x j1=d+(n11)k11 j1=d+k j2=d+(n11)k11 j2=d+1 j2=d+2k j2=x j2=d+(n11)k12 j2=d+k S1 d d+1 S2 d d+1
Probability Estimation (254/256) d (255/256) k12 (255/256) k14 (255/256) k12 Key Length k Repeated n13 times d … d+k … d+(n11)k … d+(n12)k … 0…d11 0…d11 d+(n11)k11 d+(n11)k11 d+k11 d+k11 d+2k11 d+2k11 255 255 i=d+(n12)k i=d i=d+k i=d+(n11)k12 i=d+(n11)k11 i=d+1 j1=d+(n11)k11 j1=d j1=d+2k j1=x j1=d+(n11)k11 j1=d+k j2=d+(n11)k11 j2=d+1 j2=d+2k j2=x j2=d+(n11)k12 j2=d+k 1/256 1/256 1/256 1/256 1/256 1/256 ColProb(k,d) = (254/256) d (255/256) (n�1)(k�2)�2 (1/256) n+2 ≒ ≒ ≒ ≒ (1/e) (1/256) n+2
How to Find a Colliding Key Pair (I) A Simple Try�and�Error Algorithm: (1) Generate a key pair randomly. (2) Proceed the key scheduling algorithm by one step (2) Proceed the key scheduling algorithm by one step (3) If ‘j’ does not meet the expected value, go to (1). (4) If the key scheduling algorithm is completed, stop. FOUND! (5) Go to (2). We can ‘skip’ the conditions at i=d and i=d+1, because (1) i=d determines K[d] uniquely. (2) i=d+1 determined K[d+1] uniquely. Specifically K[d+1] =k–d–1.
Experimental Results K1 = 00 6d 41 8b 95 46 07 a4 87 8d 69 d7 bc bc c4 70 4a 3b ed 94 34 50 04 68 4d 4f 2e 30 c1 6e 20 a8 bf 80 b6 ae df ae 43 56 0a 80 e7 K2 = 00 6d 41 8b 95 46 07 a4 87 8d 69 d7 bc bc c4 70 4a 3b ed 94 34 50 04 68 4d 4f 2e 30 c1 6e 20 a8 bf 80 b6 ae df ae 43 56 0a 80 e8
Number of Colliding Pairs ColPairs(k) = = = 256 k Σ d=0…k�1 ColProb(k,d) = ≒ ≒ (1/e) (k � (256 mod k)) 256 k�2�(256/k) ≒ ≒
How to Find a Colliding Key Pair (II) A Faster Recursive Search Algorithm: Search(K1,K2) (1) If K1 and K2 are a (near�)colliding pair, Stop. (2) Measure “Similarity S” between K1 and K2. (2) Measure “Similarity S” between K1 and K2. (3) Change K1 and K2 slightly and measure similarity S’ (4) If found K1’ and K2’ such that S’ > S then call Search(K1’,K2’) Similarity : max i { distance(S1,S2) ≦ 2 at all steps ≦ i } Change K1 and K2 by +y at x and –y at x+1 for all x and y≠0 i.e. K’[x] = K[x]+y, K’[x+1] = K[x]–y, K’[i] = K[i] (if i ≠ x or x+1)
Concluding Remarks ● A 24-byte colliding key pair found. K1 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 ED A2 CD 1F E2 8C 01 76 K2 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 K2 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 ED A2 CD 1F E2 8C 01 77 ● RC4 has many colliding key pairs. – much more than intuitively expected ● Experimental results do not always agree with our theoretical estimation when the key size is less than 30. ● More precise probabilistic analysis is needed.
Recommend
More recommend
