Key Collisions of the RC4 Stream Cipher - Mitsuru Matsui



SLIDE 1

Key Collisions of the RC4 Stream Cipher

Mitsuru Matsui

Information Technology R&D Center Mitsubishi Electric Corporation

February 23 2009, FSE 2009

SLIDE 2

In this presentation we talk about…

  • A colliding key pair of RC4

– keys that create the same initial states
– a 24-byte colliding key pair found
– # of colliding key pairs = $(1/e)\,(k - (256 \bmod k))\,256^{\,k-2-(256/k)}$

  • A near-colliding key pair of RC4

– keys that create initial states that differ at two positions
– a 20-byte near-colliding key pair found
– # of near-colliding key pairs = $(1/e)\,(k - (256 \bmod k))\,256^{\,k-(256/k)}$

SLIDE 3

The RC4 Stream Cipher

  • Designed by Ron Rivest in 1987.
  • Source program leaked in 1994.
  • The most influential stream cipher

– WEP, WPA, SSL, file encryption …
– enormous efforts of cryptanalysis …

  • Extremely simple and fast in software
SLIDE 4

The Structure

  • Variable key length: 1-byte to 256-byte
  • Key Scheduling Algorithm (KSA) + Pseudo-random Generating Algorithm (PRGA)

K ∈ W^k (“Secret Key”) → KSA → S ∈ Sym(W) (“Initial State”) → PRGA → R ∈ W* (“Byte Stream”), where W = {0,1,2,…,255}

SLIDE 5

Key Scheduling Algorithm

    /* State Setup */
    for (i = 0; i <= 0xFF; i++)
        S[i] = i;

    /* State Updating */
    j = 0;
    for (i = 0; i <= 0xFF; i++) {
        j = (j + S[i] + K[i]) & 0xFF;
        SWAP(S[i], S[j]);
    }

[Figure: state array S with entries 0, 1, 2, …, FD, FE, FF]

Note: K[i] = K[i mod k]

SLIDE 6

Pseudo Random Generating Algorithm

    i = 0; j = 0;
    while (1) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        SWAP(S[i], S[j]);
        OUTPUT S[(S[i] + S[j]) & 0xFF];
    }

[Figure: state S with the indices i and j, the entries S[i] and S[j], the sum S[i]+S[j], and the OUTPUT byte]

SLIDE 7

The KSA Mapping: One-to-one ?

KSA: W^k → Sym(W)

  • No if k > 210 (#Sym(W) = 256! ~ 2^1684)
  • Maybe no if k > 105 (birthday paradox)
  • ? otherwise

[Our Results]

  • No if k ≧ 24 (colliding keys found)
  • Maybe no if k ≧ 17
  • ? otherwise
SLIDE 8

An Example: 64-byte Colliding Key Pair

K1 = 45 3D 7D 3D C9 45 57 12 00 00 00
K2 = 45 3D 7E 3D C9 45 57 12 00 00 00

j1 = j1 + S1[i] + K1[i%0x40]
j2 = j2 + S2[i] + K2[i%0x40]

[Figure: states S1 and S2 and indices j1, j2 during the KSA at i = 00–03, 40–43, 80–83, C0–C3]

SLIDE 9

General Key Collision Sequence

K2[i] = K1[i]+1 (if i = d)
K2[i] = K1[i] (otherwise)
n = (256+k–1–d) / k
K1[i] = K2[i]+1 exactly n times (i=0,1,…,255)

Key length k. Index ranges: 0…d−1 | d…d+k−1 | d+k…d+2k−1 | … (repeated n−3 times) | d+(n−2)k…d+(n−1)k−1 | d+(n−1)k…255

i = d:             j1 = d,             j2 = d+1
i = d+1:           j1 = d+k,           j2 = d+k
i = d+k:           j1 = d+2k,          j2 = d+2k
i = d+(n−2)k:      j1 = d+(n−1)k−1,    j2 = d+(n−1)k−1
i = d+(n−1)k−2:    j1 = x,             j2 = x
i = d+(n−1)k−1:    j1 = d+(n−1)k−1,    j2 = d+(n−1)k−2

[Figure: entries d and d+1 in states S1 and S2]

SLIDE 10

Probability Estimation

[Figure: the index ranges and (i, j1, j2) steps of the general key collision sequence, annotated with probabilities. Factors shown on the ranges: (254/256)^d, (255/256)^(k−2), (255/256)^(k−2), (255/256)^(k−4). Each of the six steps shown carries a factor 1/256.]

$\mathrm{ColProb}(k,d) = (254/256)^{d}\,(255/256)^{(n-1)(k-2)-2}\,(1/256)^{n+2} \approx (1/e)\,(1/256)^{n+2}$

SLIDE 11

How to Find a Colliding Key Pair (I)

A Simple Try-and-Error Algorithm:
(1) Generate a key pair randomly.
(2) Advance the key scheduling algorithm by one step.
(3) If ‘j’ does not meet the expected value, go to (1).
(4) If the key scheduling algorithm is completed, stop. FOUND!
(5) Go to (2).

We can ‘skip’ the conditions at i=d and i=d+1, because
(1) i=d determines K[d] uniquely.
(2) i=d+1 determines K[d+1] uniquely. Specifically K[d+1] = k–d–1.

SLIDE 12

Experimental Results

K1 = 00 6d 41 8b 95 46 07 a4 87 8d 69 d7 bc bc c4 70 4a 3b ed 94 34 50 04 68 4d 4f 2e 30 c1 6e 20 a8 bf 80 b6 ae df ae 43 56 0a 80 e7
K2 = 00 6d 41 8b 95 46 07 a4 87 8d 69 d7 bc bc c4 70 4a 3b ed 94 34 50 04 68 4d 4f 2e 30 c1 6e 20 a8 bf 80 b6 ae df ae 43 56 0a 80 e8

SLIDE 13

Number of Colliding Pairs

$\mathrm{ColPairs}(k) = 256^{k}\sum_{d=0}^{k-1}\mathrm{ColProb}(k,d) \approx (1/e)\,(k - (256 \bmod k))\,256^{\,k-2-(256/k)}$

SLIDE 14

How to Find a Colliding Key Pair (II)

A Faster Recursive Search Algorithm: Search(K1,K2)
(1) If K1 and K2 are a (near-)colliding pair, stop.
(2) Measure “Similarity S” between K1 and K2.
(3) Change K1 and K2 slightly and measure similarity S’.
(4) If K1’ and K2’ are found such that S’ > S, then call Search(K1’,K2’).

Similarity: max_i { distance(S1,S2) ≦ 2 at all steps ≦ i }
Change K1 and K2 by +y at x and –y at x+1 for all x and y≠0,
i.e. K’[x] = K[x]+y, K’[x+1] = K[x+1]–y, K’[i] = K[i] (if i ≠ x or x+1)

SLIDE 15

Concluding Remarks

  • A 24-byte colliding key pair found.

K1 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 ED A2 CD 1F E2 8C 01 76
K2 = 00 42 CE D3 DF DD B6 9D 41 3D BD 3A B1 16 5A 33 ED A2 CD 1F E2 8C 01 77

  • RC4 has many colliding key pairs.

– much more than intuitively expected

  • Experimental results do not always agree with our theoretical estimation when the key size is less than 30.

  • More precise probabilistic analysis is needed.
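
The 24-byte pair above can be checked directly. The following C program is an added example, not code from the presentation: it runs the KSA on both keys in lockstep and reports how many state positions differ at the end and at the worst point along the way. The names `ksa_step`, `state_distance`, `ksa_compare`, `PAIR_K1` and `PAIR_K2` are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* One KSA step at index i; the key is extended cyclically (K[i] = K[i mod k]). */
static void ksa_step(uint8_t S[256], uint8_t *j, int i, const uint8_t *K, size_t k)
{
    *j = (uint8_t)(*j + S[i] + K[(size_t)i % k]);
    uint8_t t = S[i]; S[i] = S[*j]; S[*j] = t;
}

/* Number of positions at which two states differ. */
static int state_distance(const uint8_t A[256], const uint8_t B[256])
{
    int n = 0;
    for (int i = 0; i < 256; i++) n += (A[i] != B[i]);
    return n;
}

/* Run both key schedules in lockstep. Returns the distance between the final
 * states (0 means the keys collide); *max_dist receives the largest distance
 * seen after any step. */
int ksa_compare(const uint8_t *K1, const uint8_t *K2, size_t k, int *max_dist)
{
    uint8_t S1[256], S2[256], j1 = 0, j2 = 0;
    int dist = 0;
    *max_dist = 0;
    for (int i = 0; i < 256; i++) S1[i] = S2[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        ksa_step(S1, &j1, i, K1, k);
        ksa_step(S2, &j2, i, K2, k);
        dist = state_distance(S1, S2);
        if (dist > *max_dist) *max_dist = dist;
    }
    return dist;
}

/* The 24-byte pair from the concluding slide; only the last byte differs. */
const uint8_t PAIR_K1[24] = {0x00,0x42,0xCE,0xD3,0xDF,0xDD,0xB6,0x9D,0x41,0x3D,0xBD,0x3A,
                             0xB1,0x16,0x5A,0x33,0xED,0xA2,0xCD,0x1F,0xE2,0x8C,0x01,0x76};
const uint8_t PAIR_K2[24] = {0x00,0x42,0xCE,0xD3,0xDF,0xDD,0xB6,0x9D,0x41,0x3D,0xBD,0x3A,
                             0xB1,0x16,0x5A,0x33,0xED,0xA2,0xCD,0x1F,0xE2,0x8C,0x01,0x77};

int main(void)
{
    int max_dist;
    int final_dist = ksa_compare(PAIR_K1, PAIR_K2, 24, &max_dist);
    printf("final distance = %d, max distance during KSA = %d\n", final_dist, max_dist);
    return final_dist != 0;
}
```

Because the RC4 keystream depends only on the state the KSA produces, a final distance of 0 means both keys generate the same byte stream.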