
AGENDA

●Introduction to RC4
●RC4 algorithm
●Cryptanalysis on RC4
- WEP Attack
●Future work
INTRODUCTION

●Invented by Ron Rivest (RSA labs).
●Symmetric key
●A stream cipher
●Generates one keystream byte per step
○ Efficient in software
○ Simple and elegant
●Most popular stream cipher in existence
RC4 ALGORITHM

●KSA (key-scheduling algorithm)
For i = 0 to N-1 do
    S[i] = i
    T[i] = K[i mod keylen]
j = 0
For i = 0 to N-1 do
    j = (j + S[i] + T[i]) mod N
    Swap(S[i], S[j])
Algorithm contd…..

●PRGA (pseudo-random generation algorithm)
i = 0
j = 0
For each keystream byte do
    i = (i + 1) mod N
    j = (j + S[i]) mod N
    Swap(S[i], S[j])
    t = (S[i] + S[j]) mod N
    k = S[t]    (output keystream byte)
Applications of RC4

●WEP (Wired Equivalent Privacy)
●SSL (Secure Sockets Layer)
●Block cipher designs.

WEP Attack/RC4

WEP Encryption :-

[Diagram: the plaintext (Message + ICV) is XORed with Keystream = RC4(IV, key) to give the ciphertext; the transmitted data is IV + Ciphertext.]

● ICV = Integrity Check Value (CRC-32)
● IV = Initialisation Vector [24 bit]
● key = Pre-shared Key [40 or 104 bit]
WEP Attack/RC4

WEP Decryption :-

[Diagram: the received data is IV + Ciphertext; the ciphertext is XORed with Keystream = RC4(IV, key) to give the decrypted message (Message + ICV).]
WEP Cryptanalytic Attack

● WEP data is encrypted using RC4
○ Packet key is built from the IV and the long-term key K
○ 3-byte IV is prepended to K
○ Packet key is (IV,K)
● IV is sent in the clear (not secret)
○ New IV sent with every packet
○ Long-term key K seldom changes (maybe never)
● Assume we know the IVs and the ciphertext
RC4 in WEP
● 3-byte IV is prepended to the key
● We denote the RC4 key bytes as K0,K1,K2,K3,K4,K5,...
○ Where IV = (K0,K1,K2), which we know
○ We want to find K3,K4,K5,...
● Given enough IVs, we show that we can recover the long-term key
○ Regardless of the length of the key!
○ Provided we know the first keystream byte
○ Known plaintext attack (1st byte of each packet)
RC4/WEP Attack
●IV = (3,255,V)
●Key = (3,255,V,K3,K4,...)
●We know K0 = 3, K1 = 255, K2 = V
●The other Ki are the long-term key
○Which is unknown

●Recall RC4 initialization: first, set S to…


RC4/WEP Attack
● IV = (3,255,V)
● Key = (3,255,V,K3,K4,...)
● Continuing, at i = 3 step
i=3
j = j+S3+K3 = 5+V+1+K3 = 6+V+K3
swap(Si,Sj)
● Assuming 6+V+K3 > 5+V (mod 256), the table is

● Otherwise 6+V+K3 will be to the left of 5+V


RC4/WEP Attack
● Suppose initialization stopped with

● First key stream byte


● Let i = j = 0
● Then
i = i+1 = 1
j = j+S1 = 0
t = Si+Sj = S1+S0 = 0+3 = 3
Key stream Byte = St = S3 = 6+V+K3
RC4/WEP Attack
● Note: key stream Byte = 6+V+K3

● If the keystream byte is known, we can solve for K3, since
K3 = (keystreamByte - 6 - V) mod 256

● But initialization does not stop at i=3


RC4/WEP Attack

● After i=3 initialization step, S is

● If the elements at 0, 1 and 3 are not swapped in the remaining initialization steps, the attack works
● For the remaining initialization steps…
○ We have i = 4,5,6,... so index i will not affect anything at indices 0, 1 or 3
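
The steps above can be checked offline. The following Python is an added example, not code from the original slides: it implements the KSA and PRGA as given, stops the KSA after i = 3 to show S0, S1 and S3, and counts how often K3 = (keystreamByte - 6 - V) mod 256 holds after the full KSA. SECRET is a constructed key and the function names are assumptions.

```python
# Added example: RC4 and the K3 step of the attack, on a constructed key.
from collections import Counter

N = 256

def ksa(key, steps=N):
    """Key scheduling. steps < N stops early so the state can be inspected."""
    S = list(range(N))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S

def prga(S, n):
    """First n keystream bytes from state S (works on a copy)."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out

def rc4(key, data):
    """Encrypt or decrypt: XOR data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, prga(ksa(key), len(data))))

def k3_votes(secret):
    """For each IV (3,255,V), vote for K3 = (keystreamByte - 6 - V) mod 256."""
    votes = Counter()
    for v in range(N):
        first = prga(ksa([3, 255, v] + secret), 1)[0]  # first keystream byte, assumed known
        votes[(first - 6 - v) % N] += 1
    return votes

SECRET = [0x1A, 0x2B, 0x3C, 0x4D, 0x5E]  # constructed 40-bit long-term key

if __name__ == "__main__":
    early = ksa([3, 255, 10] + SECRET, steps=4)       # stop after i = 3
    print("S0, S1, S3 after i=3:", early[0], early[1], early[3])
    print("first byte if KSA stopped there:", prga(early, 1)[0])
    print("top K3 candidates (value, votes):", k3_votes(SECRET).most_common(3))
```

The relation holds only for the IVs where indices 0, 1 and 3 survive the remaining steps, so the correct K3 shows up as a value with repeated votes rather than on every IV.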
WORK DONE :-

I studied books related to cryptography and network security and research papers related to WEP attack.

Implementation code for RC4 encryption and decryption.
Future work
●I will work on how to prevent WEP attack and implementation.

●Applications of RC4 security issues.