On the security of RC4 in TLS
Abstract The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto protocol standard for secured Internet and mobile applications. TLS supports several symmetric encryption options, including a scheme based on the RC4 stream cipher. In this paper, we present ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption. Our attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper. Our results are supported by an experimental evaluation of the feasibility of the attacks. We also discuss countermeasures.
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA?
Abstract. The first three bytes of the RC4 key in WPA are public as they are derived from the public parameter IV, and this derivation leads to a strong mutual dependence between the first two bytes of the RC4 key. In this paper, we provide a disciplined study of RC4 biases resulting specifically in such a scenario. Motivated by the work of AlFardan et al. (2013), we first prove the interesting sawtooth distribution of the first byte in WPA and the similar nature for the biases in the initial keystream bytes towards zero. As we note, this sawtooth characteristic of these biases surfaces due to the dependence of the first two bytes of the RC4 key in WPA, both derived from the same byte of the IV. Our result on the nature of the first keystream byte provides a significantly improved distinguisher for RC4 used in WPA than what had been presented by Sepehrdad et al. (2011-12). Further, we revisit the correlation of initial keystream bytes in WPA to the first three bytes of the RC4 key. As these bytes are known from the IV, one can obtain new as well as significantly improved biases in WPA than the absolute biases exploited earlier by AlFardan et al. or Isobe et al. We notice that the correlations of the keystream bytes with publicly known IV values of WPA potentially strengthen the practical plaintext recovery attack on the protocol.
Proving TLS-attack related open biases of RC4 (Designs, Codes and Cryptography manuscript)
Abstract. After a series of results on RC4 cryptanalysis in flagship cryptology conferences and journals, one of the most significant recent attacks on the cipher has been the discovery of vulnerabilities in the SSL/TLS protocol, by AlFardan et al. (USENIX 2013). Through extensive computations, they identified some new significant short-term single-byte biases in the RC4 keystream sequence, and utilized those, along with existing biases, towards the TLS attack. The current article proves these new and unproved biases in RC4, and in the process discovers intricate non-randomness within the cipher. In this connection, we also prove the anomaly in the 128th element of the permutation after the Key Scheduling Algorithm. Finally, the proof for the extended key-length dependent biases in the RC4 keystream sequence, a problem attempted and partially solved by Isobe et al. in FSE 2013, has also been completed in this work.
Tornado Attack on RC4 with Applications to WEP & WPA
Abstract. In this paper, we construct several tools for building and manipulating pools of statistical correlations in the analysis of RC4. We develop a theory to analyze these correlations in an optimized manner. We leverage this theory to mount several attacks on the IEEE 802.11 wireless communication protocols WEP and WPA. Based on several partial temporary key recovery attacks, we recover the full 128-bit temporary key of WPA by using 2^42 packets. It works with complexity 2^96. Then, we describe a distinguisher for WPA with complexity 2^42 and advantage 0.5 which uses 2^42 packets. Moreover, we report extremely fast and optimized active and passive attacks against WEP. This was achieved through an extensive amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimization of all the former known attacks and methodologies against RC4. Our theory is supported and verified by a patch on top of Aircrack-ng. Our new attack improves its success probability drastically. Our active attack, based on ARP injection, requires 22500 packets to gain a success probability of 50% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aircrack-ng yields around 3% success rate. Furthermore, we describe very fast passive-only attacks by eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37500), which is a significant improvement. We believe that our analysis brings further insight into the security of RC4.