Presentation is loading. Please wait.

Presentation is loading. Please wait.

By: Anthony Gervasi & Adam Dickinson

Published byἈγλαΐα Βιτάλης Modified over 4 years ago

Similar presentations

Presentation on theme: "By: Anthony Gervasi & Adam Dickinson"— Presentation transcript:

1 By: Anthony Gervasi & Adam Dickinson
RC4 and WEP By: Anthony Gervasi & Adam Dickinson

2 Overview Discussion of RC4 Algorithm
Breaking RC4 as used in WEP (Wired Equivalent Privacy) protocol Response from RSA labs

3 RC4 Algorithm Developed by RSA labs Symmetric Stream Cipher
Block Cipher that uses a different key for each block of plaintext in a stream. WEP generally uses a counter to change the key.

4 RC4 Description Two main parts: Notation: l = length of key
KSA (Key Scheduling Algorithm) PRGA (Pseudo Random Generation Algorithm) Notation: S = {0, 1, 2, … N-1} is the initial permutation l = length of key

5 RC4 Description

6 RC4 Example Simple 4-byte example S = {0, 1, 2, 3} K = {1, 7, 1, 7}
Set i = j = 0

7 KSA First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = ( ) = 1 Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3} Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}): j = (j + S[ i ] + K[ i ]) = ( ) = 0 (mod 4) Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}

8 KSA Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = ( ) = 3 Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2} Fourth Iteration (i = 3, j = 3, S = {0, 1, 3, 2}): j = (j + S[ i ] + K[ i ]) = ( ) = 0 (mod 4) Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}

9 PRGA Reset i = j = 0, Recall S = {2, 1, 3, 0} i = i + 1 = 1
j = j + S[ i ] = = 1 Swap S[ i ] and S[ j ]: S = {2, 1, 3, 0} Output z = S[ S[ i ] + S[ j ] ] = S[2] = 3

10 Analysis of RC4 Advantages Disadvantages Faster than DES
Enormous key space (average of 1700 bits) Disadvantages Large number of “weak” keys 1 of 256 “Weak” keys can be detected and exploited with a high probability

11 Weaknesses of RC4 Almost all weaknesses are in the KSA since attacking the PRGA is fairly infeasible due to the huge effective key. The fastest known method requires 2700 time. The KSA can be attacked with several methods mainly because of the simple initialization permutation used. Invariance Weakness is the most devastating attack.

12 The Invariance Method Many devices that use RC4 use a Initialization Vector (IV) either before or after the key. This IV is often a simple counter. Certain patterns in the IV lead to a case where the S vector is basically unchanged all the way through a round. This gives you about a 5% chance of guessing one or more bytes of the key.

13 The Invariance Method If you collect many samples of these instances you can make a good guess at the key. For example, if you have 60 instances you can guess one or more key bytes with about 50% certainty. Since this attack is done on each byte independently it has a linear complexity instead of exponential complexity. So larger key values don’t help much.

14 Applying the Invariance Method to WEP
In WEP the first part of the RC4 key is transmitted along with the message. We also know a portion of the plaintext since WEP has predefined headers such as the SNAP designation 0xAA in the first byte. ARP and IP also have predictable packet structures.

15 Applying the Invariance Method to WEP
First, we must capture raw encrypted data packets from the network. This can be achieved using inexpensive off the shelf hardware and open source software. Once about 6 million packets are collected, we look for resolved cases where the permutation matrix is essentially unchanged and use them to predict the key bytes. We determine which packets are interesting based on the IV. We will now either have the key or be close enough that an exhaustive search will give us the key in seconds.

16 Invariance Method and SSL
SSL is the main secure communication link used by websites. The Invariance Method does not apply to SSL since it uses hashing functions (SHA1 and MD5) on the key from the KSA, and because it does not re-key RC4 for each packet but rather uses the previous state for the next packet.

17 Response from RSA Labs WEP should be considered broken. Other cryptography is necessary to secure wireless communications. Algorithms such as SSL that use RSA’s recommendations and either hash the KSA output, or disregard the first 256 bits of the PRGA output, should still be completely secure.

18 Resources Fluhrer, Mantin, Shamir - Weakness in the Key Scheduling Algorithm of RC4. Stubblefield, Loannidis, Rubin – Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. Rivest – RSA Security Response to Weakness in the Key Scheduling Algorithm of RC4. RC4 Encryption Algorithm.

Download ppt "By: Anthony Gervasi & Adam Dickinson"

Similar presentations

Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Encryption/Decyprtion using RC4 Vivek Ramachandran.

Encryption/Decyprtion using RC4 Vivek Ramachandran.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.

Wireless LAN Security Jerry Usery CS 522 December 6 th, 2006.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
802.11 Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.

Wireless Security Presentation by Paul Petty and Sooner Brooks-Heath.
Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #24 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
AJ Mancini IV Paul Schiffgens Jack O’Hara. WIRELESS SECURITY  Brief history of Wi-Fi  Wireless encryption standards  WEP/WPA  The problem with WEP.

AJ Mancini IV Paul Schiffgens Jack O’Hara. WIRELESS SECURITY  Brief history of Wi-Fi  Wireless encryption standards  WEP/WPA  The problem with WEP.
By Sean Fisk.  Not a new technology  Inherently insecure  In recent years, increased popularity.

By Sean Fisk.  Not a new technology  Inherently insecure  In recent years, increased popularity.
Lecture 23 Cryptography CPE 401 / 601 Computer Network Systems Slides are modified from Jim Kurose & Keith Ross.

Lecture 23 Cryptography CPE 401 / 601 Computer Network Systems Slides are modified from Jim Kurose & Keith Ross.
CSC-682 Advanced Computer Security

CSC-682 Advanced Computer Security

Similar presentations

Ads by Google