Cryptography Reference
In-Depth Information
with probability
2
N
. Otherwise, when one of these conditions is not satisfied,
the probability of which is 1 − α
m
(
N−1
N
)
N−2
, x + m − 1 − z
x+m−1
equals
N−2
S
x+m
[x +m−1] with probability
N(N−1)
as argued in Case II of Section 7.4.
Hence, the event
x+m−1
−
x+m−1
K[r] = S
−1
x
[x + m−1−z
x+m−1
]−j
x
S
x
[r]
(7.12)
r=x
r=x
holds with probability
N−2
2
N−2
N −1
N
N −1
N
N −2
α
m
N
+
1−α
m
N(N −1)
.
where α
m
is given by Equation (7.11). When m = 1, we have α
m
= 1 and
this case corresponds to Klein's attack. The basic attack strategy is to form
a frequency table for each σ
m
. Then the attacker can employ different key
ranking strategies to improve the search.
Around the same time of the publication of [180], Vaudenay and Vuag-
noux [184] independently extended Mantin's and Klein's basic attacks to guess
the sum of the key bytes with an aim to reduce key byte dependency. The
work [184] additionally exploited the repetition of the key and IV bytes to
mount the attack. The active attack in [180] requires 2
20
RC4 key setups,
around 40,000 frames of 104-bit WEP to give a success probability of 0.5. On
the other hand, the passive attack in [184] requires 2
15
data frames to achieve
the same success rate.
7.6 RC4 in WPA and Related Attacks
WPA was designed as a wrapper for the WEP to prevent the FMS attack.
The major improvement in WPA over WEP is the Temporal Key Integrity
Protocol (TKIP), a key management scheme [95] to avoid key reuse. TKIP
consists of a key hash function [75] to defend against the FMS attack, and a
message integrity code (MIC) [48].
A 16-byte Temporal Key (TK) is derived from a Pre-Shared Key (PSC)
during the authentication. TK, in addition to the 6-byte Transmitter Address
(TA) and a 6-byte IV (the IV is also called the TKIP Sequence Counter
or TSC), goes into the key hash function h as inputs. The output, i.e.,
h(TK,TA,IV ), becomes a 16-byte RC4 key where the first three bytes are
derived from the IV. A TK, IV pair is used only once by a sender and hence
none of the WEP attacks are applicable.
MIC ensures the integrity of the message. It takes as inputs a MIC key,
TA, receiver address and the message, and outputs the message concatenated