functions which update j as a function of “the permutation S and j in the previous round” and “the secret key K,” one can always construct explicit functions of the key bytes to which the permutation at every stage of the KSA would be biased.
6. Each permutation byte after the KSA is significantly biased (either positively or negatively) toward many values in the range 0, ..., N − 1, independent of the secret key. For each y, 0 ≤ y ≤ N − 2, $P(S_N[y] = v)$ is maximum at $v = y + 1$, and this maximum probability ranges approximately between $\frac{1}{N}\left(1 + \frac{1}{3}\right)$ and $\frac{1}{N}\left(1 + \frac{1}{5}\right)$ for different values of y, with N = 256. We describe these absolute value biases in Section 3.2.
7. As shown in Section 3.3, the expectation $E_v$ of the number of times each value v in the permutation is visited by the indices i, j is not uniform. $E_v$ decreases from 3.0 to 1.37 as v increases from 0 to 255.
8. A known IV is prepended to the secret key when RC4 is used in the WEP and WPA protocols. This mode of use is vulnerable to practical attacks, which we cover in Chapter 7.
Let the permutation after the KSA+ be denoted by $S_N^+$. The motivations behind the new design according to [101] are as follows.
1. Removal of the existing weaknesses of the KSA.
2. Generation of a random-looking $S_N^+$ after the key scheduling, so that identification of any non-uniformity in it becomes difficult.
3. Recovering the secret key from $S_N^+$ should be of the same order as exhaustive search.
4. It should be hard to find two secret keys k, k′ and two initialization vectors iv, iv′ (with at least one of k ≠ k′ and iv ≠ iv′ holding) that result in the same $S_N^+$ after KSA+.
The KSA+ consists of three layers of key scheduling. The initialization and the basic scrambling in the first layer are the same as those of the original RC4 KSA (all index arithmetic is modulo N).
Initialization
    For i = 0, ..., N − 1
        S[i] = i;
    j = 0;
Layer 1: Basic Scrambling
    For i = 0, ..., N − 1
        j = (j + S[i] + K[i]);
        Swap(S[i], S[j]);
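The following is an added example, not code from the book or from the KSA+ authors. It implements the Initialization and Layer 1 above (the plain RC4 KSA) in Python and measures, over random keys, the two statistics from items 6 and 7: the average of P(S_N[y] = y + 1) over y, and the visit counts E_v of each value by the indices i, j. The key expansion K[i] = key[i mod l] and the convention of counting a value twice when i == j are assumptions of this example.

```python
import random

N = 256

def rc4_ksa(key, n=N, visits=None):
    """RC4 KSA (Initialization and Layer 1 of KSA+).

    key    : list of byte values of length l; K[i] = key[i % l] (assumption).
    visits : optional list of n counters; visits[v] is incremented every time
             index i or j lands on the value v before the swap (assumption:
             a value is counted twice in a round where i == j).
    Returns the final permutation S_N."""
    l = len(key)
    S = list(range(n))
    j = 0
    for i in range(n):
        j = (j + S[i] + key[i % l]) % n
        if visits is not None:
            visits[S[i]] += 1
            visits[S[j]] += 1
        S[i], S[j] = S[j], S[i]
    return S

def measure_biases(trials=4000, key_len=16, seed=1):
    """Run the KSA over `trials` random keys (constructed with a fixed seed)
    and estimate (a) the mean over 0 <= y <= N-2 of P(S_N[y] = y + 1), which
    should clearly exceed the uniform value 1/N (item 6), and (b) E_v for every
    value v, which should fall from about 3.0 at v = 0 to about 1.37 at
    v = 255 (item 7)."""
    rng = random.Random(seed)
    hits = 0
    visits = [0] * N
    for _ in range(trials):
        key = [rng.randrange(256) for _ in range(key_len)]
        S = rc4_ksa(key, visits=visits)
        hits += sum(1 for y in range(N - 1) if S[y] == y + 1)
    p_next = hits / (trials * (N - 1))
    E = [c / trials for c in visits]
    return p_next, E

if __name__ == "__main__":
    p, E = measure_biases()
    print(f"mean P(S_N[y] = y+1) = {p:.5f}   uniform 1/N = {1 / N:.5f}")
    print(f"E_0 = {E[0]:.2f}   E_128 = {E[128]:.2f}   E_255 = {E[255]:.2f}")
```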
In the second layer, the permutation is scrambled further using IVs. According to [73], stream ciphers using IVs shorter than the key may be vulnerable to the Time Memory Trade-Off attack [68]. Keeping this in mind, the IV size in KSA+ is kept the same as the secret key length. The deterministic index i moves first from the middle down to the left end and then from the