One may see from the graphs in Figure 9.2 that from the end of Layer
1 (top) to the end of Layer 2 (middle), P(S[u] = v) is flattened to a large
extent. However, some non-uniformities still remain. After Layer 3 (bottom),
the graph becomes completely flat, indicating that there is no bias in the
probabilities P(S[u] = v). The maximum and the minimum values of the
probabilities as well as the standard deviations in Table 9.2 elaborate this
fact further. Recall that
$\frac{1}{N} = 0.003906$ for $N = 256$.
                                      avg       sd        max       min
RC4 KSA   Theory                      0.003901  0.000445  0.005325  0.002878
RC4 KSA   Experiment                  0.003906  0.000448  0.005347  0.002444
KSA+      After Layer 2 (Experiment)  0.003906  0.000023  0.003983  0.003803
KSA+      After Layer 3 (Experiment)  0.003906  0.000006  0.003934  0.003879

TABLE 9.2: Average, standard deviation, maximum and minimum of the
probabilities P(S[u] = v) over all u and v between 0 and 255.
In [110, Page 67], it was mentioned that the RC4 KSA needs to be executed
approximately six times in order to get rid of these biases. In the new design,
by contrast, the key scheduling time is of the order of three times that of the
RC4 KSA.
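The following is an added example, not code from the book: it reproduces the kind of measurement behind Table 9.2 for the standard RC4 KSA, estimating P(S[u] = v) over random keys and reporting the average, standard deviation, maximum and minimum of those N x N probabilities. Since KSA+ itself is not specified on this page, measure_bias accepts any key-scheduling function that maps a key to a permutation of 0..N-1, so a reader's own KSA+ implementation can be dropped in; the key length of 16 bytes and the sample count are assumptions.

```python
"""Estimate the P(S[u] = v) bias left by a key scheduling algorithm (added example)."""
import random
import statistics

N = 256


def rc4_ksa(key: bytes) -> list[int]:
    """Standard RC4 key scheduling: return the permutation S after the N swaps."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def measure_bias(ksa, samples: int, key_len: int = 16, seed: int = 0) -> dict:
    """Run `ksa` on `samples` random keys (key length is an assumption) and return
    avg, sd, max and min of the N*N estimated probabilities P(S[u] = v), as in Table 9.2."""
    rng = random.Random(seed)              # seeded so the measurement is reproducible
    counts = [[0] * N for _ in range(N)]   # counts[u][v] = number of keys with S[u] == v
    for _ in range(samples):
        key = bytes(rng.randrange(N) for _ in range(key_len))
        for u, v in enumerate(ksa(key)):
            counts[u][v] += 1
    probs = [c / samples for row in counts for c in row]
    return {
        "avg": statistics.fmean(probs),    # always 1/N: each row of P(S[u] = v) sums to 1
        "sd": statistics.pstdev(probs),    # how far the cells spread around 1/N
        "max": max(probs),
        "min": min(probs),
    }


if __name__ == "__main__":
    stats = measure_bias(rc4_ksa, samples=20000)
    print(f"RC4 KSA over 20000 random 16-byte keys (1/N = {1 / N:.6f}):")
    for name in ("avg", "sd", "max", "min"):
        print(f"  {name:>3} = {stats[name]:.6f}")
```

A flat KSA drives sd towards zero and max/min towards 1/N, which is what the "After Layer 3" row of Table 9.2 reports for KSA+; the RC4 KSA row stays well away from that.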
On introducing the IVs
The IV-mode attacks, mentioned in Item (6) in the list of the weaknesses
of the RC4 KSA, work because in the original RC4 the IVs are either prepended
or appended to the secret key. In Layer 2 of the KSA+, however, the IVs are
used in the middle, and the corresponding key bytes are also added in the
update of j. In this layer, 2l operations involve the IV, but N − 2l operations
do not. In addition to this use of the IVs, a third layer of zigzag scrambling
is performed in which no use of the IV is made. This almost eliminates the
possibility of a WEP-like chosen-IV attack once the key scheduling is complete.
The SSL protocol generates the encryption keys of RC4 by hashing the secret
key and the IV together, using both MD5 and SHA-1 hashes. Hence, different
sessions have unrelated keys [147], and the WEP attack [52, 175] can be
bypassed. Since the KSA+ is believed to be free from the IV weaknesses, it
can be used without any hashing. Thus, the cost of hashing can instead be spent
on the extra operations in Layer 2 and Layer 3. This conforms to the design
motivation of keeping the basic structure of the RC4 KSA while still avoiding
its weaknesses.
As claimed in [101], extensive experimentation did not reveal any weakness
with null IVs as well as with randomly chosen IVs.