RC4 Stream Cipher with a Random Initial State

Transcription

1 RC4 Stream Cipher with a Random Initial State Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract Rivest Cipher 4 (RC4) is one of the modern encryption techniques utilized in many real time security applications; however, it has several weaknesses including a correlation problem in the initially generated key sequences. In this paper, we propose RC4 stream cipher with a random initial state (RRC4) to solve the RC4 s correlation problem between the public known outputs of the internal state. RRC4 solves the weak keys problem of the RC4 using random initialization of internal state S. Experimental results show that the output streams generated by RRC4 are more random than that generated by RC4. Moreover, RRC4 s high resistivity protects against many attacks vulnerable to RC4 and solves several weaknesses of RC4 such as predictable first bytes of intermediate outputs by RC4. Keywords Stream cipher Random number generator RC4 1 Introduction Due to power limitation, low bandwidth, small storage, and limited computing capacity, cryptographic algorithms that can provide fast implementation, small size, low complexity and high security for resource-constrained devices such as M. M. Hammood Applied Science, University of Arkansas, Little Rock, USA mmhammood@ualr.edu K. Yoshigoe (&) Computer Science, University of Arkansas, Little Rock, USA kxyoshigoe@ualr.edu A. M. Sagheer College of Computer, University of Anbar, Anbar, Iraq ali_makki@ieee.org J. J. (Jong Hyuk) Park et al. (eds.), Information Technology Convergence, Lecture Notes in Electrical Engineering 253, DOI: / _42, Ó Springer Science+Business Media Dordrecht

2 408 M. M. Hammood et al. wireless sensor devices are imperative. Cryptographic algorithms are sequences of processes, or rules, used to encrypt or decrypt messages in a cryptographic system to provide security services. It includes symmetric and asymmetric key algorithms, but asymmetric key algorithms are inappropriate for resource-constrained devices for several reasons including the limited storage space and power [1]. Consequently, security systems should depend on a symmetric key cryptography in such cases. Stream ciphers can be classified as synchronous and asynchronous. In a synchronous stream cipher, a sequence of keys is generated independently from the plaintext and ciphertext. The drawback of synchronous is that both the sender and the receiver have to be synchronized for key usages. It can detect any deletion or insertion of bits by an active attack directly, yet such an attack can cause immediate loss of synchronization [2]. Asynchronous stream ciphers depend on the previously generated ciphertext in order to continue generating new ones, yet it cannot regenerate the same sequence of ciphertext. On the other hand, synchronous stream ciphers can regenerate a sequence of ciphertext because a key sequence is independent of the plaintext. This case is named self-synchronized because of the ability to re-synchronize after insertion or deletion of bits. Though, self-synchronization can be an important property, this type of stream cipher did not receive much interest [3]. Stream cipher relies on robustness of Pseudo Random Number Generator (PRNG) which has passes the statistical tests. Menezes et al. [4] considered one-time pad as a separate type of stream cipher. Consequently, the sequence key is truly random and not generated in a deterministic manner as it happens in other algorithms. Rivest Cipher 4 (RC4) belongs to the stream cipher family which was developed in 1987 by Ron Rivest. RC4 is commonly used in security software based on stream cipher with communication protocols as in the encryption of traffic form-to secure web sites such as Secure Socket Layer (SSL), Wired Equivalent Privacy (WEP) and Transport Layer Security (TLS) implementations. RC4 has a simple design hardware implementation and it is fast, compared with other algorithms [5]. Furthermore, RC4 is fifteen times faster than Triple-DES and five times faster than Data Encryption Standard (DES) [3]. Sharif and Mansoor [6] provided comparisons between different encryption algorithms using different data sizes and key sizes. The simulation results clarify preponderance of RC4 algorithm over other algorithms in terms of speed and throughput. The structures of stream ciphers are presented more than block ciphers. The security of the cryptographic algorithms can assess by cryptanalysis. Numerous weaknesses found in stream ciphers triggered by mathematical relations between the key, ciphertext, and plaintext. The main aim is to produce a random key asymptotic to the true random key [7]. Cryptanalyst refers to the theoretical knowledge and uses numerous statistical tools to find weaknesses in the ciphertext or cryptosystems. The rest of the paper is organized as follows. Section 2 reviews some related works. Section 3 provided description of RC4, and Sect. 4 describes some weaknesses of RC4. We present our algorithm to enhance randomness of RC4 in Sect. 5, and evaluate it in Sect. 6. Section 7 is a conclusion.

3 RC4 Stream Cipher with a Random Initial State Related Work Many researchers tried to enhance the RC4 and create several algorithms. Variably Modified Permutation Composition (VMPC) presented by Zoltak [7] was designed to be efficient in software implementations to solve a weakness found in the RC4 Key Scheduling Algorithm (KSA) that was defined by Fluhrer et al. in [13]. The structure of Pseudo-Random Generation Algorithm (PRGA) in VMPC was more complex compared to RC4, which increased the resistant against attacks. In the same year, Paul and Preneel [9] presented RC4A as an enhancement over RC4 after finding out a new statistical weakness in the first two output bytes of the RC4 key stream generator. They presented that the number of outputs required for distinguishing the output of the RC4 random sequence with the presence of bias is 128, and they recommended to use 256 to overcome this bias. RC4A is considered to be robustness against most weaknesses of RC4, particularly its weakness of distribution in the first two output bytes. However, after one year, Maximov [8] proposed distinguishing attack on both VMPC and RC4A which can distinguish the cipher output from truly random number. Mironov [11] presented a new model of RC4 and analyzed it by applying the theory of random permutation. Based on this analysis, he recommended to discard at least the first 512 bytes to avoid these weaknesses which have led to an increase in the execution time. Pardeep and Pateriya [14] presented PardeepCipher-RC4 (PC-RC4) as an extension to RC4 algorithm to improve randomness in KSA and PRGA, yet it increased the execution time. Kamble and Meshram found that RC4 has weakness to differential attack, and showed how the plain text can be retrieved. In addition, the authors recommended how to avoid this attack using different sizes of key of greater than 32 bit [10]. Mousa and Hamad analyzed the effect of different parameters of the RC4 algorithm include the file size and the execution time, and concluded that the length of encryption key and the file size of influence the speed of encryption and decryption [15]. Chefranov and Mazurova [12] presented an extension of RC4 (RC4E) where they combined RC4 with a simple Heap s algorithm to provide enumeration of all potential permutations for periodic change of RC4 state. However, their algorithm requires additional memory to keep one more permutation compare with RC4. Hammood, et al. [16] presented an RC4 with two state tables (RC4-2S) which has improved the key generation time of the conventional RC4 while also outperforming randomness of the keys generated. 3 Description of RC4 Numerous stream cipher algorithms depend on Linear Feedback Shift Registers (LFSRs), especially in hardware. However, the RC4 design avoids the use of LFSRs. The algorithm involves KSA and PRGA which are implemented

4 410 M. M. Hammood et al. sequentially. The idea of RC4 is to manipulate the elements by swapping them to achieve highest randomness. The RC4 algorithm has a variable key length which ranges between 0 and 255 bytes to initialize a 256-byte in initial state array by elements from S [0] to S [255]. For secure RC4, it must use a key long at least 128 bytes [13]. The key of RC4 is initialized the KSA while the pseudo-random number is produced from PRGA part. The pseudo codes for the two parts of RC4 algorithm are shown in Algorithm 1 and Algorithm 2 where m is the message length of a plaintext, L is the length of the initial key in bytes, N is the size of the array or state S, and i and j are index pointers. The output of the second algorithm is a key sequence that will be XOR-ed with plaintext to get ciphertext or XOR-ed with ciphertext to get plaintext. 4 The Weaknesses of RC4 After RC4 was exposed to public in 1994, the interest in the cryptanalysis of RC4 grew faster, especially after being used for the Wired Equivalent Privacy (WEP) implementations. Therefore, several weaknesses in RC4 were recognized including the one in KSA and the one in the relations between the S-box in different time. Some of these weaknesses are simple and can be resolved, but

5 RC4 Stream Cipher with a Random Initial State 411 others are serious because it can be exploited by attackers. Roos [17] studied the weaknesses of RC4 and found a significant correlation between the first few values in the state table and generated value. The main reason for that is the state table is first initialized to the sequence (0, 1, 2,, 255). For at least one out of every 256 possible keys, the initial byte of the key generated by RC4 is strongly correlated with a few bytes of the key. Occasionally, therefore, the keys allow prediction of the first bytes from the output of the PRGA. To eliminate this problem, it was suggested to ignore the first bytes of the output of the PRGA [11]. Our algorithm will address this problem without the need to neglect the first byte of output. The reason behind this weakness is the use of regular sequence of numbers from 0 to 255 as initial state. This gives the attacker a starting point to track numbers because the initial state has a regular sequence. Furthermore, there is a major statistical bias in the first output bytes which can be used to mount a ciphertext-only attack [13]. It has been recommended to reject at least the first 256 bytes of the key-stream output to discourage this attack [11]. Our algorithm with random initial state is resistant against these ciphertext-only attacks. There are many other attacks described in [13] such as subkey guessing attack, linear consistency attack, inversion attack, etc. In addition, an algebraic attack is a new type of higher order correlation attack. In order to protect from this attack, we will use a random initial state. 5 RC4 Stream Cipher with a Random Initial State RC4 has a significant number of weaknesses in the phases of KSA and PRGA. One of the reasons which leads to these weaknesses is that the initialization process produces a deterministic sequence, (0, 1, 2,, 255) which gives the attacker an initial advantage. In this section, we present RRC4 as one of the RC4 stream cipher algorithm family to improve RC4 using random initialization of state table. Since the correlation among the publicly known outputs of the internal state depends on the randomness of the key sequence, RRC4 further tries to reduce the correlation problem in RC4 by resolving various RC4 attacks which exploit strong correlation among the publicly known outputs of the internal state. The new algorithm consists of initialization phase (KSA) as shown in Algorithm 3 and output phase (PRGA) which is identical to the one used in RC4 as shown in Algorithm 2, respectively. All addition operations are carried out modulo N. KSA takes a key k consisting of 16 n-bit word. After the setup, the round algorithm is executed once for each word output. Indeed, all practical applications of the developed RC4 is implemented with n = 8, in which case, all entries of S along with i and j are bytes. In the first phase of KSA, S is randomly generated by a sender from 0 to N-1 without duplication and initial S is shared with the receiver as an additional secret key. The input secret key k is used as a seed for the state S. In the systems or implementations which dynamically update k between a sender and a receiver,

6 412 M. M. Hammood et al. S and k can be shared at the same time. Consequently, S becomes secret random inputs for the PRGA phase as shown in Algorithm 3. S in PRGA is used to produce the sequence of output stream which will be XOR-ed with plaintext to get ciphertext or XORed with ciphertext to get plaintext. This technique solves the correlation between the public known outputs of the internal state with initial randomization of S. 6 Evaluation The generated output sequences are tested by NIST suite of statistical tests (National Institute of Standards and Technology) which is a randomness testing suite that consists of 16 statistical tests to measure the randomness of the output sequences of true random number generators or pseudorandom number generators as shown in Table 1. The design of the RRC4 was done using MATLAB and the tests of this PRNG were done by using NIST STS-1.6 [18]. We checked the produced binary sequence from RRC4 by NIST statistical tests. The probability of a good random number generator is represented by p value. Testing process compared p-value to If the p-value is more than 0.01 then the sequence is accepted, else, the sequence is rejected because of the sequence non-randomness. However, some tests accepted large sizes of sequence and failed in the small size as well as other tests accepted both sizes. In our program, a large size, 134,000 bytes (1,072,000 bits), generated by each key and these sequences were tested, and subsequently calculated the average of the p-values result from these tests. As shown in Table 1, the p-values are acceptable when greater than 0.01, and the produced sequence can be deemed random, uniformly distributed, and suitable for cryptography. If the tests give p-value asymptotically to 1, then the sequence appears to have perfect randomness. A p-value of zero indicates that the sequence appears to be completely nonrandom. The SUCCESS indicates the sequence is acceptable and has good randomness, where FAILURE means the sequence is not acceptable due to non-randomness.

7 RC4 Stream Cipher with a Random Initial State 413 Table 1 Result of running the NIST suite over the set data produced by the proposed RRC4 and standard RC4 Test No. Statistical test name RC4 RRC4 p-value Conclusion p-value Conclusion 1 Approximate entropy SUCCESS SUCCESS 2 Block Frequency SUCCESS SUCCESS 3 Cumulative sums (forward) SUCCESS SUCCESS 4 Cumulative sum (reverse) SUCCESS SUCCESS 5 FFT SUCCESS SUCCESS 6 Frequency SUCCESS SUCCESS 7 Lempel Ziv compression SUCCESS SUCCESS 8 Linear complexity SUCCESS SUCCESS 9 Longest runs SUCCESS SUCCESS 10 Non periodic templates SUCCESS SUCCESS 11 Overlapping template SUCCESS SUCCESS 12 Random excursions SUCCESS SUCCESS 13 Random excursions variant SUCCESS SUCCESS 14 Rank SUCCESS SUCCESS 15 Runs SUCCESS SUCCESS 16 Serial SUCCESS SUCCESS 17 Universal statistical SUCCESS SUCCESS There are some statistical tests of PRBG that are very common and must be included in test suite such as Runs test, Frequency test, and Universal test (#15, #6, and #17 in Table 1) [19]. In these tests, the p-values of our algorithm are greater than the p-values of the standard RC4. Moreover, RRC4 is better than RC4 in most of the other tests. 7 Conclusion Many security applications use stream cipher for data encryption, where the robustness of stream cipher depends on the strength of key stream generated. Rivest Cipher 4 (RC4) cipher system is an important encryption algorithm that can be used to protect the information on the common channel. The RC4 cipher shows some weaknesses including a correlation problem in the initially generated key sequences. The proposed RC4 with a random initial state (RRC4) solves the RC4 s weak keys problem using a random initialization of internal state. The generated output sequences of the proposed RRC4 have passed the NIST suite of statistical tests. The RRC4 algorithm is not complicated one, thus it can be implemented in both hardware and software. Acknowledgments This work is based in part, upon research supported by the National Science Foundation (under Grant Nos. CNS and EPS ). Any opinions, findings and

8 414 M. M. Hammood et al. conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the funding agencies or those of the employers. References 1. Wu Y, Ma D, Li T, Deng RH (2004) Classify encrypted data in wireless sensor networks. In: Proceedings of the vehicular technology conference, VTC2004-fall IEEE 60th, vol.5, pp Vol. 5, Sept Turan MS, Doganaksoy A, Calik, C (2006) Statistical analysis of synchronous stream ciphers. In: Proceedings of the SASC 2006: Stream ciphers revisited 3. Ahmad S, Beg MR, Abbas Q, Ahmad J, Atif S (2010) Comparative study between stream cipher and block cipher using RC4 and hill cipher. In: Proceedings of the international journal of computer applications ( ), vol 1(25) 4. Menezes AJ, Oorschot PC, Vanstone SA (2001) Handbook of applied cryptography. CRC Press, Boston, Gupta SS, Chattopadhyay A, Sinha K, Maitra S, Sinha B (2013) High-performance hardware implementation for RC4 stream cipher. IEEE Trans Comput 62(4): Sharif SO, Mansoor SP (2010) Performance analysis of stream and block cipher algorithms. In: Proceedings of the 3rd international conference on advanced computer theory and engineering (ICACTE), vol 1. IEEE, pp Zoltak B (2004) VMPC one-way function and stream cipher. In: Fast software encryption, FSE LNCS Springer-Verlag, New York, pp Maximov A (2005) Two linear distinguishing attacks on VMPC and RC4A and weakness of the RC4 family of stream ciphers. In: Fast software encryption, FSE 2005, vol 3557, Springer, pp Paul S, Preneel B (2004) A new weakness in the RC4 keystream generator and an approach to improve the security of the cipher. In: Fast software encryption, FSE LNCS Springer-Verlag, New York, pp Kamble BH, Meshram BB (2012) Robustness of RC4 against differential attack. Inter J Adv Res Comput Eng Technol 1(4), ISSN: Mironov I (2002) (Not So) Random shuffles of RC4. In: Moti Y (ed) Advances in cryptology. Proceedings of the CRYPTO 2002, 22nd annual international cryptology conference. Lecture notes in computer science, vol Springer, pp Chefranov AG, Mazurova TA (2006) Pseudo-random number generator RC4 period improvement. In: 2006 IEEE international conference on automation, quality and testing, robotics, vol 2, May 2006, pp Fluhrer S, Mantin I, Shamir A (2001) Weaknesses in the key scheduling algorithm of RC4. In: Proceedings of annual workshop on selected areas in cryptography, vol 2259, Springer, Toronto, pp Pardeep, Pateriya, P (2012) PC-RC4 algorithm: an enhancement over standard RC4 algorithm. Inter J Comput Sci Net 1(3) 15. Mousa A, Hamad A (2006) Evaluation of the RC4 algorithm for data encryption. Inter J Comput Sci Appl 3(2) 16. Hammood MM, Yoshigoe K, Sagheer AM (2013) RC4-2S: RC4 stream ciphers with two state tables. In: Proceedings in the 5th FTRA international conference on information technology convergence and services (ITCS 13). Lecture notes in electrical engineering, Springer 17. Roos A (1995) A class of weak keys in the RC4 stream cipher. In: Vironix Soft-ware Laboratories, Westville, South Africa 18. Rukhin A, Soto J, Nechvatal J, Smid M, Barker E, Leigh S, Levenson M, Vangel M, Banks D, Heckert A, Dray J, Vo S (2001) A statistical test suite for random and pseudorandom

9 RC4 Stream Cipher with a Random Initial State 415 number generators for cryptographic applications. NIST special publication , National Institute of Standards and Technology (NIST), Gaithersburg. See Stallings W (2011) Cryptography and network security principles and practices, 5th edn. Prentice Hall, Pearson