Stream Ciphers - RC4 F. Sozzani, G. Bertoni, L. Breveglieri Foundations of Cryptography - RC4 pp. 1 / 16
Overview RC4 is a stream cipher using a symmetric key it was developed in 1987 by Ronald Rivest and kept as a trade secret by RSA Data Security on september 9 1994, the RC4 algorithm was anonymously posted through Internet to the Cyperpunks anonymous remailers list since then RC4 is in the public domain Foundations of Cryptography - RC4 pp. 2 / 16
Introduction RC4 has a programmable secret key of length from 1 to 256 bytes and a state table of 256 bytes secret key is used to initialize the state table state table is used to generate a pseudo random sequence of bytes and then a pseudo random stream of bits such bit stream is XORed with the plaintext to produce the ciphertext every element (byte) in the state table is swapped at least once Foundations of Cryptography - RC4 pp. 3 / 16
Introduction the key of RC4 is often limited to 40 bits because of export restrictions currently RC4 is used with a key of 128 bits RC4 may have keys from 1 to 2048 bits some applications of RC4: many commercial software packages: Lotus Notes, MS Office and Oracle Secure SQ. network protocols: SSL, IPSec and WEP copy protection: inside MS XBOX Foundations of Cryptography - RC4 pp. 4 / 16
RC4 Description RC4 consists of two parts: key schedule (to initialize the state table) pseudo random generation, also called even keystream generator and the data path, which is simply the XOR of the data bit stream and the generated pseudo random key stream this is very similar to the structure of a generic symmetric key block cipher Foundations of Cryptography - RC4 pp. 5 / 16
RC4 Key Schedule initialization for i = 0 to 2 n -1 j = 0 S [ i ] = i scrambling for i = 0 to 2 n -1 j = j + S[ i ] + K[ i mod l ] swap (S[ i ], S[ j ]) K= key array l = size of array K (bytes) n = size (expressed as number of bits) of the words of the tables, generally is 8 S[ ] = the state table composed by 2 n words of n bits Foundations of Cryptography - RC4 pp. 6 / 16
RC4 Pseudo Random Generation (PRNG) initialization i = 0 j = 0 generation loop i = i + 1 j = j + S[ i ] swap (S[ i ], S[ j ]) output z = S[ S[ i ] + S[ j ] ] bit stream z is XORED to the data steam Foundations of Cryptography - RC4 pp. 7 / 16
Strenghts difficulty of knowing the state difficulty of knowing which location in the state table is used to select each value in the sequence encryption in software is about 10 times faster than DES Foundations of Cryptography - RC4 pp. 8 / 16
Weaknesses vulnerable to analytic attacks to the state table there are a few theoretical attacks performed on the RC4 algorithm; one of the best known has been developed by Fhlurer, Martin and Shamir there are some weak keys (one every 256 keys may be a weak key): the output encrypted bytes depend on a small number of key bits Foundations of Cryptography - RC4 pp. 9 / 16
RC4 Hygiene Rules the initial 512 bytes of output must be dropped in order to defeat weak key attacks and other attacks related to key schedule since RC4 is used as a one-time-pad one it should never use the same key twice; most protocols use a random IV (Initialization Vector) appended to the secret key; then a hash function (e.g. SHA-1) should be applied so as to defeat related key attacks no more than 2 30.6 bytes should be encrypted with RC4 at a time (longer sequences are not enough pseudo random) to encrypt larger data streams one should preferably use AES in counter mode (AES-CTR), which works like a stream cipher Foundations of Cryptography - RC4 pp. 10 / 16
SW Performances two implementations in C differing as for the word size of the state table S version 1 (word size = 8 bits) version 2 (word size = 32 bits) Pentium 1GHz ARM 926 270 MHz version 1 6.6 MBytes / s 10 MBytes / s version 2 46 MBytes / s 10 MBytes / s Foundations of Cryptography - RC4 pp. 11 / 16
HW Implementations there is not much bibliography about the HW implementation of the RC4 algorithm Most of the time SW is good enough Foundations of Cryptography - RC4 pp. 12 / 16
HW Implementations algorithm is simple and implementation is quite straightforward main drawback is the necessity of a memory to store state table S, which requires a memory of 256 bytes suppose that one memory access plus one addition takes one clock cycle, then the time latency to output an encrypted or decrypted byte is of five clock cycles time necessary to execute the five operations: read S[i], read S[j], write S[i], write S[j] and read S(S[i] + S[j]) Foundations of Cryptography - RC4 pp. 13 / 16
About RC4 on WEP the Wired Equivalent Privacy protocol (WEP) uses the RC4 algorithm for encryption three attacks exist against WEP: wordlist, brute force and statistical analysis statistical analysis is possible due to the clear transmission of the Initialization Vector and of a guessable first byte of plaintext Foundations of Cryptography - RC4 pp. 14 / 16
References 1. R.Rivest http://theory.lcs.mit.edu/~rivest/faq.html 2. Fluhrer, S., Mantin, I. and Shamir, A. Weaknesses in the key scheduling algorithm of RC4 Eighth Annual Workshop on Selected Areas in Cryptography (August 2001) 3. http://www.cs.rice.edu/~astubble/wep/wep_attack.html 4. http://www.rsasecurity.com/rsalabs/technotes/wep.html 5. http://www.rsasecurity.com/rsalabs/technotes/wep-fix.html 6. https://www1.ietf.org/mail-archive/workinggroups/cfrg/current/msg00273.html 7. Matthews, Jr., Donald P. System and method for a fast hardware implementation of RC4 Compaq Computer Corporation, November 23, 1998 US Patent 6,549,622 Foundations of Cryptography - RC4 pp. 15 / 16
References 8. P. Hamalainen, M. Hannikainen, T. Hamalainen, J. Saarinen Hardware Implementation of the Improved WEP and RC4 Encryption Algorithm for Wireless Terminal EUSIPCO 2000, Tampere Finland, pp. 2289-2292, 2000 9. Andrew bunnie Huang, Keeping Secrets in Hardware: the Microsoft Xbox Case Study, CHES2002 Foundations of Cryptography - RC4 pp. 16 / 16