
Universidade Federal do Rio Grande do Sul

PGCC - Graduate Program in Computing

Considerations on the RC4 algorithm.

Ricardo Goulart

“Classified as a symmetric-key encryption algorithm (DES,
- Fast algorithms
- A single key for both encryption and decryption.

[Diagram: plaintext P → encryption → ciphertext C → decryption → plaintext P; the key is shared over a secure channel]
It is a stream cipher.
It generates an unlimited number of pseudo-random bytes.
It has a variable-length key.
It is not considered one of the best cryptographic systems.
“RC4 (also known as ARC4 or ARCFOUR) is the most widely-used stream
cipher and it is used in popular protocols such as Secure Sockets Layer
(SSL) (to protect Internet traffic) and wireless networks. While remarkable
in its simplicity, RC4 falls short of the high standards of security set by
cryptographers, and some ways of using RC4 can lead to very insecure
cryptosystems. It is not recommended for use in new systems. However,
some systems based on RC4 are secure enough for practical use.” Source:

“The main factors which helped its deployment over such a wide range of
applications consisted in its impressive speed and simplicity.
Implementations in both software and hardware are very easy to develop”.

1987: Ron Rivest develops the RC4 algorithm for RSA (Rivest, Shamir and
Adleman) Data Security, Inc., a company specialising in encryption systems.
It was a well-guarded trade secret, popular and widely used in software such as
Lotus Notes, Apple Computer's AOCE, Oracle Secure SQL, Internet Explorer,
Netscape and Adobe Acrobat. [SCH 96]
In September 1994, source code supposedly equivalent to RC4 was posted to a
mailing list dedicated to cryptography (Cypherpunks). It spread quickly across
the network and its compatibility with RC4 was confirmed.
The transformations are linear and there are no complex calculations, since the
system works by permutations and additions of integer values.
It uses an array whose values are permuted on each use and mixed with the key,
which makes the output highly dependent on the key. The key, used to initialise
the array, can be up to 256 bytes (2048 bits) long.

Description of the ARCFOUR Algorithm - K. Kaukonen

Key Setup

1. Allocate a 256 element array of 8 bit bytes to be used as an S-box,
   label it S[0] .. S[255].

2. Initialize the S-box. Fill each entry first with its index:

   S[0] = 0; S[1] = 1; etc. up to S[255] = 255;

3. Fill another array of the same size (256) with the key, repeating
   bytes as necessary.

   for (i = 0; i < 256; i = i + 1)
       S2[i] = key[i % keylen];

4. Set j to zero and initialize the S-box like this:

   for (i = 0; i < 256; i = i + 1) {
       j = (j + S[i] + S2[i]) % 256;
       temp = S[i];
       S[i] = S[j];
       S[j] = temp;
   }

5. Initialize i and j to zero.

Stream Generation

For either encryption or decryption, the input text is processed one
byte at a time. A pseudorandom byte K is generated:

   i = (i + 1) % 256;
   j = (j + S[i]) % 256;
   temp = S[i];
   S[i] = S[j];
   S[j] = temp;
   t = (S[i] + S[j]) % 256;
   K = S[t];

To encrypt, XOR the value K with the next byte of the plaintext. To
decrypt, XOR the value K with the next byte of the ciphertext.
Key scheduling:
   S ← 0, 1, . . . , N − 1
   j ← 0
   For i ← 0 . . . N − 1
       j ← j + S[i] + K[i mod ]
       S[i] ↔ S[j]
Generation loop:
   j ← j + S[i]
   S[i] ↔ S[j]
   t ← S[i] + S[j]
   Output z ← S[t]
Weakness of RC4
2001 - publication of papers on the weakness of the WEP protocol:
Intercepting Mobile Communications (UC Berkeley) and Weaknesses in the
Key Scheduling Algorithm of RC4, written by Cisco and the Weizmann
Institute, Israel. These two papers attack WEP, claiming or implying that
its greatest weakness is its encryption algorithm.
The first paper shows how access to the encrypted information can be
obtained without prior knowledge of the key.
Weaknesses in the Key Scheduling Algorithm of RC4
Scott Fluhrer (Cisco Systems), Itsik Mantin (The Weizmann Institute)
Present several weaknesses in the key scheduling algorithm of RC4, and
describe their cryptanalytic significance. Identify a large number of weak keys,
in which knowledge of a small number of key bits suffices to determine many
state and output bits with non-negligible probability. It's possible to use these
weak keys to construct new distinguishers for RC4, and to mount related key
attacks with practical complexities. Show that RC4 is completely insecure in a
common mode of operation which is used in WEP, in which a fixed secret key
is concatenated with known IV modifiers in order to encrypt different
The new passive ciphertext-only attack on this mode can recover an arbitrarily
long key in a negligible amount of time which grows only linearly with its size,
both for 24 and 128 bit IV modifiers. – 396 citations.
According to Bruce Schneier, four (possible) advantages of RC4:
• encryption is fast (about 10 times faster than DES).
• RC4 can be in 2^1700 possible states.
• According to RSADSI it is immune to differential and integral cryptanalysis?
• Nothing prevents it from being generalised to larger vectors and words.
What you see is what you get!
Many stream ciphers are based on linear feedback shift registers (LFSRs),
which while efficient in hardware are less so in software. The design of RC4
avoids the use of LFSRs, and is ideal for software implementation.
Disadvantages?

Defense of RC4?
The greatest weakness observed is in the way it was implemented in WEP.

Incorrect implementation in Microsoft Office 2002/2003

In 2001 a new discovery was made by Fluhrer, Mantin and Shamir: over all
possible RC4 keys, the statistics for the first few bytes of output keystream
are strongly non-random, leaking information about the key. If the long-term
key and nonce are simply concatenated to generate the RC4 key, this
long-term key can be discovered by analysing a large number of messages
encrypted with this key.
“weaknesses in the key scheduling algorithm can be prevented by discarding
the first 256 output bytes of the pseudo-random generator before beginning
encryption” - RSA.
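The following Python code is an added example, not part of the presentation and not Kaukonen's or RSA's code. It implements the key setup and stream generation described above, checks the result against the published "Key"/"Plaintext" test vector, and then measures the early-keystream non-randomness that the Fluhrer, Mantin and Shamir discussion refers to: for random keys the second keystream byte is zero with probability close to 2/256 rather than 1/256 (a known property of RC4 that the page does not state explicitly), and discarding the first 256 output bytes, as RSA recommends above, removes that bias. The 16-byte random keys, the trial count, the 1.5/256 decision threshold and the fixed seed are constructed here for a repeatable experiment.

```python
import random

N = 256  # size of the S-box (n = 8 bits)


def rc4_ksa(key: bytes) -> list:
    """Key setup (steps 1-5 of the ARCFOUR description). Returns the permuted
    S-box. The key is indexed cyclically, so a separate S2 array is not needed."""
    if not 1 <= len(key) <= N:
        raise ValueError("RC4 key must be 1..256 bytes long")
    s = list(range(N))                      # S[i] = i
    j = 0
    for i in range(N):
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]             # S[i] <-> S[j]
    return s


def rc4_keystream(key: bytes, nbytes: int, drop: int = 0) -> bytes:
    """Stream generation (PRGA). Produces `nbytes` of keystream after first
    generating and discarding `drop` bytes: drop=0 is plain RC4, drop=256 is
    the RSA recommendation quoted above."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for n in range(drop + nbytes):
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        k = s[(s[i] + s[j]) % N]            # K = S[t] with t = S[i] + S[j]
        if n >= drop:
            out.append(k)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_rate(trials: int, drop: int, seed: int = 2007) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    A truly random keystream gives 1/256; plain RC4 gives close to 2/256.
    The seeded generator makes the measurement repeatable (constructed
    experiment, not a figure from the page)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials


def bias_removed_by_drop(trials: int = 30000) -> bool:
    """True when plain RC4 shows the second-byte bias and RC4 with the first
    256 bytes discarded does not. The threshold sits halfway between the
    unbiased rate (1/256) and the biased rate (2/256)."""
    threshold = 1.5 / N
    return (second_byte_zero_rate(trials, drop=0) > threshold
            and second_byte_zero_rate(trials, drop=N) < threshold)


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print("ciphertext:", ct.hex())                  # bbf316e8d940af0ad3
    print("round trip:", rc4_crypt(b"Key", ct))     # b'Plaintext'
    print("P[Z2 = 0], plain RC4:     %.5f" % second_byte_zero_rate(30000, 0))
    print("P[Z2 = 0], RC4-drop[256]: %.5f" % second_byte_zero_rate(30000, 256))
    print("bias removed by drop[256]:", bias_removed_by_drop())
```

The two printed rates are the practical check: a keystream that is supposed to be indistinguishable from random should not have a byte position that is zero twice as often as expected. Discarding output is a mitigation for the key-scheduling weakness only; it does not address the key-with-IV concatenation mode criticised in the WEP papers, which is a protocol design issue rather than a property of the generator.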
Disadvantages?

Defense of RC4?

So far no one had found an attack on the PRGA part of RC4 which is even
close to being practical: for n = 8 and sufficiently long keys, the best known
attack requires more than 2^700 time to find its initial state. - RSA.
Disadvantages?
What does RSA say?
The "heart" of RC4 is its exceptionally simple and extremely efficient pseudo-
random generator. The recent attacks relate only to the key-scheduling
algorithm, not to the generator. There are at present no known practical
attacks against this generator when initialized with a randomly-chosen initial

RC4 is likely to remain the algorithm of choice for many applications and
embedded systems. (Of course, strong block ciphers like AES or RC6 should
also routinely be considered as candidates for any new application, particularly
when authentication is also required, since block ciphers can utilize modes of
operation, that efficiently provide both confidentiality and integrity.)

The initial key scheduling component of RC4 should for now be routinely
amended for new applications to include hashing and/or discarding the first
256 bytes of pseudo-random output. (This has in any case been RSA's routine
Cryptographic systems based on RC4

BitTorrent protocol encryption
Microsoft Point-to-Point Encryption
SSL- Secure Sockets Layer (optionally)
Secure shell (optionally)
Kerberos (optionally)

MSOffice 2002 / 2003

References
• Bruce Schneier. Applied Cryptography. 1996. pp. 397-398, Chapter 17: Other
Stream Ciphers and Real Random Sequence Generators. [SCH 96]
• Kaukonen, Thayer. Internet Draft, July 1999. A Stream Cipher Encryption
Algorithm "Arcfour". Available at:
• Mehran Misaghi. O Papel da Criptografia em Segurança da Informação.
• Wikipedia (English). April 2007.
• RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4. RSA site.
• WEBER, Raul Fernando; PEREZ, André. UFRGS. Considerações sobre
segurança em redes sem fio.
• PEARL Tools. Um conjunto de Ferramentas para avaliação da Eficiência de
algoritmos de criptografia em dispositivos móveis. UFB. Hernandez, Mateus et
• Hongjun Wu. The Misuse of RC4 in Microsoft Word and Excel. I.I.R,
• CryptoBytes. Attacks on RC4 and WEP. RSA Laboratories. Vol. 5, No. 2, 2002.
Scott Fluhrer, Itsik Mantin, and Adi Shamir.
