Universidade Federal do Rio Grande do Sul PGCC - Pós-graduação em Computação Considerações sobre o algoritmo RC4. Ricardo Goulart ragoulart@hotmail.com
RC4 “Classificado como algoritmo de Criptografia simétrica(DES, AES,IDEA) -Algoritmos rápidos - Única chave para cifragem e decifragem. Decifragem Texto Aberto Cifragem Texto Cifrado Texto Aberto c P P K Canal seguro Chave K
RC4 É um Stream Cipher. Gera ilimitados bytes pseudo aleatórios Possui chave de tamanho variável. Não é considerado um dos melhores sistemas criptográficos
RC4 “RC4 (also known as ARC4 or ARCFOUR) is the most widely-used stream cipher and it is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and wireless networks. While remarkable in its simplicity, RC4 falls short of the high standards of security set by cryptographers, and some ways of using RC4 can lead to very insecure cryptosystems. It is not recommended for use in new systems. However, some systems based on RC4 are secure enough for practical use.”Origem: Wikipédia, “The main factors which helped its deployment over such a wide range of applications consisted in its impressive speed and simplicity. Implementations in both software and hardware are very easy to develop”.
RC4 História 1987 Ron Rivest desenvolve o algoritmo RC4 para RSA(Rivest, Samir and Aderman) Data Security, Inc., Especializada em sist. encriptação. Foi, um segredo comercial bem protegido, popular, e utilizado largamente em software, como Lotus Notes, Apple Computer’s AOCE, Oracle Secure SQL, Internet Explorer, Netscape e Adobe Acrobat.[SCH 96] Em Set 1994, é postado um código fonte em uma mailing list dedicada à criptografia (Cypherpunks) supostamente equivalente ao RC4. Espalhou-se rápido pela rede e foi confirmada a compatilidade com o RC4.
RC4 Algoritmo Description of ARCFOUR Algorithm - K.Kaukonen Key Setup As transformações são lineares, não há cálculos complexos, já que o sistema funciona por permutações e somas de valores inteiros. Usa um array, que a cada utilização, tem seus valores permutados, e misturados com a chave, o que provoca que seja muito dependente desta. A chave, usada na inicialização do array, pode ter até 256 bytes (2048 bits). Description of ARCFOUR Algorithm - K.Kaukonen Key Setup 1. Allocate an 256 element array of 8 bit bytes to be used as an S-box, label it S [0] .. S [255]. 2. Initialize the S-box. Fill each entry first with it's index: S [0] = 0; S [1] = 1; etc. up to S [255] = 255;
RC4 Algoritmo Fill another array of the same size (256) with the key, repeating bytes as necessary. for (i = 0; i < 256; i = i + 1) S2 [i] = key [i % keylen]; 4. Set j to zero and initialize the S-box like this: { j = (j + S [i] + S2 [i]) % 256; temp = S [i]; S [i] = S [j]; S [j] = temp; }
RC4 Algoritmo 5. Initialize i and j to zero. Stream Generation For either encryption or decryption, the input text is processed one byte at a time. A pseudorandom byte K is generated: i = (i+1) % 256; j = (j + S[i]) % 256; temp = S [i]; S [i] = S [j]; S [j] = temp; t = (S [i] + S [j]) % 256; K = S [t]; To encrypt, XOR the value K with the next byte of the plaintext. To decrypt, XOR the value K with the next byte of the ciphertext.
RC4 KSA(K) Initialization: S ← �0, 1, . . . ,N − 1� j ← 0 Scrambling: For i ← 0 . . . N − 1 j ← j + S[i] + K[i mod �] S[i] ↔ S[j] PRGA(S) i ← 0 j ← 0 Generation loop: i ← i + 1 j ← j + S[i] t ← S[i] + S[j] Output z ← S[t]
RC4 Fragilidade do RC4 2001 - publicação de artigos sobre a fragilidade do protocolo WEP: O Intercepting Mobile Communication, UCB e o Weakness in the Key Scheduling Algorithm of RC4, escrito pelo CISCO e Instituto Weizmann, Israel.. Esses dois artigos atacam o WEP, alegando ou dando a entender que a sua maior fragilidade é o seu algoritmo de criptografia. O primeiro artigo ensina como se consegue, sem o conhecimento prévio da chave ter acesso às informações criptografadas.
RC4 Weaknesses in the Key Scheduling Algorithm of RC4 Scott Fluhrer1, Itsik Mantin2 - 1Cisco Systems, 2The Weizmann Institute Present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. Identify a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with non-negligible probability. It´s possible to use these weak keys to construct new distinguishers for RC4, and to mount related key attacks with practical complexities. Show that RC4 is completely insecure in a common mode of operation which is used in WEP, in which a fixed secret key is concatenated with known IV modifiers in order to encrypt different messages. The new passive ciphertext-only attack on this mode can recover an arbitrarily long key in a negligible amount of time which grows only linearly with its size, both for 24 and 128 bit IV modifiers. – 396 citações.
RC4 Vantagens Conforme Bruce Schneier ,quatro (possíveis) vantagens do RC4: encriptação é rápida (cerca de 10 vezes mais rápida que o DES). RC4 pode estar em 21700 possíveis estados. Segundo RSADSI é imune a criptoanálise diferencial e integral? Nada impede que possa ser generalizado para vetores e palavras maiores. What you see is what you get! Many stream ciphers are based on linear feedback shift registers (LFSRs), which while efficient in hardware are less so in software. The design of RC4 avoids the use of LFSRs, and is ideal for software implementation.
RC4 Desvantagens ? Defesa do RC4? Maior fragilidade observada é na forma que foi implementado no WEP. Implementação incorreta no Microsoft msoffice 2002/2003 In 2001 a new discovery was made by Fluhrer, Mantin and Shamir: over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. If the long-term key and nonce are simply concatenated to generate the RC4 key, this long- term key can be discovered by analysing large number of messages encrypted with this key. “weaknesses in the key scheduling algorithm can be prevented by discarding the first 256 output bytes of the pseudo-random generator before beginning encryption” - RSA.
RC4 Desvantagens ? Defesa do RC4? So far no one had found an attack on the PRGA part of RC4 which is even close to being practical: For n = 8 and sufficiently long keys, the best known attack requires more than 2700 time to find its initial state. - RSA.
RC4 Desvantagens ? O que diz a RSA? The "heart" of RC4 is its exceptionally simple and extremely efficient pseudo- random generator. The recent attacks relate only to the key-scheduling algorithm, not to the generator. There are at present no known practical attacks against this generator when initialized with a randomly-chosen initial state. RC4 is likely to remain the algorithm of choice for many applications and embedded systems. (Of course, strong block ciphers like AES or RC6 should also routinely be considered as candidates for any new application, particularly when authentication is also required, since block ciphers can utilize modes of operation, that efficiently provide both confidentiality and integrity.) The initial key scheduling component of RC4 should for now be routinely amended for new applications to include hashing and/or discarding the first 256 bytes of pseudo-random output. (This has in any case been RSA's routine recommendation.).
RC4 Sistemas de criptografia baseados no RC4 WEP e WPA CipherSaber BitTorrent protocol encryption Microsoft Point-to-Point Encryption SSL- Secure Sockets Layer (optionally) Secure shell (optionally) Kerberos (optionally) MSOffice 2002 / 2003
RC4 RC4-based cryptosystems
RC4 Bruce Schneier. Applied Criptography. 1996.P 397-398.Chapter 17. Others Stream Ciphers and Real Random Sequence Generators. Kaukonen,Thayer Internet Draft ARCFOUR Algorithm July, 1999.A Stream Cipher Encryption Algorithm "Arcfour“. Disponivel em http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt Mehran Misaghi - O Papel da Criptografia em Segurança da Informação - SOCIESC – IST. Wikipédia(Inglês).Abril de 2007. RSA Security Response to weaknesses in ksa of rc4. RSA Site. http://www.rsa.com/rsalabs/node.asp?id=2009 WEBER. Raul Fernando.PEREZ,André. UFRGS. Considerações sobre segurança em redes sem fio. PEARL Tools. Um conjunto de Ferramentas para avaliação da Eficiência de algoritmos de criptografia em dispositivos móveis.UFB. Hernandez,mateus et al. Hongjun Wu. The misuse of RC4 in Microsoft Word and Excel. I.I.R, Singapure. Cryptobytes.Atacks in RC4 and WEP.RSA Laboratories.Vol. 5 Num 2.2002Scott Fluhrer, Itsik Mantin, and Adi Shamir. http://www.rsa.com/rsalabs/cryptobytes/cryptobytes_v5n2.pdf.