HOME

TheInfoList



Click Here for Items Related To - Fluhrer, Mantin, and Shamir attack
OR:
Fluhrer, Mantin, and Shamir attack on:   [Wikipedia]   [Google]   [Amazon]

In
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adv ...
, the Fluhrer, Mantin and Shamir attack is a stream cipher attack on the widely used
RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
stream cipher stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
. The attack allows an attacker to recover the key in an RC4 encrypted stream from a large number of messages in that stream. The Fluhrer, Mantin and Shamir attack applies to specific key derivation methods, but does not apply in general to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys. However, the closely related bar mitzvah attack, based on the same research and revealed in 2015, does exploit those cases where
weak key In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, if one generates a rando ...
s are generated by the SSL keying process.


Background

The Fluhrer, Mantin and Shamir (FMS) attack, published in their 2001 paper "Weaknesses in the Key Scheduling Algorithm of RC4",Fluhrer, S., Mantin, I., and A. Shamir,
Weaknesses in the Key Scheduling Algorithm of RC4
, Selected Areas of Cryptography: SAC 2001, Lecture Notes in Computer Science Vol. 2259, pp 1-24, 2001. takes advantage of a weakness in the RC4
key scheduling In cryptography, the so-called product ciphers are a certain kind of cipher, where the (de-)ciphering of data is typically done as an iteration of ''rounds''. The setup for each round is generally the same, except for round-specific fixed valu ...
algorithm to reconstruct the key from encrypted messages. The FMS attack gained popularity in network attack tools including AirSnort, weplab, and
aircrack Aircrack-ng is a network software suite consisting of a detector, packet sniffer, Wired Equivalent Privacy, WEP and Wi-Fi Protected Access, WPA/IEEE 802.11i-2004, WPA2-PSK cracking of wireless networks, cracker and analysis tool for 802.11 wirele ...
, which use it to recover the key used by WEP protected wireless networks. This discussion will use the below RC4 key scheduling algorithm (KSA). begin ksa(with int keylength, with byte key eylength for i from 0 to 255 S := i endfor j := 0 for i from 0 to 255 j := (j + S + key mod keylength mod 256 swap(S S endfor end The following pseudo-random generation algorithm (PRGA) will also be used. begin prga(with byte S 56 i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S mod 256 swap(S S output S +_S__mod_256.html" ;"title="S + S mod 256">S + S mod 256 endwhile end


The attack

The basis of the FMS attack lies in the use of weak
initialization vector In cryptography, an initialization vector (IV) or starting variable (SV) is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to ...
s (IVs) used with RC4. RC4 encrypts one byte at a time with a
keystream In cryptography, a keystream is a stream of random or pseudorandom characters that are combined with a plaintext message to produce an encrypted message (the ciphertext). The "characters" in the keystream can be bits, bytes, numbers or actual chara ...
output from ''prga()''; RC4 uses the key to initialize a
state machine A finite-state machine (FSM) or finite-state automaton (FSA, plural: ''automata''), finite automaton, or simply a state machine, is a mathematical model of computation. It is an abstract machine that can be in exactly one of a finite number ...
via ''ksa()'', and then continuously modifies the state and generates a new byte of the keystream from the new state. Theoretically, the key stream functions as a random
one-time pad In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a ra ...
, as a
pseudo-random number generator A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generate ...
controls the output at each step. With certain IVs, an
attacker In some team sports, an attacker is a specific type of player, usually involved in aggressive play. Heavy attackers are, usually, placed up front: their goal is to score the most possible points for the team. In association football, attackers a ...
knowing the first byte of the keystream and the first ''m'' bytes of the key can derive the (''m'' + 1)th byte of the key due to a weakness in the KSA. Because the first byte of the plaintext comes from the WEP SNAP header, an attacker can assume he can derive the first byte of the keystream from ''B'' ⊕ 0x''AA'' (the SNAP header is almost always 0xAA). From there, he only needs an IV in the form (''a'' + 3, ''n'' − 1, ''x'') for key index ''a'' equal to 0, element value space ''n'' equal to 256 (since 8 bits make a byte), and any ''x''. To start, the attacker needs IVs of (3, 255, ''x''). WEP uses 24-bit IVs, making each value one byte long. To start, the attacker utilizes the IV as the first 3 elements in K nbsp; He fills the S-box S nbsp;with sequential values from 0 to ''n'' as RC4 does when initializing the S-box from a known K nbsp; He then performs the first 3 iterations of ksa() to begin initializing the S-box. After the third step, the attacker can possibly, but not definitely, derive the fourth byte of the key using the keystream output ''O'' by computing (O − ''j'' − ''S'' 'i'' mod ''n'' = ''K'' 'i'' with the value ''i'' = 3 at this step. At this point, the attacker does not yet have the fourth byte of the key. This algorithm does not regenerate the next byte of the key; it generates a possible value of the key. By collecting multiple messages—for example WEP packets—and repeating these steps, the attacker will generate a number of different possible values. The correct value appears significantly more frequently than any other; the attacker can determine the value of the key by recognizing this value and selecting it as the next byte. At this point, he can start the attack over again on the fifth byte of the key. Although the attacker cannot attack words of the key out of order, he can store messages for later sequential attack on later words once he knows earlier words. Again, he only needs messages with weak IVs, and can discard others. Through this process, he can gather a large number of messages for attack on the entire key; in fact, he can store only a short portion of the beginning of those messages, just enough to carry the attack out as far as the word of the key the IV will allow him to attack.


References


See also

* Bar mitzvah attack {{Cryptography navbox Cryptographic attacks