Refined Construction of RC4 Key Setting in WPA

Abstract

The RC4 stream cipher is widely used including WEP and WPA, which are the security protocols for IEEE 802.11 wireless standard. WPA improved a construction of the RC4 key setting known as TKIP to avoid the known WEP attacks. The first 3-byte RC4 keys generated by IV in WPA are known since IV can be obtained by observing packets. The weaknesses in TKIP using the known IV were reported by Sen Gupta et al. at FSE 2014 and by Ito and Miyaji at FSE 2015. Both showed that TKIP induces many RC4 key correlations including the keystream bytes or the unknown internal states. Ideally TKIP should be constructed in such a way that it can keep the security level of generic RC4. In the first part of this paper, we will provide newly theoretical proofs of 17 correlations remain unproven in our previous work theoretically. Our theoretical analysis can make clear how TKIP induces biases of internal states in generic RC4. In the second part of this paper, we will further provide a refined construction of the RC4 key setting. As a result, we can reduce the number of correlations in the refined construction by about 70% in comparison with that in the original setting.