(LFSRs), which, while efficient in hardware, are less so in software. The design of RC4 avoids the use of LFSRs and is ideal for software implementation, as it requires only byte manipulations. It uses 256 bytes of memory for the state array, S through S, k bytes of memory for the key, key through key, and integer variables, i, j, and K. Performing a modular reduction of some value modulo 256 can be done with a
: over all the possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. If the nonce and long-term key are simply concatenated to generate the RC4 key, this long-term key can be discovered by analysing a large number of messages encrypted with this key. This and related effects were then used to break the
when Goutam Paul, Siddheshwar Rathi and
Subhamoy Maitra proved the keystream–key correlation and, in another work, Goutam Paul and Subhamoy Maitra proved the permutation–key correlations. The latter work also used the permutation–key correlations to design the first algorithm for complete key reconstruction from the final permutation after the KSA, without any assumption on the key or
. This algorithm has a constant probability of success in a time, which is the square root of the exhaustive key search complexity. Subsequently, many other works have been performed on key reconstruction from RC4 internal states. Subhamoy Maitra and Goutam Paul also showed that the Roos-type biases still persist even when one considers nested permutation indices, like
, who showed that the second output byte of the cipher was biased toward zero with probability 1/128 (instead of 1/256). This is due to the fact that if the third byte of the original state is zero, and the second byte is not equal to 2, then the second output byte is always zero. Such bias can be detected by observing only 256 bytes.
Goutam Paul, Siddheshwar Rathi and
Subhamoy Maitra. On Non-negligible Bias of the First Output Byte of RC4 towards the First Three Bytes of the Secret Key. Proceedings of the International Workshop on Coding and Cryptography (WCC) 2007, pages 285–294 and Designs, Codes and Cryptography Journal, pages
RC4+ is a modified version of RC4 with a more complex three-phase key schedule (taking about three times as long as RC4, or the same as RC4-drop512), and a more complex output function which performs four additional lookups in the S array for each byte output, taking approximately 1.7 times as long as
In 2013, a group of security researchers at the
Information Security Group at Royal Holloway, University of London reported an attack that can become effective using only 2 encrypted messages. While not yet a practical attack for most purposes, this result is sufficiently close to one that it has led
used this analysis to create aircrack-ptw, a tool that cracks 104-bit RC4 used in 128-bit WEP in under a minute. Whereas the
Fluhrer, Mantin, and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys in 40,000 frames with 50% probability, or in 85,000 frames with 95%
The complete characterization of a single step of RC4 PRGA was performed by
Riddhipratim Basu, Shirshendu Ganguly, Subhamoy Maitra, and Goutam Paul. Considering all the permutations, they proved that the distribution of the output is not uniform given i and j, and as a consequence, information about
In 1995, Andrew Roos experimentally observed that the first byte of the keystream is correlated with the first three bytes of the key, and the first few bytes of the permutation after the KSA are correlated with some linear combination of the key bytes. These biases remained unexplained until 2007,
Riddhipratim Basu, Subhamoy Maitra, Goutam Paul and Tanmoy
Talukdar. On Some Sequences of the Secret Pseudo-random Index j in RC4 Key Scheduling. Proceedings of the 18th International Symposium on Applied Algebra, Algebraic Algorithms and Error Correcting Codes (AAECC), 8–12 June 2009, Tarragona,
In 2016, Banik and Isobe proposed an attack that can distinguish Spritz from random noise. In 2017, Banik, Isobe, and Morii proposed a simple fix that removes the distinguisher in the first two keystream bytes, requiring only one additional memory access without diminishing software performance
alongside the key. This means that if a single long-term key is to be used to securely encrypt multiple streams, the protocol must specify how to combine the nonce and the long-term key to generate the stream key for RC4. One approach to addressing this is to generate a "fresh" RC4 key by
Subhamoy Maitra and Goutam Paul. New Form of
Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4. Proceedings of the 15th Fast Software Encryption (FSE) Workshop, 10–13 February 2008, Lausanne, Switzerland, pages 253–269, vol. 5086, Lecture Notes in Computer Science,
. A hardware accelerator of Spritz was published in Secrypt, 2016 and shows that due to multiple nested calls required to produce output bytes, Spritz performs rather slowly compared to other hash functions such as SHA-3 and the best known hardware implementation of RC4.
In March 2013, there were new attack scenarios proposed by Isobe, Ohigashi, Watanabe and Morii, as well as AlFardan, Bernstein, Paterson, Poettering and
Schuldt that use new statistical biases in the RC4 key table to recover plaintext with a large number of TLS encryptions.
As mentioned above, the most important weakness of RC4 comes from the insufficient key schedule; the first bytes of output reveal information about the key. This can be corrected by simply discarding some initial portion of the output stream. This is known as
. From there, it spread to many sites on the Internet. The leaked code was confirmed to be genuine, as its output was found to match that of proprietary software using licensed RC4. Because the algorithm is known, it is no longer a trade secret. The name
weakening or breaking RC4 used in SSL/TLS. The main factors in RC4's success over such a wide range of applications have been its speed and simplicity: efficient implementations in both software and hardware were very easy to develop.
algorithm is used to initialize the permutation in the array "S". "keylength" is defined as the number of bytes in the key and can be in the range 1 ≤ keylength ≤ 256, typically between 5 and 16, corresponding to a
. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output
The
Fluhrer, Mantin and Shamir attack does not apply to RC4-based SSL, since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys.
Although stronger than RC4, this algorithm has also been attacked, with
Alexander Maximov and a team from NEC developing ways to distinguish its output from a truly random sequence.
iterating 3 × 256 = 768 times rather than 256, and with an optional additional 768 iterations to incorporate an initial vector. The output generation function operates as follows:
Mete Akgun, Pinar Kavak, Huseyin Demirci. New Results on the Key Scheduling Algorithm of RC4. INDOCRYPT 2008, pages 40–52, vol. 5365, Lecture Notes in Computer Science, Springer.
. Dubbed the Numerous Occurrence MOnitoring & Recovery Exploit (NOMORE) attack, it is the first attack of its kind that was demonstrated in practice. Their attack against
to speculation that it is plausible that some state cryptologic agencies may already have better attacks that render RC4 insecure. Given that, as of 2013, a large amount of
, if these hypothetical better attacks exist, then this would make the TLS-with-RC4 combination insecure against such attackers in a large number of practical scenarios.
Eli Biham and Yaniv Carmeli. Efficient Reconstruction of RC4 Keys from Internal States. FSE 2008, pages 270–288, vol. 5086, Lecture Notes in Computer Science, Springer.
Protocols can defend against this attack by discarding the initial portion of the keystream. Such a modified algorithm is traditionally called "RC4-drop", where
In March 2015, researchers at Royal Holloway announced improvements to their attack, providing a 2 attack against passwords encrypted with RC4, as used in TLS.
Although the algorithm requires the same number of operations per output byte, there is greater parallelism than in RC4, providing a possible speed improvement.
within 75 hours. The attack against WPA-TKIP can be completed within an hour and allows an attacker to decrypt and inject arbitrary packets.
showed that the first and second bytes of RC4 were also biased. The number of required samples to detect this bias is 2 bytes.
providing access to a random number generator originally based on RC4. The API allows no seeding, as the function initializes itself using
in 1987. While it is officially termed "Rivest Cipher 4", the RC acronym is alternatively understood to stand for "Ron's Code" (see also
In 2005, Andreas Klein presented an analysis of the RC4 stream cipher, showing more correlations between the RC4 keystream and the key.
It is noteworthy, however, that RC4, being a stream cipher, was for a period of time the only common cipher that was immune to the 2011
For as many iterations as are needed, the PRGA modifies the state and outputs a byte of the keystream. In each iteration, the PRGA:
known (all other elements can be assumed empty), then the maximum number of elements that can be produced deterministically is also
Goutam Paul and Subhamoy Maitra. Permutation after RC4 Key Scheduling Reveals the Secret Key. SAC 2007, pages 360–377, vol. 4876,
and David McGrew also showed attacks that distinguished the keystream of RC4 from a random stream given a gigabyte of output.
. S is then processed for 256 iterations in a similar way to the main PRGA, but also mixes in bytes of the key at the same time.
As of 2015, there is speculation that some state cryptologic agencies may possess the capability to break RC4 when used in the
Banik, Subhadeep; Isobe, Takanori (20 March 2016). "Cryptanalysis of the Full Spritz Stream Cipher". In Peyrin, Thomas (ed.).
is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure
. These types of biases are used in some of the later key reconstruction methods for increasing the success probability.
These test vectors are not official, but convenient for anyone testing their own RC4 program. The keys and plaintext are
until 2022. Instead, a separate library, libbsd, offers the function; it was updated to use ChaCha20 in 2016. In 2022,
article on RC4 in his own course notes in 2008 and confirmed the history of RC4 and its code in a 2014 paper by him.
Where a protocol is marked with "(optionally)", RC4 is one of multiple ciphers the system can be configured to use.
Variably Modified Permutation Composition (VMPC) is another RC4 variant. It uses a similar key schedule to RC4, with
The keystream generated by RC4 is biased to varying degrees towards certain sequences, making it vulnerable to
"Interim technology for wireless LAN security: WPA to replace WEP while industry develops new security standard"
). As with any stream cipher, these can be used for encryption by combining it with the plaintext using bitwise
Pouyan Sepehrdad; Serge Vaudenay; Martin Vuagnoux (2011). "Discovery and Exploitation of New Biases in RC4".
At the Black Hat Asia 2015 Conference, Itsik Mantin presented another attack against SSL using RC4 cipher.
GeneratingOutput: i := i + 1 a := S j := j + a Swap S and S
A combinatorial problem related to the number of inputs and outputs of the RC4 cipher was first posed by
To generate the keystream, the cipher makes use of a secret internal state which consists of two parts:
. This caused a scramble for a standards-based replacement for WEP in the 802.11 market and led to the
Yukiyasu Tsunoo; Teruo Saito; Hiroyasu Kubo; Maki Shigeri; Tomoyasu Suzaki; Takeshi Kawabata (2005),
"A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher"
A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher
, Spritz can be used to build a cryptographic hash function, a deterministic random bit generator (
Legacy arc4random(3) API from OpenBSD reimplemented using the ChaCha20 PRF, with per-thread state.
. Lecture Notes in Computer Science. Vol. 9783. Springer Berlin Heidelberg. pp. 63–77.
Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers
Andrew Roos. A Class of Weak Keys in the RC4 Stream Cipher. Two posts in sci.crypt, message-id
"A Replacement Call for Random" for ARC4 as a mnemonic, as it provides better random data than
) with the next byte of the message to produce the next byte of either ciphertext or plaintext.
A. Klein, Attacks on the RC4 stream cipher, Designs, Codes and Cryptography (2008) 48:269–286.
This was attacked in the same papers as RC4A, and can be distinguished within 2 output bytes.
is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers.
, an early June 2008 computer virus for Microsoft Windows, which takes documents hostage for
in the next 256 rounds. This conjecture was put to rest in 2004 with a formal proof given by
Proposed new random number generators are often compared to the RC4 random number generator.
"ssl - Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune"
algorithm (KSA). Once this has been completed, the stream of bits is generated using the
in 1999, until it was prohibited for all versions of TLS by RFC 7465 in 2015, due to the
, Lecture Notes in Computer Science, vol. 3017, Springer-Verlag, pp. 210–225,
, Lecture Notes in Computer Science, vol. 3017, Springer-Verlag, pp. 245–259,
, Lecture Notes in Computer Science, vol. 2442, Springer-Verlag, pp. 304–319,
"A Complete Characterization of the Evolution of RC4 Pseudo Random Generation Algorithm"
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
. However, many applications that use RC4 simply concatenate key and nonce; RC4's weak
, Lecture Notes in Computer Science, vol. 5365, Springer-Verlag, pp. 27–39,
In 2014, Ronald Rivest gave a talk and co-wrote a paper on an updated redesign called
with 255 (which is equivalent to taking the low-order byte of the value in question).
Each element of S is swapped with another element at least once every 256 iterations.
"VMPC-R: Cryptographically Secure Pseudo-Random Number Generator, Alternative to RC4"
According to manual pages shipped with the operating system, in the 2017 release of
Nadhem AlFardan; Dan Bernstein; Kenny Paterson; Bertram Poettering; Jacob Schuldt.
(insecure implementation since nonce remains unchanged when documents get modified)
operating systems, Apple replaced RC4 with AES in its implementation of arc4random.
. Information Security Group, Royal Holloway, University of London. Archived from
GeneratingOutput: i := (i + 1) mod 256 j := (j + S) mod 256
RC4 became part of some commonly used encryption protocols and standards, such as
The lookup stage of RC4. The output byte is selected by looking up the values of
; decryption is performed the same way (since exclusive or with given data is an
Basu, Riddhipratim; Ganguly, Shirshendu; Maitra, Subhamoy; Paul, Goutam (2008).
has never officially released the algorithm; Rivest has, however, linked to the
is the number of initial keystream bytes that are dropped. The SCAN default is
"Analysis of RC4 and Proposal of Additional Layers for Better Security Margin"
"Microsoft continues RC4 encryption phase-out plan with .NET security updates"
Spain, pages 137–148, vol. 5527, Lecture Notes in Computer Science, Springer.
A number of attempts have been made to strengthen RC4, notably Spritz, RC4A,
– Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
in 2001, whereby, of the total 256 elements in the typical state of RC4, if
The use of RC4 in TLS is prohibited by RFC 7465 published in February 2015.
. The use of RC4 has been phased out in most systems implementing this API.
Analysis of Non-fortuitous Predictive States of the RC4 Keystream Generator
, adding them together modulo 256, and then using the sum as an index into
, but in September 1994, a description of it was anonymously posted to the
Analysis of Energy Consumption of RC4 and AES Algorithms in Wireless LANs
"RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4"
"6.857 Computer and Network Security Spring 2008: Lectures and Handouts"
"Chapter 17 – Other Stream Ciphers and Real Random-Sequence Generators"
of S and S t := (S + S) mod 256 K := S output K
. Lecture Notes in Computer Science. Vol. 6544. pp. 74–91.
"That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?"
255 j := (j + S + key) mod 256 swap values of S and S
Banik, Subhadeep; Isobe, Takanori; Morii, Masakatu (1 June 2017).
. Information Security Group, Royal Holloway, University of London
Applied Cryptography: Protocols, Algorithms, and Source Code in C
(was optional and then the use of RC4 was prohibited in RFC 7465)
S2 + S1] j2 := j2 + S2 swap values of S2 and S2
GeneratingOutput: i := i + 1 j1 := j1 + S1
of 40–128 bits. First, the array "S" is initialized to the
"HTTPS cookie crypto CRUMBLES AGAIN in hands of stats boffins"
Original posting of RC4 algorithm to Cypherpunks mailing list
Hongjun Wu, "The Misuse of RC4 in Microsoft Word and Excel".
"Mozilla Security Server Side TLS Recommended Configurations"
This article is about the stream cipher. For other uses, see
"Analysis and Improvements of the Full Spritz Stream Cipher"
"Spritz – a spongy RC4-like stream cipher and hash function"
that, like RC4, are designed to be very simple to implement.
traffic uses RC4 to avoid attacks on block ciphers that use
Statistical Analysis of the Alleged RC4 Keystream Generator
"GNU C Library Finally Adds arc4random Functions For Linux"
"Security Advisory 2868725: Recommendation to disable RC4"
has published RFC 7465 to prohibit the use of RC4 in TLS;
Modified Alleged RC4 on Intel Core 2: 13.9 cycles per byte
The Most Efficient Distinguishing Attack on VMPC and RC4A
Isobe, Takanori; Ohigashi, Toshihiro (10–13 March 2013).
Hidden Keys to Software Break-Ins and Unauthorized Entry
Second, the operation is repeated (without incrementing
"Pseudo-Random Number Generator RC4 Period Improvement"
Cryptographically secure pseudorandom number generator
Fluhrer, Scott R.; Mantin, Itsik; Shamir, Adi (2001).
GeneratingOutput: a := S j := S
The permutation is initialized with a variable-length
is typically a multiple of 256, such as 768 or 1024.
, typically between 40 and 2048 bits, using the
"Update arc4random module from OpenBSD and LibreSSL"
This algorithm has not been analyzed significantly.
have proposed an RC4 variant, which they call RC4A.
= 768 bytes, but a conservative value would be
In 2001, a new and surprising discovery was made by
Roos' biases and key reconstruction from permutation
"Weaknesses in the Key Scheduling Algorithm of RC4"
Subhamoy Maitra; Goutam Paul (19 September 2008),
Erik Tews, Ralf-Philipp Weinmann, Andrei Pyshkin.
"Attack of the week: RC4 is kind of broken in TLS"
by obscuring them with RC4 and RSA-1024 encryption
First, the basic RC4 algorithm is performed using
("wired equivalent privacy") encryption used with
. The best such attack is due to Itsik Mantin and
. The attack exploits a known weakness in the way
ChaCha based random number generator for OpenBSD.
(Mailing list). 9 September 1994. Archived from
Unlike a modern stream cipher (such as those in
"Hardware Accelerator for Stream Cipher Spritz"
Mathy Vanhoef; Frank Piessens (9 August 2015).
Rivest, Ron; Schuldt, Jacob (27 October 2014).
Two 8-bit index-pointers (denoted "i" and "j").
is trademarked, so RC4 is often referred to as
A Stream Cipher Encryption Algorithm "Arcfour"
Debjyoti Bhattacharjee; Anupam Chattopadhyay.
"Skype's encryption procedure partly exposed"
P. Prasithsangaree; P. Krishnamurthy (2003).
distinguish its output from a random sequence
Fluhrer; Mantin; Shamir (Summer–Fall 2002).
, Cryptology ePrint Archive: Report 2008/396
, Cryptology ePrint Archive: Report 2007/070
, Cryptology ePrint Archive: Report 2002/067
, rather than a prepared stream, are used.
. FSE 2000. pp. 19–30. Archived from
presented new attacks against RC4 in both
(MAC), then encryption is vulnerable to a
"VMPC One-Way Function and Stream Cipher"
123–134, vol. 49, no. 1-3, December 2008.
), an encryption algorithm that supports
Variably Modified Permutation Composition
is incremented, two bytes are generated:
Pseudo-random generation algorithm (PRGA)
– Test Vectors for the Stream Cipher RC4
as an index to fetch a third element of
mailing list. It was soon posted on the
. I-D draft-kaukonen-cipher-arcfour-03.
Progress in Cryptology - INDOCRYPT 2008
"On the Security of RC4 in TLS and WPA"
"On the Security of RC4 in TLS and WPA"
Standard Cryptographic Algorithm Naming
All arithmetic is performed modulo 256.
. The implementations of arc4random in
, meaning Alleged RC4, see below) is a
Paul, Goutam; Subhamoy Maitra (2011).
Alexander Maximov (22 February 2007),
Breaking 104-bit WEP in under a minute
b := S; S := S; S := b;
b := S; S := b; S := a)
i := 0 j1 := 0 j2 := 0
All arithmetic is performed modulo 256
, the keystream and ciphertext are in
In OpenBSD 5.5, released in May 2014,
is used as a byte of the key stream K.
AlFardan; et al. (8 July 2013).
. Royal Holloway University of London
. A-List Publishing. pp. 92–93.
. RSA Laboratories. 1 September 2001.
BSD Cross Reference, OpenBSD src/lib/
. The cipher is also vulnerable to a
. If not used together with a strong
in 2003/2004 for wireless cards; and
have issued similar recommendations.
Advances in Cryptology – CRYPTO 2002
BSD Cross Reference, NetBSD src/lib/
. GLOBECOM '03. IEEE. Archived from
j is always leaked into the output.
Scott R. Fluhrer; David A. McGrew.
A Practical Attack on Broadcast RC4
riastradh, ed. (16 November 2014).
Introduction to Modern Cryptography
Microsoft Point-to-Point Encryption
In 2015, security researchers from
Several attacks on RC4 are able to
for the new arc4random include the
RC4 Stream Cipher and Its Variants
. www.h-online.com. Archived from
Fast Software Encryption, FSE 2004
Fast Software Encryption, FSE 2004
Journal of Mathematical Cryptology
"arc4random – NetBSD Manual Pages"
, Chapman and Hall/CRC, p. 77
Mechanism Digest-MD5 (optionally,
with associated data (AEAD), etc.
S + 1]] Swap S and S
(which is famous for breaking the
RC4-based random number generators
pseudo-random generation algorithm
(in)Security of the WEP algorithm
"(Not So) Random Shuffles of RC4"
Lecture Notes in Computer Science
Bob Jenkins (15 September 1994).
Lucian Constantin (14 May 2014).
Fluhrer, Mantin and Shamir attack
Many stream ciphers are based on
 (archived 21 February 2015)
https://eprint.iacr.org/2005/007
Green, Matthew (12 March 2013).
John Leyden (6 September 2013).
), RC4 does not take a separate
Thus, this produces a stream of
(Rivest Cipher 4, also known as
– Prohibiting RC4 Cipher Suites
"Briefings – March 26 & 27"
"On the Security of RC4 in TLS"
"Security of RC4 Stream Cipher"
, but can be configured to use
linear-feedback shift registers
) to avoid trademark problems.
Pseudorandom number generators
Information-theoretic security
"Attacking SSL when using RC4"
Selected Areas in Cryptography
Selected Areas in Cryptography
. FSE 2001. pp. 152–164.
Andrei Popov (February 2015).
BitTorrent protocol encryption
if not implemented correctly.
Key-scheduling algorithm (KSA)
John Leyden (15 March 2013).
– FSE 2004, pp. 245–259.
. Microsoft. 12 November 2013
Prohibiting RC4 Cipher Suites
then bitwise exclusive ORed (
block ciphers in stream mode
10.1587/transfun.E100.A.1296
10.1007/978-3-540-25937-4_14
10.1007/978-3-540-25937-4_16
Ilya Mironov (1 June 2002),
J. Katz; Y. Lindell (2014),
Advanced Encryption Standard
All arithmetic modulo 256.
45A01F645FC35B383552544B9BF5
Message authentication code
Cryptographic hash function
Cryptographic hash function
10.1007/978-3-662-52993-5_4
10.1007/978-3-540-89754-5_3
10.1007/978-3-642-19574-7_5
"Crypto++ 5.6.0 Benchmarks"
j := S + key) mod 256]
RC4A uses two state arrays
message authentication code
pseudorandom stream of bits
Harvest now, decrypt later
alternating step generator
"Manual Pages: arc4random"
are left and right shift,
cipher-block chaining mode
ciphertext = plaintext ⊕ K
). This is similar to the
in 1995 and its successor
Post-quantum cryptography
. E100.A (6): 1296–1305.
"RC4-drop(nbytes) in the
Sklyarov, Dmitry (2004).
"libc/crypt/arc4random.c"
Biased outputs of the RC4
, also based on ChaCha20.
added its own version of
Quantum key distribution
Authenticated encryption
Random number generation
self-shrinking generator
"Attacks On RC4 and WEP"
Fast Software Encryption
10.1007/3-540-45708-9_20
Fast Software Encryption
Cryptography Engineering
10.1007/3-540-45473-X_13
"Thank you Bob Anderson"
, obsoleted in RFC 6331)
Transport Layer Security
authenticated encryption
Thus, the algorithm is:
, but in the last step,
, an API originating in
i := 0 j := 0
exchanges the values of
, except that generated
Public-key cryptography
Symmetric-key algorithm
Key derivation function
Cryptographic primitive
Authentication protocol
Outline of cryptography
History of cryptography
(2nd ed.). Wiley.
Bartosz Zoltak (2004),
"libc/gen/arc4random.c"
Remote Desktop Protocol
(default algorithm for
a long-term key with a
Cryptographic protocol
: 1–24. Archived from
. Hiroshima University
, ed. (21 July 2014).
distinguishing attacks
, which did not offer
Broken stream ciphers
End-to-end encryption
Cryptojacking malware
stream cipher attacks
2003. pp. 52–67.
can decrypt a secure
cipher block chaining
Royal Holloway attack
Combinatorial problem
Ralf-Philipp Weinmann
initialization vector
Linux typically uses
(the keystream value
7 cycles per byte on
1438:Secure Sockets Layer
1348:c := S + S
1028:number of elements (
839:stream cipher attack
712:EB9F7781B734CA72A719
599:was modified to use
491:, then uses the sum
396:255 S := i
380:identity permutation
340:(denoted "S" below).
336:of all 256 possible
222:RC4 was initially a
199:RC4 was designed by
32:RC4 (disambiguation)
1515:Corrected Block TEA
1423:Microsoft Office XP
1393:RC4-based protocols
984:= 3072 bytes.
835:bit-flipping attack
804:related-key attacks
802:then gives rise to
611:also use ChaCha20.
474:, and adds that to
41:
1489:(in modified form)
1160:, and two indexes
1078:Bar mitzvah attack
1072:Bar mitzvah attack
723:BBF316E8D940AF0AD3
493:S + S (modulo 256)
445:
70:(designed in 1987)
39:
4064:
4063:
4060:
4059:
1243:of S1 and S1
963:IEEE 802.11i
959:wireless networks
817:Because RC4 is a
774:
773:
565:operating systems
323:pseudorandom bits
267:English Knowledge
131:
130:
1375:sponge functions
1347:
1336:
1302:i := i + 1
1301:
1285:
1277:
1234:
1222:
1218:
1212:
1208:
1199:
1196:is looked up in
758:04D46B053CA87B59
301:RC4 generates a
124:original Pentium
1414:instead of RC4)
1395:
1389:substantially.
1364:
1356:
1341:
1334:is exclusive OR
1143:Souradyuti Paul
1140:
1116:
1088:
1080:
1074:
1054:
1042:Souradyuti Paul
1037:
1014:
1005:Andrei Pychkine
993:
981:
977:
973:
936:
930:
904:Souradyuti Paul
241:within days by
237:, where it was
197:
126:
101:
97:
86:
69:
65:First published
991:Klein's attack
989:
764:Attack at dawn
658:Implementation
656:
645:
644:
633:
632:
631:
560:
557:
545:to obtain the
516:
512:
511:
504:
481:
466:th element of
458:
420:
417:
384:
371:key-scheduling
366:
363:
354:key-scheduling
68:Leaked in 1994
1172:. Each time
1086:NOMORE attack
1008:probability.
918:Scott Fluhrer
827:block ciphers
824:
821:, it is more
820:
819:stream cipher
151:stream cipher
75:Cipher detail
73:
67:
63:
59:
55:
52:
48:
43:
37:
33:
27:Stream cipher
19:
1458:(optionally)
1452:(optionally)
1446:(optionally)
1444:Secure Shell
1387:
1372:
1365:
1357:
1353:
1352:(S + S) ⊕ S
1349:
1343:
1337:
1333:
1329:
1325:
1321:
1315:
1307:
1303:
1297:
1291:
1287:
1286:i := 0
1282:
1273:
1259:
1256:
1252:
1248:
1244:
1236:
1231:
1226:
1151:
1147:Bart Preneel
1141:
1129:
1124:
1120:
1117:
1114:RC4 variants
1089:
1081:
1067:
1055:
1046:Bart Preneel
1033:
1029:
1025:
1018:Itsik Mantin
1015:
994:
986:
971:
937:
922:
916:
908:Bart Preneel
902:
891:
870:
862:
858:
850:TLS 1.0
846:BEAST attack
843:
825:than common
816:
800:key schedule
780:
735:6044DB6D41B7
677:
674:Test vectors
661:
649:
646:
627:
619:
562:
547:
541:
530:
526:
518:
513:
476:
462:
453:
446:
413:
409:
405:
401:
400:j := 0
397:
393:
389:
385:
368:
358:
352:
346:
327:
322:
319:one-time pad
311:exclusive or
300:
276:in 1997 and
271:
263:RSA Security
258:
254:
250:
246:
224:trade secret
221:
205:RSA Security
198:
186:
170:TLS protocol
167:
146:
142:
138:
135:cryptography
132:
58:RSA Security
36:
18:RC4 (cipher)
3972:Mathematics
3963:Mix network
3282:CryptoBytes
3094:10356/81487
2679:19 November
2654:19 November
2618:6 September
2596:6 September
2290:, Springer.
1756:Cypherpunks
1530:CipherSaber
1373:Like other
1317:basic RC4.
1241:swap values
1134:, and RC4.
1108:HTTP cookie
1032:≤ 256) are
965:effort and
814:standard).
806:, like the
701:Ciphertext
684:hexadecimal
668:bitwise AND
577:/dev/random
523:swap values
451:increments
334:permutation
297:Description
290:RC4 attacks
259:alleged RC4
243:Bob Jenkins
228:Cypherpunks
191:, and RC4.
1223:is output.
1209:again) on
1022:Adi Shamir
898:Adi Shamir
746:1021BF0420
628:arc4random
620:arc4random
597:arc4random
569:arc4random
548:ciphertext
535:which are
376:key length
315:involution
201:Ron Rivest
104:effective)
94:State size
54:Ron Rivest
1507:Block TEA
1472:Gpcode.AK
1251:S1 + S2]
1092:KU Leuven
997:Erik Tews
823:malleable
718:Plaintext
698:Plaintext
695:Keystream
585:backronym
581:Man pages
542:plaintext
539:with the
533:K, K, ...
307:keystream
257:(meaning
235:newsgroup
232:sci.crypt
182:Microsoft
159:protocols
155:keystream
81:Key sizes
50:Designers
1466:historic
1456:Kerberos
1412:AES-CCMP
1354:endwhile
1328:>>
1324:<<
1304:endwhile
1253:endwhile
1123:, where
1119:RC4-drop
1100:WPA-TKIP
777:Security
601:ChaCha20
567:include
563:Several
527:endwhile
441:S(S + S)
361:(PRGA).
161:such as
940:Fluhrer
792:hashing
783:eSTREAM
605:FreeBSD
573:OpenBSD
503:below);
251:ARCFOUR
195:History
178:Mozilla
147:ARCFOUR
45:General
1476:ransom
1368:Spritz
1362:Spritz
1350:output
1292:output
1249:output
1245:output
1221:S1+S2]
1219:, and
1003:, and
956:802.11
948:Shamir
944:Mantin
753:Secret
609:NetBSD
591:does.
589:rand()
414:endfor
398:endfor
239:broken
110:Rounds
100:bits (
1487:Skype
1338:while
1288:while
1237:while
1194:S1+S1
912:COSIC
796:nonce
787:nonce
741:pedia
680:ASCII
637:macOS
624:glibc
616:glibc
551:. So
537:XORed
519:while
508:XORed
338:bytes
119:Speed
1462:SASL
1404:TKIP
1379:DRBG
1326:and
1264:VMPC
1213:and
1186:and
1166:and
1156:and
1145:and
1138:RC4A
1132:VMPC
1098:and
1044:and
1034:only
1020:and
946:and
906:and
730:Wiki
639:and
487:and
431:and
406:from
390:from
369:The
255:ARC4
215:and
189:VMPC
180:and
174:IETF
143:ARC4
102:1684
98:2064
89:bits
87:2048
1503:TEA
1482:PDF
1408:WPA
1399:WEP
1312:RC4
1104:TLS
1096:TLS
1059:TLS
967:WPA
952:WEP
910:of
882:S]]
880:or
848:on
812:WEP
707:Key
692:Key
641:iOS
402:for
386:for
349:key
305:(a
286:TLS
282:SSL
278:WPA
274:WEP
253:or
247:RC4
219:).
217:RC6
213:RC5
209:RC2
203:of
163:WEP
145:or
139:RC4
133:In
85:40–
40:RC4
1505:,
1436:/
1216:j2
1211:S2
1198:S2
1189:j1
1184:S1
1169:j2
1163:j1
1158:S2
1154:S1
1048:.
999:,
969:.
942:,
878:S]
686:.
654:.
607:,
555:.
470:,
439:;
410:to
408:0
404:i
394:to
392:0
388:i
332:A
211:,
172:.
165:.
137:,
1346:)
1342:(
1332:⊕
1300:)
1296:(
1206:i
1200:.
1175:i
1125:N
1121:N
1038:x
1030:x
1026:x
982:n
978:n
974:n
760:…
737:…
714:…
501:K
497:S
489:S
485:S
480:;
477:j
472:S
468:S
463:i
457:;
454:i
437:S
433:S
429:S
114:1
60:)
56:(
34:.
20:)