Fast and Efficient Key Recovery from RC4 Permutation after KSA

The RC4 stream cipher has been designed by Ron Rivest for RSA Data Security in 1987, and was a propriety algorithm until 1994. Currently, RC4 is extremely popular in commercial domain and widely used in network protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) etc. RC4 uses an S-Box S = (S[0], . . . , S[N − 1]) of N bytes, initialized as the identity permutation. Typically, N = 256. A secret key k of size l bytes (typically, 5 ≤ l ≤ 16) is used to scramble this permutation. An array K = (K[0], . . . , K[N − 1]) is used to hold the secret key, the key is repeated in the array K at key length boundaries. where K[y] = k[y mod l] for any y, 0 ≤ y ≤ N − 1, i.e., The RC4 cipher has two components, namely, the Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA). The KSA turns the random key K into a random looking permutation S of 0, 1, . . . , N − 1 and the PRGA uses this permutation to generate the pseudo-random keystream bytes z. Both the KSA and the PRGA uses a deterministic index i and a secret pseudo-random index j to scramble the permutation by transposition. Any addition used related to the RC4 description is in general addition modulo N unless specified otherwise.