The Perils of Repeating Patterns: Observation of Some Weak Keys in RC4

We describe some observed trivially weak keys for the stream cipher RC4. Keys with repeating patterns are found to be key length invariant. The cause of the problem is the simplistic key dependent state permutation in the RC4 initialization. Introduction While writing the draft for RFC 6229 [1] and testing suitable test vectors, we observed that for some keys with different lengths, the stream cipher RC4 [2] generated identical keystreams. Typical test patterns we tested were patterns where odd or even bits are set, as well as repeated sequences of byte values. What we saw was that these patterns generated the same keystream irrespectively of the key length used. The following two sets of keys illustrates the behaviour: Key k1 = [0x55,0x55,0x55,0x55,0x55] (40 bit) Key k2 = [0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55] (64 bit) Generated keystream: 0x06,0xfe,0x68,0xd8,0x0,0xf9,... Key k3 = [0x01,0x02,0x03,0x04] (32 bit) Key k4 = [0x01,0x02,0x03,0x04,0x01,0x02,0x03,0x04] (64 bit) Generated keystream: 0x1c,0xea,0x91,0x61,0xee,0xbc,... Problem Description and Analysis The RC4 stream cipher contains a Key Scheduling Algorithm (KSA) as given by the following pseudo code: for i from 0 to 255 (1) S[i] = i (2) j = 0 (3) for i from 0 to 255 (4) j = (j + S[i] + key[i mod keylength]) mod 256 (5) swap(S[i], S[j]) (6) The only key dependent operation of the KSA is the update of the j pointer in (5). Using the values of the bytes in the key, we add a displacement to j, which then affects the byte swap operation of the state S in (6). Since the byte values in the key are accessed in sequence and cyclicly in (5), any key that consists 1 Joachim at secworks.se 2 Simon at josefsson.org