Weaknesses in the Key Scheduling Algorithm of RC4

Scott Fluhrer

Cisco Systems

We analyze the key scheduling algorithm of RC4 and show two distinct weaknesses. We identify a large number of weak keys, in which knowledge of a small number of key bits suffices to determine many state and output bits with non-negligible probability. In addition, we show that the first byte generated by RC4 leaks information about individual key bytes, which makes it completely insecure in a mode of operation that is used in the widely deployed Wired Equivalent Privacy (WEP) protocol.

Gates 4B (opposite 490), 10/16/01, 4:30 PM