1

I have two messages that are encrypted with the same partial key. For example:

   C1 = RC4(M1, "(VARIABLE_DATA)XXXXYYYY")
   C2 = RC4(M2, "(VARIABLE_DATA)XXXXYYYY")

Is it possible with RC4, if C1 and C2 are known to atleast recover the partial key of "XXXXYYYY" since that never changes?

user974896
  • 1,795
  • 4
  • 28
  • 48

3 Answers3

4

I think there's some confusion about your question. The way stream ciphers work is by generating a keystream that gets (usually) exclusive-or'ed with the message. You are correct that if you use the same key and IV, and thus the same keystream, that this leaks information about the messages.

Here, K is the key stream generated by RC4:

C1 = K ^ M1

C2 = K ^ M2

And by rearranging:

C1 ^ C2 = (K ^ M1) ^ (K ^ M2)

the keystream cancels out here, and you're left with

C1 ^ C2 = M1 ^ M2

Since the attacker knows the two ciphertext values, he can compute the difference of the two messages. If the attacker knows one of the inputs (perhaps a fixed header), he can compute the second message.

M2 = (C1 ^ C2) ^ M1

There's also some statistical tests using cribs, if the messages are natural language.

To answer your question, RC4 should generate an entirely different keystream under related keys, so this attack won't work. There are other attacks against the key scheduling algorithm though, and plenty of reasons to prefer an alternative to RC4.

If you're asking about recovering the initial key from the keystream, there are a few

mfanto
  • 14,168
  • 6
  • 51
  • 61
  • 1
    Tried this: M2 = (C1 ^ C2) ^ M1. Theoretically it looks like makes sense, but actually getting the expected result seems like a different thing. What exactly means XORing these? – Devela Oct 26 '17 at 19:14
0

In general keys of uncompromised encryption techniques are only recoverable using brute force, which in turn requires some method of verifying that the decryption was successful.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • I thought with stream ciphers (which are basically XOR ciphers) if you have two ciphertexts encrypted with the same key you can recover the key or plaintext by reversing. – user974896 Dec 06 '12 at 16:36
  • @owlstead: there are other attacks against stream ciphers (including AES-CTR) whereby reusing the same keys and IV's make it trivial to recover messages. I think he's asking if this is also true for related keys. – mfanto Dec 06 '12 at 19:11
  • @user974896 you can at least recover the key *stream* and the plain text, given enough information within multiple streams. – Maarten Bodewes Dec 06 '12 at 19:15
0

Trying to solve this exact question i've stumbled across several threads with almost the same question and absolutely the same answer... which didn't work for me. BUT! The answers were absolutely correct and @mfanto gives very accurate description of what needs to be done (though the brackets make no sense as u can see in my code)!

Here is my C code which worked for me:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    if(argc != 4)
    {
        printf("usage: ./rc4_pa cipher1 cipher2 message1\n");
        return 1;
    }
    char *c1 = argv[1]; 
    char *c2 = argv[2];
    char *m1 = argv[3];

    int len_c1 = strlen(c1);
    int len_m1 = strlen(m1);
    char m2[len_m1 + 1];
    m2[len_m1] = '\0';

    for(int i = 0; i < len_m1; i++)
    {
        m2[i] = c1[i] ^ m1[i] ^ c2[i];
    } 
    printf("decrypted: %s\n", m2);
}

Why my code didn't work out of the box? I've got my cipher text from a web server and usually some chars of a ciphertext are not really printable. The only way to pass them further is to encode once more. In my case that was base64.

save the code to rc4_pa.c and make rc4_pa than use it like this

$ ./rc4_pa $(echo L1Gd8F5g | base64 -d) $(echo MFuD8FVg | base64 -d) hello

hope someone else might find it helpful.

Igor Voltaic
  • 742
  • 1
  • 7
  • 20