Vulnerabilities
RC4 is especially vulnerable when the beginning of the output keystream is not discarded;
RC4-dropN, where N is a multiple of 256, is an improvement that addresses this issue.
It is also vulnerable when non-random or related keys are used, because this
can lead to a very insecure system, such as WEP.
Erik Tews, Ralf-Philipp Weinmann, and Andrei Pychkine created a tool called
aircrack-ptw, which cracks the 104-bit RC4 key used in 128-bit WEP in less than a minute.
The aircrack-ptw attack
“The aircrack team were able to extend Klein’s attack and optimize it for usage against
WEP. Using this version, it is possible to recover a 104 bit WEP key with probability 50% using
just 40,000 captured packets. For 60,000 available data packets, the success probability is
about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and
ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions.
The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7
GHz and can additionally be optimized for devices with slower CPUs. The same attack can be
used for 40 bit keys too with an even higher success probability.”
The best such attack is due to Itsik Mantin and Adi Shamir, who showed that the
second output byte of the cipher is biased toward zero with probability 1/128
(instead of 1/256). This is because if the third byte of the initial state (index 2 of the
zero-based state array) is zero, and the second byte (index 1) is not equal to 2, then the
second output byte is always zero. Such a bias can be detected by observing 256 bytes.