
Plaintext Recovery Attack on WPA-TKIP Using Iterated Key Correlations

Research presentation @ ISEC (July 2018)

Ryoma Ito

July 26, 2018

Transcript

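  1. Introduction. Research background: RC4 and WPA-TKIP

    RC4
    ▶ Keystream generation by the KSA and the PRGA

    WPA-TKIP
    ▶ Feature: the procedure by which TKIP generates the RC4 secret key bytes {K[0], K[1], K[2]}

    Ryoma Ito (Osaka University), Plaintext Recovery Attack on WPA-TKIP Using Iterated Key Correlations, 2018. 7. 26, slide 2 / 36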
  3. Introduction. Research background: current state of SSL/TLS, WEP and WPA-TKIP

    ▶ Use of RC4 in SSL/TLS is prohibited [Pop15]
      ▶ About 18.7% of all web browsers/servers still support RC4
    ▶ Use of WEP and WPA-TKIP is deprecated
      ▶ Current state of encryption on home wireless LANs (Wi-Fi) [IPA, 2016]
      ▶ Practical threat of downgrade attacks against wireless LANs [VP16]
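  6. Introduction. Related work: New Iterated RC4 Key Correlations [IM18]

    Iterated key correlation
    $Z_r = K[0] - K[r \bmod \ell] - r$
    A key correlation in which the pair $(K[0], K[r \bmod \ell])$ repeats every $\ell$ rounds (key length: $\ell = 16$).

    Motivation: plaintext recovery attacks that use the pairs (K[0], K[1]) and (K[0], K[2]).

    Table 1: Number of ciphertexts required to recover {P17, P18, P33, P34, P49, P50, P66, P82}

    | Target | Key correlation [IM18] | Ciphertexts [IM18] | Optimal event [IOWM13] | Ciphertexts [IOWM13] |
    |---|---|---|---|---|
    | P17 | $Z_{17} = K[0] - K[1] - 17$ | $2^{17.727}$ | $Z_{17} = 17$ | $2^{23.178}$ |
    | P18 | $Z_{18} = K[0] - K[2] - 18$ | $2^{17.800}$ | $Z_{18} = 18$ | $2^{23.210}$ |
    | P33 | $Z_{33} = K[0] - K[1] - 33$ | $2^{18.955}$ | $Z_{33} = 0$ | $2^{23.770}$ |
    | P34 | $Z_{34} = K[0] - K[2] - 34$ | $2^{19.035}$ | $Z_{34} = 0$ | $2^{23.791}$ |
    | P49 | $Z_{49} = K[0] - K[1] - 49$ | $2^{20.297}$ | $Z_{49} = 0$ | $2^{24.114}$ |
    | P50 | $Z_{50} = K[0] - K[2] - 50$ | $2^{20.386}$ | $Z_{50} = 0$ | $2^{24.135}$ |
    | P66 | $Z_{66} = K[0] - K[2] - 66$ | $2^{21.869}$ | $Z_{66} = 0$ | $2^{24.479}$ |
    | P82 | $Z_{82} = K[0] - K[2] - 82$ | $2^{23.505}$ | $Z_{82} = 0$ | $2^{24.820}$ |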
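  9. Introduction. Motivation: comparison with the best attacks [PPS14, VP15]

    Table 2: Plaintext recovery attacks [MS01, IOWM13, ABP+13, PPS14, VP15]

    | Related work | Summary |
    |---|---|
    | [MS01] | Bias of $Z_2 = 0$; evaluation of the number of samples needed to distinguish the distribution; first proposal of an attack in the broadcast setting |
    | [IOWM13] | Optimal bias set for the first 257 keystream bytes; recovers the first 257 plaintext bytes from $2^{32}$ ciphertexts with probability about 80% |
    | [ABP+13] | Comprehensive use of the distributions of the first 256 keystream bytes; recovers the first 256 plaintext bytes from $2^{32}$ ciphertexts with probability about 100% |
    | [PPS14] | Extends [ABP+13] by using the per-IV distributions in WPA-TKIP; recovers the first 256 plaintext bytes from $2^{28}$ ciphertexts with probability about 80% |
    | [VP15] | [ABP+13] and [PPS14] plus a plaintext candidate list (prioritized) |

    Motivation: comparison with the best attacks [PPS14, VP15]
    ▶ Are attacks that use key correlations [GMM+14, IM18] more efficient than the best attacks?
    ▶ Can the best attack be improved by choosing the optimal attack for each byte?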
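  11. Introduction. Results: plaintext recovery attacks on WPA-TKIP using key correlations

    1. Plaintext recovery attack using the optimal bias set
       ▶ Confirmed the effectiveness of the optimal bias set
       ▶ The 12 bytes {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257}
       ▶ Recovers the first 257 plaintext bytes from $2^{30}$ ciphertexts with probability about 57.2%
       ▶ A probability 3.0% lower than the attack of [IOWM13]
    2. Plaintext recovery attack making comprehensive use of the distributions of the key correlations
       ▶ Applies the key correlations [GMM+14, IM18] to the attacks of [ABP+13, PPS14]
       ▶ Recovers the 6 bytes {P3, P18, P34, P50, P66, P82} more efficiently than the attack of [PPS14]
    3. Optimal plaintext recovery attack using key correlations
       ▶ Chooses the optimal plaintext recovery method for each byte
       ▶ Recovers the first 257 plaintext bytes from $2^{30}$ ciphertexts with probability about 90.8%
       ▶ A probability 6.0% higher than previous attacks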
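  14. Introduction. Outline of the talk

    1 Related work: plaintext recovery attacks and key correlations
      - The attack of Mantin and Shamir [MS01]
      - The optimal bias set of Isobe et al. [IOWM13]
      - The attack of AlFardan et al. [ABP+13]
      - The attack of Paterson et al. [PPS14]
      - The key correlations of Sen Gupta et al. [GMM+14]
      - The iterated key correlations of Ito and Miyaji [IM18]
    2 Results: plaintext recovery attacks using key correlations
      - Attack using the optimal bias set
      - Attack making comprehensive use of the distributions of the key correlations
      - Optimal attack using key correlations
    3 Summary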
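  15. Related work: plaintext recovery attacks and key correlations

    Table 3: Plaintext recovery attacks [MS01, IOWM13, ABP+13, PPS14, VP15]

    | Related work | Summary |
    |---|---|
    | [MS01] | Bias of $Z_2 = 0$; evaluation of the number of samples needed to distinguish the distribution; first proposal of an attack in the broadcast setting |
    | [IOWM13] | Optimal bias set for the first 257 keystream bytes; recovers the first 257 plaintext bytes from $2^{32}$ ciphertexts with probability about 80% |
    | [ABP+13] | Comprehensive use of the distributions of the first 256 keystream bytes; recovers the first 256 plaintext bytes from $2^{32}$ ciphertexts with probability about 100% |
    | [PPS14] | Extends [ABP+13] by using the per-IV distributions in WPA-TKIP; recovers the first 256 plaintext bytes from $2^{28}$ ciphertexts with probability about 80% |
    | [VP15] | [ABP+13] and [PPS14] plus a plaintext candidate list (prioritized) |

    Table 4: Key correlations [GMM+14, IM18]

    | Related work | Summary |
    |---|---|
    | [GMM+14] | $Z_r = a \cdot K[0] + b \cdot K[1] + c \cdot K[2] + d$ (key correlations in WPA-TKIP); recovers {P1, P3, P256, P257} more efficiently than [IOWM13] |
    | [IM18] | $Z_r = K[0] - K[r \bmod \ell] - r$ (iterated key correlations) |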
  17. Related work 1: the attack of Mantin and Shamir [MS01]

    Theorem 1 [MS01, Theorem 1]
    Assume that the initial internal state $S_0$ of the PRGA is a random state. Then the probability that the second keystream byte of RC4 is 0 is approximately $\frac{2}{N}$.
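  19. Related work 1: the attack of Mantin and Shamir [MS01]

    Broadcast setting
    ▶ The same plaintext P is encrypted under multiple different secret keys K, and the resulting information C is transmitted

    Theorem 3 [MS01, Theorem 3]
    Let $P_2$ be the second plaintext byte, and let $C_2^{(1)}, \ldots, C_2^{(k)}$ be the ciphertexts obtained by encrypting it with RC4 under k secret keys chosen uniformly at random. Then, if $k = \Omega(N)$, $P_2$ can be derived from the k ciphertexts.

    How $P_2$ is recovered
    ▶ RC4 encryption: $C_2 = P_2 \oplus Z_2$
    ▶ (Theorem 1) $C_2 = Z_2$ holds with probability $\frac{2}{N}$
    ▶ The most frequent value of $C_2$ is recovered as $P_2$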
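  22. Related work 2: the optimal bias set of Isobe et al. [IOWM13]

    | Round r | Optimal event $Z_r$ | Probability (theoretical value) |
    |---|---|---|
    | 1 | $Z_1 = 0 \mid Z_2 = 0$ | $2^{-8} \cdot (1 + 2^{-1.009})$ |
    | 2 | $Z_2 = 0$ | $2^{-8} \cdot (1 + 2^{0})$ |
    | 3 | $Z_3 = 131$ | $2^{-8} \cdot (1 + 2^{-8.089})$ |
    | 4 | $Z_4 = 0$ | $2^{-8} \cdot (1 + 2^{-7.581})$ |
    | 5-15 | $Z_r = r$ | max: $2^{-8} \cdot (1 + 2^{-7.627})$, min: $2^{-8} \cdot (1 + 2^{-7.737})$ |
    | 16 | $Z_{16} = 240$ | $2^{-8} \cdot (1 + 2^{-4.671})$ |
    | 17-31 | $Z_r = r$ | max: $2^{-8} \cdot (1 + 2^{-7.759})$, min: $2^{-8} \cdot (1 + 2^{-7.912})$ |
    | 32 | $Z_{32} = 224$ | $2^{-8} \cdot (1 + 2^{-5.176})$ |
    | 33-47 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-7.897})$, min: $2^{-8} \cdot (1 + 2^{-8.050})$ |
    | 48 | $Z_{48} = 208$ | $2^{-8} \cdot (1 + 2^{-5.651})$ |
    | 49-63 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.072})$, min: $2^{-8} \cdot (1 + 2^{-8.224})$ |
    | 64 | $Z_{64} = 192$ | $2^{-8} \cdot (1 + 2^{-6.085})$ |
    | 65-79 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.246})$, min: $2^{-8} \cdot (1 + 2^{-8.398})$ |
    | 80 | $Z_{80} = 176$ | $2^{-8} \cdot (1 + 2^{-6.574})$ |
    | 81-95 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.420})$, min: $2^{-8} \cdot (1 + 2^{-8.571})$ |
    | 96 | $Z_{96} = 160$ | $2^{-8} \cdot (1 + 2^{-6.970})$ |
    | 97-111 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.592})$, min: $2^{-8} \cdot (1 + 2^{-8.741})$ |
    | 112 | $Z_{112} = 144$ | $2^{-8} \cdot (1 + 2^{-7.300})$ |
    | 113-255 | $Z_r = 0$ | max: $2^{-8} \cdot (1 + 2^{-8.763})$, min: $2^{-8} \cdot (1 + 2^{-10.052})$ |
    | 256 | $Z_{256} = 0$ | $2^{-8} \cdot (1 - 2^{-9.474})$ |
    | 257 | $Z_{257} = 0$ | $2^{-8} \cdot (1 + 2^{-9.474})$ |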
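  23. Related work 3: the attack of AlFardan et al. [ABP+13]

    Broadcast setting
    ▶ The same plaintext P is encrypted under multiple different secret keys K, and the resulting information C is transmitted

    Maximum-likelihood estimation: comprehensive use of the keystream distributions
    1. Collect the ciphertexts $\{C^{(1)}, \ldots, C^{(S)}\}$ in the broadcast setting
    2. Guess a plaintext candidate value $\mu$
       ▶ Build the keystream distribution table induced by the candidate value
    3. Compare it with the theoretical keystream distribution table
       ▶ Output the maximum-likelihood estimate $P^{*}$ of the plaintext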
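  24. Related work 3: the attack of AlFardan et al. [ABP+13]

    1. Build the theoretical keystream distribution:
       $p_{r,k} := \Pr(Z_r = k), \quad k = \mathtt{0x00}, \ldots, \mathtt{0xFF}$
    2. Build the keystream distribution $(N^{(\mu)}_{\mathtt{0x00}}, \ldots, N^{(\mu)}_{\mathtt{0xFF}})$ induced by the plaintext candidate value $\mu$:
       $N^{(\mu)}_{k} = |\{ j \mid C_{j,r} = k \oplus \mu \}_{1 \le j \le S}|, \quad k = \mathtt{0x00}, \ldots, \mathtt{0xFF}$
    3. Derive the probability $\lambda_\mu$ that the plaintext is $\mu$ (footnote 1):
       $\lambda_\mu = \frac{S!}{N^{(\mu)}_{\mathtt{0x00}}! \cdots N^{(\mu)}_{\mathtt{0xFF}}!} \prod_{k \in \{\mathtt{0x00}, \ldots, \mathtt{0xFF}\}} p_{r,k}^{N^{(\mu)}_{k}}$
    4. Output the plaintext candidate value $\mu$ that maximizes $\lambda_\mu$

    Footnote 1: $N = (N^{(\mu)}_{\mathtt{0x00}}, \ldots, N^{(\mu)}_{\mathtt{0xFF}})$ follows a multinomial distribution with parameters $p = (p_{r,\mathtt{0x00}}, \ldots, p_{r,\mathtt{0xFF}})$ and $S$.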
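  28. Related work 4: the attack of Paterson et al. [PPS14]

    1. Build the theoretical keystream distribution for each $IV = (IV_0, IV_1)$:
       $p_{IV,r,k} := \Pr(Z_r = k), \quad IV = (\mathtt{0x00}, \mathtt{0x00}), \ldots, (\mathtt{0xFF}, \mathtt{0xFF}), \quad k = \mathtt{0x00}, \ldots, \mathtt{0xFF}$
    2. Build the keystream distribution $(N^{(\mu)}_{\mathtt{0x00}}, \ldots, N^{(\mu)}_{\mathtt{0xFF}})$ induced by the plaintext candidate value $\mu$:
       $N^{(\mu)}_{IV,k} = |\{ j \mid C_{IV,j,r} = k \oplus \mu \}_{1 \le j \le S}|, \quad k = \mathtt{0x00}, \ldots, \mathtt{0xFF}$
    3. For each IV, derive the probability $\lambda_{IV,\mu}$ that the plaintext is $\mu$:
       $\lambda_{IV,\mu} = \frac{S!}{N^{(\mu)}_{IV,\mathtt{0x00}}! \cdots N^{(\mu)}_{IV,\mathtt{0xFF}}!} \prod_{k \in \{\mathtt{0x00}, \ldots, \mathtt{0xFF}\}} p_{IV,r,k}^{N^{(\mu)}_{IV,k}}$
    4. Derive the probability $\lambda_\mu$ that the plaintext is $\mu$:
       $\lambda_\mu = \prod_{(\mathtt{0x00}, \mathtt{0x00}) \le IV \le (\mathtt{0xFF}, \mathtt{0xFF})} \lambda_{IV,\mu}$
    5. Output the plaintext candidate value $\mu$ that maximizes $\lambda_\mu$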
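  29. Related work 5: the key correlations of Sen Gupta et al. [GMM+14]

    Motivation: make plaintext recovery attacks on WPA-TKIP more efficient.

    Key correlations for the keystream that use the public information {K[0], K[1], K[2]}:
    $Z_r = a \cdot K[0] + b \cdot K[1] + c \cdot K[2] + d$
    $r \in [1, 257], \quad a, b, c \in \{-1, 0, 1\}, \quad d \in \{-3, -2, -1, 0, 1, 2, 3\}$

    Table 5: Number of ciphertexts required to recover {P1, P3, P256, P257}

    | Target | Key correlation [GMM+14] | Ciphertexts [GMM+14] | Optimal event [IOWM13] | Ciphertexts [IOWM13] |
    |---|---|---|---|---|
    | P1 | $Z_1 = -K[0] - K[1]$ | $2^{10.896}$ | $Z_1 = 0 \mid Z_2 = 0$ | $2^{18.072}$ |
    | P3 | $Z_3 = K[0] + K[1] + K[2] + 3$ | $2^{13.939}$ | $Z_3 = 131$ | $2^{24.218}$ |
    | P256 | $Z_{256} = -K[0]$ | $2^{13.803}$ | $Z_{256} = 0$ | $2^{26.814}$ |
    | P257 | $Z_{257} = -K[0] - K[1]$ | $2^{16.758}$ | $Z_{257} = 0$ | $2^{27.062}$ |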
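  30. Related work 6: the iterated key correlations of Ito and Miyaji [IM18]

    Iterated key correlation
    $Z_r = K[0] - K[r \bmod \ell] - r$
    A key correlation in which the pair $(K[0], K[r \bmod \ell])$ repeats every $\ell$ rounds (key length: $\ell = 16$).

    Motivation: plaintext recovery attacks that use the pairs (K[0], K[1]) and (K[0], K[2]).

    Table 6: Number of ciphertexts required to recover {P17, P18, P33, P34, P49, P50, P66, P82}

    | Target | Key correlation [IM18] | Ciphertexts [IM18] | Optimal event [IOWM13] | Ciphertexts [IOWM13] |
    |---|---|---|---|---|
    | P17 | $Z_{17} = K[0] - K[1] - 17$ | $2^{17.727}$ | $Z_{17} = 17$ | $2^{23.178}$ |
    | P18 | $Z_{18} = K[0] - K[2] - 18$ | $2^{17.800}$ | $Z_{18} = 18$ | $2^{23.210}$ |
    | P33 | $Z_{33} = K[0] - K[1] - 33$ | $2^{18.955}$ | $Z_{33} = 0$ | $2^{23.770}$ |
    | P34 | $Z_{34} = K[0] - K[2] - 34$ | $2^{19.035}$ | $Z_{34} = 0$ | $2^{23.791}$ |
    | P49 | $Z_{49} = K[0] - K[1] - 49$ | $2^{20.297}$ | $Z_{49} = 0$ | $2^{24.114}$ |
    | P50 | $Z_{50} = K[0] - K[2] - 50$ | $2^{20.386}$ | $Z_{50} = 0$ | $2^{24.135}$ |
    | P66 | $Z_{66} = K[0] - K[2] - 66$ | $2^{21.869}$ | $Z_{66} = 0$ | $2^{24.479}$ |
    | P82 | $Z_{82} = K[0] - K[2] - 82$ | $2^{23.505}$ | $Z_{82} = 0$ | $2^{24.820}$ |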
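  31. Results: plaintext recovery attacks on WPA-TKIP using key correlations

    1. Plaintext recovery attack using the optimal bias set
       ▶ Confirmed the effectiveness of the optimal bias set
       ▶ The 12 bytes {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257}
       ▶ Recovers the first 257 plaintext bytes from $2^{30}$ ciphertexts with probability about 57.2%
       ▶ A probability 3.0% lower than the attack of [IOWM13]
    2. Plaintext recovery attack making comprehensive use of the distributions of the key correlations
       ▶ Applies the key correlations [GMM+14, IM18] to the attacks of [ABP+13, PPS14]
       ▶ Recovers the 6 bytes {P3, P18, P34, P50, P66, P82} more efficiently than the attack of [PPS14]
    3. Optimal plaintext recovery attack using key correlations
       ▶ Chooses the optimal plaintext recovery method for each byte
       ▶ Recovers the first 257 plaintext bytes from $2^{30}$ ciphertexts with probability about 90.8%
       ▶ A probability 6.0% higher than previous attacks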
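  32. Results 1: attack using the optimal bias set

    Table 7: The optimal bias set in WPA-TKIP

    | Target | Key correlation [GMM+14, IM18] | Ciphertexts [GMM+14, IM18] | Optimal event [IOWM13] | Ciphertexts [IOWM13] |
    |---|---|---|---|---|
    | P1 | $Z_1 = -K[0] - K[1]$ | $2^{10.896}$ | $Z_1 = 0 \mid Z_2 = 0$ | $2^{18.072}$ |
    | P3 | $Z_3 = K[0] + K[1] + K[2] + 3$ | $2^{13.939}$ | $Z_3 = 131$ | $2^{24.218}$ |
    | P17 | $Z_{17} = K[0] - K[1] - 17$ | $2^{17.727}$ | $Z_{17} = 17$ | $2^{23.178}$ |
    | P18 | $Z_{18} = K[0] - K[2] - 18$ | $2^{17.800}$ | $Z_{18} = 18$ | $2^{23.210}$ |
    | P33 | $Z_{33} = K[0] - K[1] - 33$ | $2^{18.955}$ | $Z_{33} = 0$ | $2^{23.770}$ |
    | P34 | $Z_{34} = K[0] - K[2] - 34$ | $2^{19.035}$ | $Z_{34} = 0$ | $2^{23.791}$ |
    | P49 | $Z_{49} = K[0] - K[1] - 49$ | $2^{20.297}$ | $Z_{49} = 0$ | $2^{24.114}$ |
    | P50 | $Z_{50} = K[0] - K[2] - 50$ | $2^{20.386}$ | $Z_{50} = 0$ | $2^{24.135}$ |
    | P66 | $Z_{66} = K[0] - K[2] - 66$ | $2^{21.869}$ | $Z_{66} = 0$ | $2^{24.479}$ |
    | P82 | $Z_{82} = K[0] - K[2] - 82$ | $2^{23.505}$ | $Z_{82} = 0$ | $2^{24.820}$ |
    | P256 | $Z_{256} = -K[0]$ | $2^{13.803}$ | $Z_{256} = 0$ | $2^{26.814}$ |
    | P257 | $Z_{257} = -K[0] - K[1]$ | $2^{16.758}$ | $Z_{257} = 0$ | $2^{27.062}$ |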
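  33. Results 1: attack using the optimal bias set

    Experimental method
    1. Generate the first 257 bytes of the plaintext P uniformly at random.
    2. Encrypt P under $k \in \{2^{6}, 2^{7}, \ldots, 2^{30}\}$ secret keys generated uniformly at random, producing k ciphertexts $C^{(1)}, \ldots, C^{(k)}$.
    3. Tally the ciphertext bytes $C_r$ and build a distribution table.
    4. Recover the plaintext by $P_r = C_r \oplus Z_r$ from the most frequent value of $C_r$ and the optimal bias set for the keystream byte $Z_r$.
    5. Repeat steps 1 to 4 for 256 trials and derive the success probability of plaintext recovery.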
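  38. Results 1: attack using the optimal bias set

    Table 8: Number of ciphertexts required for the attack and success probabilities

    | Target | Ciphertexts | Success probability (%) [GMM+14, IM18] | Success probability (%) [IOWM13] |
    |---|---|---|---|
    | P1 | $2^{17}$ | 100 | 3.91 |
    | P3 | $2^{20}$ | 100 | 1.17 |
    | P17 | $2^{23}$ | 100 | 5.47 |
    | P18 | $2^{24}$ | 100 | 8.59 |
    | P33 | $2^{25}$ | 100 | 7.03 |
    | P34 | $2^{25}$ | 100 | 8.98 |
    | P49 | $2^{27}$ | 100 | 28.1 |
    | P50 | $2^{26}$ | 100 | 18.8 |
    | P66 | $2^{28}$ | 100 | 53.5 |
    | P82 | $2^{29}$ | 100 | 69.9 |
    | P256 | $2^{19}$ | 100 | 0.39 |
    | P257 | $2^{22}$ | 100 | 0.78 |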
  39. Results 1: attack using the optimal bias set

    Figure 5: Comparison of success probabilities: plaintext recovery attacks with $2^{22}$ to $2^{30}$ ciphertexts
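  40. Results: plaintext recovery attacks using key correlations. Related work 2: the attack of AlFardan et al. [ABP+13] (shown again)

    1. Build the theoretical keystream distribution:
       $p_{r,k} := \Pr(Z_r = k), \quad k = \mathtt{0x00}, \ldots, \mathtt{0xFF}$
    2. Build the keystream distribution $(N^{(\mu)}_{\mathtt{0x00}}, \ldots, N^{(\mu)}_{\mathtt{0xFF}})$ induced by the plaintext candidate value $\mu$:
       $N^{(\mu)}_{k} = |\{ j \mid C_{j,r} = k \oplus \mu \}_{1 \le j \le S}|, \quad k = \mathtt{0x00}, \ldots, \mathtt{0xFF}$
    3. Derive the probability $\lambda_\mu$ that the plaintext is $\mu$ (footnote 2):
       $\lambda_\mu = \frac{S!}{N^{(\mu)}_{\mathtt{0x00}}! \cdots N^{(\mu)}_{\mathtt{0xFF}}!} \prod_{k \in \{\mathtt{0x00}, \ldots, \mathtt{0xFF}\}} p_{r,k}^{N^{(\mu)}_{k}}$
    4. Output the plaintext candidate value $\mu$ that maximizes $\lambda_\mu$

    Footnote 2: $N = (N^{(\mu)}_{\mathtt{0x00}}, \ldots, N^{(\mu)}_{\mathtt{0xFF}})$ follows a multinomial distribution with parameters $p = (p_{r,\mathtt{0x00}}, \ldots, p_{r,\mathtt{0xFF}})$ and $S$.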
  41. Results 2: attack making comprehensive use of the distributions of the key correlations

    $p_{1,k} := \Pr(Z_1 = -K[0] - K[1] + k)$,
    $p_{3,k} := \Pr(Z_3 = K[0] + K[1] + K[2] + k)$,
    $p_{17,k} := \Pr(Z_{17} = K[0] - K[1] + k)$,
    $p_{18,k} := \Pr(Z_{18} = K[0] - K[2] + k)$,
    $p_{33,k} := \Pr(Z_{33} = K[0] - K[1] + k)$,
    $p_{34,k} := \Pr(Z_{34} = K[0] - K[2] + k)$,
    $p_{49,k} := \Pr(Z_{49} = K[0] - K[1] + k)$,
    $p_{50,k} := \Pr(Z_{50} = K[0] - K[2] + k)$,
    $p_{66,k} := \Pr(Z_{66} = K[0] - K[2] + k)$,
    $p_{82,k} := \Pr(Z_{82} = K[0] - K[2] + k)$,
    $p_{256,k} := \Pr(Z_{256} = -K[0] + k)$,
    $p_{257,k} := \Pr(Z_{257} = -K[0] - K[1] + k)$.

    Footnote 3: The parameters $p = (p_{r,\mathtt{0x00}}, \ldots, p_{r,\mathtt{0xFF}})$ of the multinomial distribution must sum to 1.
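  42. Results 2: attack making comprehensive use of the distributions of the key correlations

    Table 9: Number of ciphertexts required for the attack and success probabilities

    | Target | Ciphertexts | Success probability (%), proposed method | Success probability (%) [PPS14] |
    |---|---|---|---|
    | P1 | $2^{16}$ | 99.6 | 100 |
    | P3 | $2^{20}$ | 100 | 3.52 |
    | P17 | $2^{23}$ | 100 | 100 |
    | P18 | $2^{24}$ | 100 | 32.4 |
    | P33 | $2^{23}$ | 92.2 | 100 |
    | P34 | $2^{25}$ | 100 | 98.0 |
    | P49 | $2^{24}$ | 50.0 | 100 |
    | P50 | $2^{26}$ | 100 | 61.3 |
    | P66 | $2^{28}$ | 100 | 94.1 |
    | P82 | $2^{29}$ | 100 | 97.3 |
    | P256 | $2^{19}$ | 100 | 100 |
    | P257 | $2^{22}$ | 99.6 | 100 |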
  43. Results 3: optimal attack using key correlations

    Figure 10: Comparison of success probabilities: plaintext recovery attacks with $2^{22}$ to $2^{30}$ ciphertexts
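  44. Summary

    1. Plaintext recovery attack using the optimal bias set
       ▶ Confirmed the effectiveness of the optimal bias set
       ▶ The 12 bytes {Z1, Z3, Z17, Z18, Z33, Z34, Z49, Z50, Z66, Z82, Z256, Z257}
       ▶ Recovers the first 257 plaintext bytes from $2^{30}$ ciphertexts with probability about 57.2%
       ▶ A probability 3.0% lower than the attack of [IOWM13]
    2. Plaintext recovery attack making comprehensive use of the distributions of the key correlations
       ▶ Applies the key correlations [GMM+14, IM18] to the attacks of [ABP+13, PPS14]
       ▶ Recovers the 6 bytes {P3, P18, P34, P50, P66, P82} more efficiently than the attack of [PPS14]
    3. Optimal plaintext recovery attack using key correlations
       ▶ Chooses the optimal plaintext recovery method for each byte
       ▶ Recovers the first 257 plaintext bytes from $2^{30}$ ciphertexts with probability about 90.8%
       ▶ A probability 6.0% higher than previous attacks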
  45. References I

    [ABP+13] Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, and Jacob C. N. Schuldt. On the Security of RC4 in TLS. In USENIX Security Symposium 2013, 2013.
    [GMM+14] Sourav Sen Gupta, Subhamoy Maitra, Willi Meier, Goutam Paul, and Santanu Sarkar. Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 350–369. Springer Berlin Heidelberg, 2014.
    [IM18] Ryoma Ito and Atsuko Miyaji. New Iterated RC4 Key Correlations. In Willy Susilo and Guomin Yang, editors, Information Security and Privacy - ACISP 2018, volume 10946 of Lecture Notes in Computer Science, pages 154–171. Springer International Publishing, 2018.
    [IOWM13] Takanori Isobe, Toshihiro Ohigashi, Yuhei Watanabe, and Masakatu Morii. Full Plaintext Recovery Attack on Broadcast RC4. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2013.
    [MS01] Itsik Mantin and Adi Shamir. Practical Attack on Broadcast RC4. In Mitsuru Matsui, editor, Fast Software Encryption - FSE 2001, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer Berlin Heidelberg, 2001.
    [PPS14] Kenneth G. Paterson, Bertram Poettering, and Jacob C.N. Schuldt. Plaintext Recovery Attacks Against WPA/TKIP. In Carlos Cid and Christian Rechberger, editors, Fast Software Encryption - FSE 2014, volume 8540 of Lecture Notes in Computer Science, pages 325–349. Springer Berlin Heidelberg, 2014.
    [VP15] Mathy Vanhoef and Frank Piessens. All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS. In USENIX Security Symposium 2015, pages 97–112, 2015.
    [VP16] Mathy Vanhoef and Frank Piessens. Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys. In USENIX Security Symposium 2016, 2016.
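
The broadcast-setting recovery of the second plaintext byte on the [MS01] slides, and the likelihood ranking on the [ABP+13] slides, can be reproduced at small scale with the added example below; it is not code from the talk or from the cited papers. The sample count, seed, 16-byte random keys, the plaintext byte 0x41 and the two-level model for p_{2,k} (2/N for k = 0, uniform otherwise) are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

N = 256  # RC4 state size

def rc4_keystream(key, n):
    """Return the first n keystream bytes Z_1..Z_n for `key` (KSA, then PRGA)."""
    s = list(range(N))
    j = 0
    for i in range(N):                       # key scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % N
        s[i], s[j] = s[j], s[i]
    out, i, j = [], 0, 0
    for _ in range(n):                       # pseudo-random generation algorithm
        i = (i + 1) % N
        j = (j + s[i]) % N
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % N])
    return out

def collect_c2(p2, samples, rng):
    """Broadcast setting: tally C_2 = P_2 xor Z_2 over `samples` random keys."""
    counts = Counter()
    for _ in range(samples):
        key = rng.getrandbits(128).to_bytes(16, "big")   # fresh 16-byte key
        counts[p2 ^ rc4_keystream(key, 2)[1]] += 1
    return counts

def recover_by_frequency(counts):
    """[MS01] rule from the slides: the most frequent C_2 value is taken as P_2."""
    return counts.most_common(1)[0][0]

def recover_by_likelihood(counts, p):
    """[ABP+13] rule: pick the candidate mu with the largest lambda_mu.

    N_k^(mu) is the count of ciphertext value k xor mu, so
    log(lambda_mu) = sum over c of counts[c] * log p[c xor mu] + const.
    The multinomial coefficient is dropped: N^(mu) is only a permutation of
    the same counts for every mu, so the coefficient does not depend on mu.
    """
    def log_lambda(mu):
        return sum(n * math.log(p[c ^ mu]) for c, n in counts.items())
    return max(range(N), key=log_lambda)

def z2_model():
    """Assumed model of p_{2,k}: Pr(Z_2 = 0) = 2/N, the rest spread evenly."""
    rest = (1 - 2 / N) / (N - 1)
    return [2 / N] + [rest] * (N - 1)

def demo(samples=1 << 14, seed=2018):
    rng = random.Random(seed)                # fixed seed: constructed sample data
    p2 = 0x41                                # constructed plaintext byte
    counts = collect_c2(p2, samples, rng)
    return p2, recover_by_frequency(counts), recover_by_likelihood(counts, z2_model())

if __name__ == "__main__":
    true_p2, by_freq, by_ml = demo()
    print(f"P2={true_p2:#04x} frequency={by_freq:#04x} likelihood={by_ml:#04x}")
```

With the two-level model the likelihood ranking reduces to the frequency rule; the two differ once p_{r,k} is a full 256-entry distribution, as in [ABP+13] and the per-IV tables of [PPS14].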