In cryptography, a related-key attack is any form of cryptanalysis where the attacker can observe the operation of a cipher under several different keys whose values are initially unknown, but where some mathematical relationship connecting the keys is known to the attacker. For example, the attacker might know that the last 80 bits of the keys are always the same, even though he doesn't know, at first, what the bits are. This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt plaintexts under numerous secret keys related in some way. However, modern cryptography is implemented using complex computer protocols, often not vetted by cryptographers, and in some cases a related-key attack is made very feasible.
An important example of a cryptographic protocol that failed because of a related-key attack is Wired Equivalent Privacy
(WEP) used in WiFi
wireless networks. Each client Wi-Fi network card
and access point
in a WEP-protected network shares the same WEP key. Encryption uses the RC4
algorithm, a stream cipher
. It is essential that the same key never be used twice with a stream cipher. To prevent this from happening, WEP includes a 24-bit initialization vector
(IV) in each message packet. The RC4 key for that packet is the IV concatenated with the WEP key. WEP keys have to be changed manually and this typically happens infrequently. An attacker therefore can assume that all the keys used to encrypt packets are related by a known IV. This fact opened up WEP to a series of attacks which proved devastating. The simplest to understand uses the fact that the 24-bit IV only allows a little under 17 million possibilities. Because of the birthday paradox
, it is likely that for every 4096 packets, two will share the same IV and hence the same RC4 key, allowing the packets to be attacked. Far more deadly attacks take advantage of certain weak keys
in RC4 and eventually allow the WEP key itself to be recovered. In 2005
, agents from the U.S. Federal Bureau of Investigation
publicly demonstrated the ability to do this with widely available software tools in about three minutes.
Preventing related-key attacks
To prevent related-key attacks, a replacement for WEP, Wi-Fi Protected Access
(WPA), uses three levels of keys: master key, working key and RC4 key. The master WPA key is shared with each client and access point and is used in a protocol called TKIP
to create new working keys frequently enough to thwart known attack methods. The working keys are then combined with a longer, 48-bit IV to form the RC4 key for each packet. This design mimics the WEP approach enough to allow WPA to be used with first-generation Wi-Fi network cards, some of which implemented portions of WEP in hardware. However, not all first-generation access points can run WPA.
Another, more conservative approach is to employ a cipher designed to prevent related-key attacks altogether, usually by incorporating a strong key schedule. A newer version of Wi-Fi Protected Access, WPA2, uses the AES block cipher instead of RC4, in part for this reason. Many older network cards, however, cannot run WPA2.
A more aggressive approach is to use a Hardware random number generator to generate truly random keys. Some systems even use a new key every session.