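I have two messages encrypted with the same partial key. For example:
C1 = RC4(M1, "(VARIABLE_DATA)XXXXYYYY")
C2 = RC4(M2, "(VARIABLE_DATA)XXXXYYYY")
With RC4, is it possible to recover at least the "XXXXYYYY" part of the key if C1 and C2 are known, since that part never changes?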
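I think there is some confusion in your question. A stream cipher works by generating a keystream, which is (usually) XORed with the message. You are correct that if you use the same key and IV, and therefore the same keystream, this leaks information about the messages.
Here, K is the keystream generated by RC4:
C1 = K ^ M1
C2 = K ^ M2
And by rearranging:
C1 ^ C2 = (K ^ M1) ^ (K ^ M2)
The keystream cancels out here, leaving
C1 ^ C2 = M1 ^ M2
Since the attacker knows both ciphertext values, he can compute the difference of the two messages. If the attacker knows one of the inputs (perhaps a fixed header), he can compute the second message.
M2 = (C1 ^ C2) ^ M1
If the messages are natural language, there are also statistical tests that use cribs.
To answer your question, RC4 should generate a completely different keystream under related keys, so this attack won't work. However, there are other attacks against the key scheduling algorithm, and there are plenty of reasons to prefer alternatives to RC4.
In general, the key of an uncompromised encryption technique can only be recovered by brute force, which in turn requires some way to verify that the decryption succeeded.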
Trying to solve this exact question, I've stumbled across several threads with almost the same question and absolutely the same answer... which didn't work for me. BUT! The answers were absolutely correct and @mfanto gives a very accurate description of what needs to be done (though the brackets make no sense, as you can see in my code)!
Here is my C code which worked for me:
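    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        if (argc != 4)
        {
            printf("usage: ./rc4_pa cipher1 cipher2 message1\n");
            return 1;
        }

        char *c1 = argv[1];
        char *c2 = argv[2];
        char *m1 = argv[3];
        size_t len_c1 = strlen(c1);
        size_t len_c2 = strlen(c2);
        size_t len_m1 = strlen(m1);

        /* Both ciphertexts must cover the known plaintext, otherwise the
           loop below would read past the end of the arguments. */
        if (len_c1 < len_m1 || len_c2 < len_m1)
        {
            printf("ciphertexts must be at least as long as message1\n");
            return 1;
        }

        char m2[len_m1 + 1];
        m2[len_m1] = '\0';

        /* m2 = c1 ^ m1 ^ c2: the shared keystream cancels out */
        for (size_t i = 0; i < len_m1; i++)
        {
            m2[i] = c1[i] ^ m1[i] ^ c2[i];
        }
        printf("decrypted: %s\n", m2);
        return 0;
    }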
Why didn't my code work out of the box? I got my ciphertext from a web server, and usually some chars of a ciphertext are not really printable. The only way to pass them further is to encode them once more. In my case that was base64.
Save the code to rc4_pa.c
and make rc4_pa
then use it like this
$ ./rc4_pa $(echo L1Gd8F5g | base64 -d) $(echo MFuD8FVg | base64 -d) hello
Hope someone else might find it helpful.
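The two cases discussed in this thread, side by side, as an added example that is not code from either answer: with an identical full key the keystream cancels and M2 = C1 ^ C2 ^ M1 holds, while keys that share only the XXXXYYYY suffix give unrelated keystreams and the relation fails. The prefixes A1B2 and Z9Y8 and both messages are constructed stand-ins for (VARIABLE_DATA) and M1/M2; buffers are handled as raw bytes with explicit lengths, so non-printable ciphertext bytes are not a problem.

```c
#include <stdio.h>
#include <string.h>

/* Textbook RC4: key schedule, then XOR the keystream into the data. */
static void rc4(const unsigned char *key, size_t klen,
                const unsigned char *in, unsigned char *out, size_t len)
{
    unsigned char S[256], t;
    unsigned i = 0, j = 0;
    size_t n;
    for (n = 0; n < 256; n++) S[n] = (unsigned char)n;
    for (n = 0; n < 256; n++) {
        j = (j + S[n] + key[n % klen]) & 0xff;
        t = S[n]; S[n] = S[j]; S[j] = t;
    }
    for (j = 0, n = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[n] = in[n] ^ S[(S[i] + S[j]) & 0xff];
    }
}

enum { LEN = 16 };

/* Encrypt M1 under key1 and M2 under key2, compute C1 ^ C2 ^ M1 over LEN raw
 * bytes (no strlen on ciphertext), and return 1 if that equals M2. */
static int recovers_m2(const char *key1, const char *key2)
{
    const unsigned char m1[LEN + 1] = "hello, world!!!!"; /* constructed */
    const unsigned char m2[LEN + 1] = "attack at dawn!!"; /* constructed */
    unsigned char c1[LEN], c2[LEN], guess[LEN];
    size_t n;
    rc4((const unsigned char *)key1, strlen(key1), m1, c1, LEN);
    rc4((const unsigned char *)key2, strlen(key2), m2, c2, LEN);
    for (n = 0; n < LEN; n++) guess[n] = c1[n] ^ c2[n] ^ m1[n];
    return memcmp(guess, m2, LEN) == 0;
}

int main(void)
{
    /* Same full key: keystream cancels, M2 is recovered. */
    printf("same key:         %d\n", recovers_m2("A1B2XXXXYYYY", "A1B2XXXXYYYY"));
    /* Only the XXXXYYYY suffix shared: keystreams differ, nothing cancels. */
    printf("different prefix: %d\n", recovers_m2("A1B2XXXXYYYY", "Z9Y8XXXXYYYY"));
    return 0;
}
```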