This repo includes a key recovery attack against a mock encryption scheme I've called RC4-CTR. This scheme builds a block cipher using poorly borrowed ideas from AES's counter mode. The attack is similar to the WEP attack used by tools such as aircrack-ng but the initialisation vector is placed before the long term key.

This is a chosen-plaintext attack that recovers the private key in around 100,000 blocks. It works when ephemeral keys are generated by concatenating a public nonce before the long-term key (ala Section 4.3 in "Attacks on the RC4 stream cipher" by Andreas Klein). In doing this, the scheme introduces a relationship between ephemeral keys. The key scheduling algorithm of RC4 isn't very strong, and it's PRNG output leaks enough information about the keys that related-key attacks do work. This attack code should be generalisable to any situation where ephermeral keys are generated by concatenating a known public nonce with the long-term key.

• server.py implements the encryption scheme, exposed via an API endpoint. Check the docstring and source code for a description of the scheme.
• solve.py implements the attack. Check the docstring and source code for implementation details on how the attack works.
• attack.md is a write-up of the attack, intended to accompany and explain the code in solve.py (work-in-progress).

This was all written as a learning exercise, and I've tried to document how and why it works. Hopefully this is a useful accompaniment to the original paper.

There is a live version of the server on my website. You can extract it's key by running:

$ python3 solve.py --cache=samples-djwj.csv --server=https://danielwilshirejones.com

Be warned, the call above is slow and probably not worth it. It takes me over 100 times longer to run the attack on a remote server compared with locally.