Requesting feedback on patched RC4-variant

Greg Rose ggr at
Mon Apr 23 17:12:25 EDT 2001

At 12:22 AM 4/22/2001 +0200, Matthijs van Duin wrote:
>Too short key length wasn't the only problem in WEP: Another problem arose 
>from the fact that when you toggle a single bit in the ciphertext, that 
>*same* bit is toggled in the plaintext.

As Perry points out, you need integrity protection anyway, whether using 
RC4 or not. But I'd like to point out that this is one of the few things 
*not* really wrong with WEP. Remember that the signal is being sent using 
DSSS (Direct sequence spread spectrum, similar to CDMA digital phones) and 
the chances of an attacker being able to change just one bit, or a targeted 
selection of bits, in a message, are essentially zero.

>Therefore, if the contents of part of the ciphertext is known, that part 
>could be modified. WEP has integrity checking to protect against this, 
>however they did this in a flawed way. (the propagation of a bit toggle 
>can be tracked through the CRC algorithm to determine which bits of the 
>CRC should be toggled to make sure the change will not be detected)

Mathematically true, and they shouldn't have done it this way, but 
essentially impossible in practice ... in THIS standard. It is certainly a 
more important mistake in some other (e.g. IP) contexts.

>in general, I'm not comfortable with this bit-toggle property, but RB is 
>too sucky to implement a decent algorithm.

But you think that CBC mode of a (non-sucky) block cipher is adequate 
protection? Sigh.


Greg Rose                                       INTERNET: ggr at
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,      
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
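Added example, not code from the original thread or from either poster: the RC4 bit-flip plus CRC-32 patch that Matthijs describes, written out in Python. The key, IV and message are constructed sample values; the WEP-like framing (message followed by a little-endian CRC-32 ICV, XORed with RC4 keyed on IV||secret) follows the standard's layout only as far as needed to show the algebra. The HMAC-SHA256 variant at the end is an assumed alternative MAC, not anything WEP defines, included so the same flips can be seen being rejected by a keyed integrity check.

```python
# Added example, not from the original thread. Constructed sample key, IV
# and message; WEP-like framing only as far as needed to show the algebra.
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(msg: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the message, little-endian."""
    return struct.pack("<I", zlib.crc32(msg))


def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """WEP-style frame body: (msg || ICV) XOR RC4(IV || secret). The IV travels
    in the clear in real WEP; here it is simply passed alongside the frame."""
    return xor(msg + crc_icv(msg), rc4_keystream(iv + secret, len(msg) + 4))


def wep_decrypt(secret: bytes, iv: bytes, frame: bytes):
    """Return the message, or None when the ICV does not check."""
    pt = xor(frame, rc4_keystream(iv + secret, len(frame)))
    msg, icv = pt[:-4], pt[-4:]
    return msg if crc_icv(msg) == icv else None


def forge_frame(frame: bytes, delta: bytes) -> bytes:
    """Attacker side, no key needed. Flipping ciphertext bits flips the same
    plaintext bits under a stream cipher. CRC-32 (init and xor-out included)
    satisfies crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of len(m)), so the
    ICV is patched with crc(delta) ^ crc(zeros) and still verifies."""
    n = len(frame) - 4
    if len(delta) != n:
        raise ValueError("delta must cover exactly the message bytes")
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return xor(frame, delta + struct.pack("<I", icv_delta))


def mac_key(secret: bytes) -> bytes:
    # Assumed key separation so the MAC key differs from the RC4 key.
    return hashlib.sha256(b"mac" + secret).digest()


def mac_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """Same RC4 stream, but the tag is HMAC-SHA256 over IV || msg (an assumed
    alternative to the CRC ICV, not something WEP specifies)."""
    tag = hmac.new(mac_key(secret), iv + msg, hashlib.sha256).digest()
    return xor(msg + tag, rc4_keystream(iv + secret, len(msg) + 32))


def mac_decrypt(secret: bytes, iv: bytes, frame: bytes):
    pt = xor(frame, rc4_keystream(iv + secret, len(frame)))
    msg, tag = pt[:-32], pt[-32:]
    want = hmac.new(mac_key(secret), iv + msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(want, tag) else None


def demo() -> dict:
    secret = b"k3y40bit"                 # constructed sample secret
    iv = b"\x01\x02\x03"                 # constructed 24-bit IV
    msg = b"PAY 0100 TO ALICE"           # constructed plaintext the attacker knows
    target = b"PAY 9900 TO ALICE"        # what the attacker wants the receiver to see
    delta = xor(msg, target)             # non-zero only where the two differ

    frame = wep_encrypt(secret, iv, msg)
    forged = forge_frame(frame, delta)

    mac_frame = mac_encrypt(secret, iv, msg)
    mac_forged = xor(mac_frame, delta + bytes(32))   # same flips, tag left alone

    return {
        "original": wep_decrypt(secret, iv, frame),
        "forged_crc": wep_decrypt(secret, iv, forged),     # accepted: ICV patched
        "forged_mac": mac_decrypt(secret, iv, mac_forged),  # None: HMAC rejects
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Run it and the CRC-protected frame decrypts to the attacker's text with a valid ICV, while the HMAC-protected frame with the same bit flips is rejected. This is only the arithmetic behind Matthijs's point; whether an attacker can actually place those flips on the air is the separate question Greg raises, and the code says nothing about it.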

The Cryptography Mailing List