This paper identifies and analyzes several weaknesses in the key scheduling algorithm (KSA) of the RC4 stream cipher, which is widely used in software applications. The authors, Scott Fluhrer, Itsik Martin, and Adi Shamir, from Cisco Systems and the Weizmann Institute, respectively, describe two significant weaknesses in the KSA: 1. **Weak Keys**: They identify a large number of weak keys where a small portion of the key bits can determine a significant portion of the initial permutation and output bits with non-negligible probability. These weak keys have lengths divisible by a non-trivial power of two. 2. **Related Key Vulnerability**: They show that if part of the key is exposed to an attacker, an attacker can derive the secret key by analyzing the initial word of the keystreams with relatively little effort. This vulnerability is particularly relevant in the Wired Equivalent Privacy (WEP) protocol, which uses a fixed secret key concatenated with known IV modifiers to encrypt different messages. The paper also discusses the implications of these weaknesses, including: - **Cryptanalytic Applications**: Using the weak keys to construct new distinguishers for RC4 and to mount related key attacks with practical complexities. - **Security of WEP**: Demonstrating that RC4 is completely insecure in the common mode of operation used in WEP, where a fixed secret key is concatenated with known IV modifiers. The authors show that a passive ciphertext-only attack can recover an arbitrarily long key in a negligible amount of time, growing only linearly with its size. The paper concludes with recommendations to mitigate these weaknesses, such as discarding the first $N$ words of each generated stream and avoiding the use of certain modes of operation in WEP.This paper identifies and analyzes several weaknesses in the key scheduling algorithm (KSA) of the RC4 stream cipher, which is widely used in software applications. The authors, Scott Fluhrer, Itsik Martin, and Adi Shamir, from Cisco Systems and the Weizmann Institute, respectively, describe two significant weaknesses in the KSA: 1. **Weak Keys**: They identify a large number of weak keys where a small portion of the key bits can determine a significant portion of the initial permutation and output bits with non-negligible probability. These weak keys have lengths divisible by a non-trivial power of two. 2. **Related Key Vulnerability**: They show that if part of the key is exposed to an attacker, an attacker can derive the secret key by analyzing the initial word of the keystreams with relatively little effort. This vulnerability is particularly relevant in the Wired Equivalent Privacy (WEP) protocol, which uses a fixed secret key concatenated with known IV modifiers to encrypt different messages. The paper also discusses the implications of these weaknesses, including: - **Cryptanalytic Applications**: Using the weak keys to construct new distinguishers for RC4 and to mount related key attacks with practical complexities. - **Security of WEP**: Demonstrating that RC4 is completely insecure in the common mode of operation used in WEP, where a fixed secret key is concatenated with known IV modifiers. The authors show that a passive ciphertext-only attack can recover an arbitrarily long key in a negligible amount of time, growing only linearly with its size. The paper concludes with recommendations to mitigate these weaknesses, such as discarding the first $N$ words of each generated stream and avoiding the use of certain modes of operation in WEP.