Weak key
==List of algorithms with weak keys==
<!-- This section is linked from [[Stream cipher]] -->
{{Expand list|date=August 2008}}
* DES, as detailed above.
* [[RC4]]. RC4's weak initialization vectors allow an attacker to mount a [[known-plaintext attack]] and have been widely used to compromise the security of [[Wired Equivalent Privacy|WEP]]<ref>Fluhrer, S., Mantin, I., Shamir, A. Weaknesses in the key scheduling algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography (August 2001), http://citeseer.ist.psu.edu/fluhrer01weaknesses.html</ref> and [[Digital_mobile_radio#Weaknesses_in_ARC4_DMRA|ARC4 DMRA DMR]].
* [[IDEA (cipher)|IDEA]]. IDEA's weak keys are identifiable in a [[chosen-plaintext attack]]. They make the relationship between the XOR sum of plaintext bits and ciphertext bits predictable. There is no list of these keys, but they can be identified by their "structure".
* [[Blowfish (cipher)|Blowfish]]. Blowfish's weak keys produce ''bad'' [[S-box]]es, since Blowfish's S-boxes are key-dependent. There is a chosen-plaintext attack against a reduced-round variant of Blowfish that is made easier by the use of weak keys. This is not a concern for full 16-round Blowfish.
* [[Galois/Counter Mode|GMAC]]. Frequently used in the AES-GCM construction. Weak keys can be identified by the group order of the authentication key H (for AES-GCM, H is derived from the encryption key by encrypting the zero block).
* [[RSA (cryptosystem)|RSA]] and [[Digital Signature Algorithm|DSA]]. In August 2012, Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman found that TLS certificates they assessed shared keys due to insufficient entropy during key generation, and were able to obtain DSA and RSA private keys of TLS and SSH hosts knowing only the public key.<ref>{{Cite web|title=Research Paper - factorable.net|url=https://factorable.net/paper.html|access-date=2020-06-26|website=factorable.net}}</ref>
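
The GMAC entry above says weak keys are identified by the group order of H. The following added example (not part of the original article) computes that order for a 16-byte H in GCM's field GF(2^128); the function names are hypothetical, and H is supplied directly rather than derived with AES.

```python
# Added example: multiplicative order of a GHASH/GMAC key H in GF(2^128).
# The group has 2^128 - 1 elements; these are its (distinct) prime factors.
PRIMES = (3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721)
GROUP_ORDER = (1 << 128) - 1
REDUCTION = 0x87  # x^7 + x^2 + x + 1, low terms of GCM's field polynomial

def block_to_poly(block: bytes) -> int:
    """GCM puts the x^0 coefficient in the leftmost bit, so reverse all 128 bits."""
    if len(block) != 16:
        raise ValueError("H must be one 16-byte block")
    return int(format(int.from_bytes(block, "big"), "0128b")[::-1], 2)

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply modulo x^128 + x^7 + x^2 + x + 1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> 128:  # degree reached 128: fold x^128 back into the low terms
            a = (a & GROUP_ORDER) ^ REDUCTION
    return result

def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in the field."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result

def order_of(h: int) -> int:
    """Smallest n > 0 with h^n = 1; returns 0 for h = 0, which has no order."""
    if h == 0:
        return 0
    order = GROUP_ORDER
    for p in PRIMES:  # each prime divides the group order exactly once
        if gf_pow(h, order // p) == 1:
            order //= p
    return order

def ghash_key_order(block: bytes) -> int:
    """Order of the authentication key H given as its 16-byte block."""
    return order_of(block_to_poly(block))
```

A key-generation or self-test routine can compare the returned order against the full group order 2^128 - 1; the result 0 flags the all-zero H.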