Requesting feedback on patched RC4-variant
Greg Rose
ggr at qualcomm.com
Mon Apr 23 17:12:25 EDT 2001
At 12:22 AM 4/22/2001 +0200, Matthijs van Duin wrote:
>Too short key length wasn't the only problem in WEP: Another problem arose
>from the fact that when you toggle a single bit in the ciphertext, that
>*same* bit is toggled in the plaintext.
As Perry points out, you need integrity protection anyway, whether using
RC4 or not. But I'd like to point out that this is one of the few things
*not* really wrong with WEP. Remember that the signal is being send using
DSSS (Direct sequence spread spectrum, similar to CDMA digital phones) and
the chances of an attacker being able to change just one bit, or a targeted
selection of bits, in a message, is essentially zero.
>Therefore, if the contents of part of the ciphertext is known, that part
>could be modified. WEP has integrity checking to protect against this,
>however they did this in a flawed way. (the propogation of a bit toggle
>can be tracked through the CRC algorithm to determine which bits of the
>CRC should be toggled to make sure the change will not be detected)
Mathematically true, and they shouldn't have done it this way, but
essentially impossible in practice ... in THIS standard. It is certainly a
more important mistake in some other (eg. IP) contexts.
>in general, I'm not comfortable with this bit-toggle property, but RB is
>too sucky to implement a decent algorithm.
But you think that CBC mode of a (non-sucky) block cipher is adequate
protection? Sigh.
Greg.
Greg Rose INTERNET: ggr at qualcomm.com
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list