Requesting feedback on patched RC4-variant

Steven M. Bellovin smb at research.att.com
Tue Apr 24 18:23:48 EDT 2001


In message <4.3.1.0.20010425074018.01ae4660 at 203.30.171.11>, Greg Rose writes:

>
>Anyway, as a lover of stream ciphers, I just get upset when people point 
>out the bit-twiddling attack, without realising that they are implicitly 
>endorsing using block ciphers without robust integrity protection instead. 
>If it needs integrity protection, add a MAC, and the ciphers are on even 
>ground again.
>

Not quite, for reasons that are illustrated by the WEP incident.
If you reuse a key with a stream cipher, the results are catastrophic.  
That isn't true with, say, CBC and a block cipher.  Furthermore, the 
bit-twiddling attack on a stream cipher without a MAC is more serious 
than the corresponding attack on CBC, since the attacker can change 
particular bits without error propagation.

To be sure, MACs are very much needed with either cipher, but the 
failure modes aren't always the same.


		--Steve Bellovin, http://www.research.att.com/~smb
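
The two failure modes described above, as an added example that is not part of the original message: one flipped ciphertext bit under an XOR stream cipher versus under CBC, and what reusing a key reveals in each case. The keystream generator and the block cipher are stand-ins built from SHA-256 (assumptions chosen so the code runs with the standard library only, not RC4 or any real cipher), and the key, IV and messages are constructed sample values.

```python
import hashlib

KEY, IV = b"constructed-key!", bytes(16)      # constructed sample values
P1 = b"PAY ALICE 0100 USD; ref 00000001"      # constructed 32-byte messages
P2 = b"PAY BOB   0007 USD; ref 00000002"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream(data):
    """XOR with a stand-in keystream (SHA-256 in counter mode); encrypts and decrypts."""
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(KEY + bytes([i])).digest() for i in blocks)
    return xor(data, ks)

def toy_block(blk, decrypt=False):
    """4-round Feistel over SHA-256: a stand-in 16-byte block cipher, not a real one."""
    def f(rnd, half):
        return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:8]
    l, r = blk[:8], blk[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = (xor(r, f(rnd, l)), l) if decrypt else (r, xor(l, f(rnd, r)))
    return l + r

def cbc(data, decrypt=False):
    """CBC mode over toy_block with the fixed IV above (no padding; input is 16n bytes)."""
    out, prev = b"", IV
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if decrypt:
            out, prev = out + xor(toy_block(blk, True), prev), blk
        else:
            prev = toy_block(xor(blk, prev))
            out += prev
    return out

def damage(decrypt, ct, idx=11):
    """Flip one ciphertext bit; return the plaintext byte offsets that change."""
    bad = ct[:idx] + bytes([ct[idx] ^ 0x01]) + ct[idx + 1:]
    return [i for i, (a, b) in enumerate(zip(decrypt(ct), decrypt(bad))) if a != b]

def reuse_leak(encrypt):
    """Two messages under one key: does c1 XOR c2 XOR (known P1) give P2?"""
    return xor(xor(encrypt(P1), encrypt(P2)), P1) == P2

if __name__ == "__main__":
    print("stream, bytes changed:", damage(stream, stream(P1)))
    print("CBC, bytes changed:   ", damage(lambda c: cbc(c, True), cbc(P1)))
    print("reuse leaks P2:", reuse_leak(stream), "(stream)", reuse_leak(cbc), "(CBC)")
```

Under the stream cipher only the targeted byte changes; under CBC the whole first block is garbled and the matching byte of the next block (offset 27) is flipped, so neither mode detects the change without a MAC.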





---------------------------------------------------------------------
The Cryptography Mailing List