RC4 [was: RE: Passport Passwords Stored in Plaintext]

Trei, Peter ptrei at rsasecurity.com
Mon Oct 8 10:25:30 EDT 2001


[This response probably can't get to all of the lists to which 
 the original message was addressed. Feel free to forward 
 it to those lists, if you can, and to other addresses as needed.
 -pt]

> Alex Alten[SMTP:Alten at home.com] wrote:
>   [discussion of .NET weaknesses deleted]
> RC4 is broken.  Period.  The key setup machinery has been broken and the 
> internal PRNG/pad generation machinery has been partially broken.
> 
> Just say NO to RC4.
> 
> Alex Alten
> Alten at Home.Com
> 
---------------------

[I work for RSA, which owns RC4]

I strongly suggest that Alex and other interested parties read
Ron Rivest's recent paper on precisely this issue. It can be 
found at 
http://www.rsasecurity.com/rsalabs/technotes/wep.html

(extract)
[...]
In protocols such as WEP, it is often necessary to generate 
different RC4 keys from different messages (or packets) from 
a common base key. A method frequently suggested to obtain 
the keys is to add or concatenate a counter to the base key. The
key-scheduling algorithm of RC4 has been widely recognized 
to be rather lightweight for this purpose, particularly when the 
initial few bytes of plaintext are easily predictable. 

RSA Security has discouraged such key derivation methods, 
recommending instead that users consider strengthening the 
key scheduling algorithm by pre-processing the base key and 
any counter or initialization vector by passing them through a hash
function such as MD5. Alternatively, weaknesses in the key 
scheduling algorithm can be prevented by discarding the first 
256 output bytes of the pseudo-random generator before 
beginning encryption. Either or both of these techniques suffice 
to defeat the new attacks on WEP and WEP2.
[...]
(end extract)

Essentially, WEP sends successive packets (with well
known headers) using the initial output of RC4 keyed
with successive keys. This opens WEP up to a 
related-key attack.

I'm really curious what led to the use of RC4 in this
weird mode; a block cipher in CBC mode would have 
been more appropriate. I suspect that the selection 
was made at a time when 40-bit RC4 was [relatively] 
easy to export, while stronger block ciphers such as 
56-bit DES were not. 

The moral re crypto restrictions is left to the reader.

Peter Trei
[Disclaimer: I work for RSA, but this note contains
my own opinions.]
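To make the two mitigations in the extract concrete, here is an added example (written for this page, not code from the RSA note or from RSA): a minimal RC4 with the "discard the first 256 output bytes" option, next to the IV-concatenation key derivation the note discourages and the hash pre-processing it recommends. The base key, IVs and header bytes are constructed values.

```python
import hashlib


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n bytes of RC4 keystream for `key`, after discarding `drop`
    leading bytes (the 'discard the first 256 output bytes' mitigation)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))                      # key-scheduling algorithm (KSA)
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0                                 # pseudo-random generation (PRGA)
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def wep_style_key(iv: bytes, base_key: bytes) -> bytes:
    """The discouraged derivation: per-packet key = IV || base key, so
    successive packet keys are closely related (same base-key tail)."""
    return iv + base_key


def hashed_key(iv: bytes, base_key: bytes) -> bytes:
    """The recommended pre-processing: hash IV and base key together so
    per-packet RC4 keys are not simply related. MD5 is what the 2001 note
    names; a current design would use a purpose-built KDF instead."""
    return hashlib.md5(iv + base_key).digest()


if __name__ == "__main__":
    base = bytes.fromhex("0102030405")        # constructed 40-bit base key
    header = b"HEADER"                        # constructed stand-in for a known header
    for iv in (b"\x00\x00\x01", b"\x00\x00\x02"):
        weak = rc4_crypt(wep_style_key(iv, base), header)
        strong = rc4_crypt(hashed_key(iv, base), header, drop=256)
        print(iv.hex(), "IV||key:", weak.hex(), " hashed+drop256:", strong.hex())
```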

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com