RC4 [was: RE: Passport Passwords Stored in Plaintext]
Trei, Peter
ptrei at rsasecurity.com
Mon Oct 8 10:25:30 EDT 2001
[This response probably can't get to all of the lists to which
the original message was addressed. Feel free to forward
it to those lists, if you can, and to other addresses as needed.
-pt]
> Alex Alten[SMTP:Alten at home.com] wrote:
[...discussion of .NET weaknesses deleted]
> RC4 is broken. Period. The key setup machinery has been broken and the
> internal PRNG/pad generation machinery has been partially broken.
>
> Just say NO to RC4.
>
> Alex Alten
> Alten at Home.Com
>
---------------------
[I work for RSA, which owns RC4]
I strongly suggest that Alex and other interested parties read
Ron Rivest's recent paper on precisely this issue. It can be
found at
http://www.rsasecurity.com/rsalabs/technotes/wep.html
(extract)
[...]
In protocols such as WEP, it is often necessary to generate
different RC4 keys from different messages (or packets) from
a common base key. A method frequently suggested to obtain
the keys is to add or concatenate a counter to the base key. The
key-scheduling algorithm of RC4 has been widely recognized
to be rather lightweight for this purpose, particularly when the
initial few bytes of plaintext are easily predictable.
RSA Security has discouraged such key derivation methods,
recommending instead that users consider strengthening the
key scheduling algorithm by pre-processing the base key and
any counter or initialization vector by passing them through a hash
function such as MD5. Alternatively, weaknesses in the key
scheduling algorithm can be prevented by discarding the first
256 output bytes of the pseudo-random generator before
beginning encryption. Either or both of these techniques suffice
to defeat the new attacks on WEP and WEP2.
[...]
(end extract)
Essentially, WEP sends successive packets (with well
known headers) using the initial output of RC4 keyed
with successive keys. This opens WEP up to a
related-key attack.
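To make the contrast concrete, here is an added illustration (my own code for this note, not RSA's or Rivest's): a plain RC4 with the WEP-style per-packet key (IV || base key) beside the two mitigations the extract names, hashing the base key with the IV and discarding the first 256 keystream bytes. The extract names MD5; this example uses SHA-256 instead. The base key, IVs and packet header are constructed sample values.

```python
import hashlib

def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: builds the 256-byte permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Run the PRGA for n bytes; 'drop' discards that many initial bytes first (RC4-drop[n])."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if k >= drop:
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))

def wep_packet_key(base_key: bytes, iv: bytes) -> bytes:
    """WEP style: per-packet key is IV || base key, so successive keys differ in only a few bytes."""
    return iv + base_key

def hashed_packet_key(base_key: bytes, iv: bytes) -> bytes:
    """Mitigation 1 from the extract: pass base key and IV through a hash (SHA-256 here, MD5 in the note)."""
    return hashlib.sha256(base_key + iv).digest()

def encrypt_packet(base_key: bytes, iv: bytes, plaintext: bytes, hardened: bool) -> bytes:
    """WEP-style keying, or both mitigations combined (hashed per-packet key plus drop-256)."""
    if hardened:
        return rc4_crypt(hashed_packet_key(base_key, iv), plaintext, drop=256)
    return rc4_crypt(wep_packet_key(base_key, iv), plaintext)

if __name__ == "__main__":
    # Constructed sample values: a 40-bit base key, two consecutive 24-bit IVs, and a packet
    # that starts with a predictable header, which is exactly the situation the note warns about.
    base, pkt = bytes.fromhex("0102030405"), b"\xaa\xaa\x03\x00\x00\x00" + b"payload"
    for iv in (b"\x00\x00\x00", b"\x00\x00\x01"):
        print(iv.hex(), encrypt_packet(base, iv, pkt, False).hex(), encrypt_packet(base, iv, pkt, True).hex())
```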
I'm really curious what led to the use of RC4 in this
weird mode; a block cipher in CBC mode would have
been more appropriate. I suspect that the selection
was made at a time when 40-bit RC4 was [relatively]
easy to export, while stronger block ciphers such as
56-bit DES were not.
The moral re crypto restrictions is left to the reader.
Peter Trei
[Disclaimer: I work for RSA, but this note contains
my own opinions.]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com