IETF Logo Mail Archive

Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

Bill Sommerfeld <sommerfeld@sun.com> Thu, 02 June 2005 14:37 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DdqpU-00061D-Tq; Thu, 02 Jun 2005 10:37:52 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DdqpT-000614-OD; Thu, 02 Jun 2005 10:37:51 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA21282; Thu, 2 Jun 2005 10:37:49 -0400 (EDT)
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Ddr9V-0000o8-I8; Thu, 02 Jun 2005 10:58:34 -0400
Received: from sfbaymail1sca.SFBay.Sun.COM ([129.145.154.35]) by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id j52Ebkn0005809; Thu, 2 Jun 2005 08:37:46 -0600 (MDT)
Received: from 129.148.19.3 (punchin-sommerfeld.East.Sun.COM [129.148.19.3]) by sfbaymail1sca.SFBay.Sun.COM (8.12.10+Sun/8.12.10/ENSMAIL,v2.2) with ESMTP id j52EbiPu010450; Thu, 2 Jun 2005 07:37:45 -0700 (PDT)
From: Bill Sommerfeld <sommerfeld@sun.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <tslu0khg8or.fsf@cz.mit.edu>
References: <20050601192238.B4BD53BFFFA@berkshire.machshav.com> <tslu0khg8or.fsf@cz.mit.edu>
Content-Type: text/plain; charset="ASCII"
Message-Id: <1117723009.44321.3229.camel@unknown.hamachi.org>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6.311
Date: Thu, 02 Jun 2005 10:36:52 -0400
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9182cfff02fae4f1b6e9349e01d62f32
Content-Transfer-Encoding: 7bit
Cc: iesg@ietf.org, ietf@ietf.org, "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

On Wed, 2005-06-01 at 15:48, Sam Hartman wrote:

> That's what I thought too.  However that seems to be false.  The one
> reference currently in the security considerations section is for an
> attack to distinguish an RC4 stream from a random stream. 

A critical parameter to such attacks is the amount of keystream required
under a single key before the attack becomes feasible.  

Assuming I've read it correctly, the most recent paper I've found on the
topic mentions a threshold of 2^24 bytes if you don't discard the start
of the keystream, and 2^32 if you discard the first 256 bytes. 

As the sshv2 protocol allows for either party to trigger a rekey of both
directions of the communication, it certainly seems like a cautionary
note to set rekey thresholds appropriately would be in order.  given the
extremely lightweight nature of the algorithm you may still come out
ahead from a cpu time/power/battery-life perspective even with frequent
rekey...

						- Bill





_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email