IETF Logo Mail Archive

Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

Ben Harris <bjh21@bjh21.me.uk> Fri, 03 June 2005 09:53 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1De8rz-0008W0-Ot; Fri, 03 Jun 2005 05:53:39 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1De8ri-0008JW-NC for ietf@megatron.ietf.org; Fri, 03 Jun 2005 05:53:22 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA11531 for <ietf@ietf.org>; Fri, 3 Jun 2005 05:53:20 -0400 (EDT)
Received: from chiark.greenend.org.uk ([193.201.200.170] ident=mail) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1De9Bv-0007rb-JR for ietf@ietf.org; Fri, 03 Jun 2005 06:14:15 -0400
Received: by chiark.greenend.org.uk (Debian Exim 3.35 #1) with local (return-path bjharris@chiark.greenend.org.uk) id 1De8rg-0008TJ-00 for ietf@ietf.org; Fri, 03 Jun 2005 10:53:20 +0100
From: Ben Harris <bjh21@bjh21.me.uk>
To: ietf@ietf.org
In-Reply-To: <tsloeaqgc2s.fsf@cz.mit.edu>
References: <tsloeaqgc2s.fsf@cz.mit.edu>
Organization: Linux Unlimited
Message-Id: <E1De8rg-0008TJ-00@chiark.greenend.org.uk>
Date: Fri, 03 Jun 2005 10:53:20 +0100
X-Spam-Score: 0.9 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Subject: Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

In article <tsloeaqgc2s.fsf@cz.mit.edu> you write:
>Hi, folks.  The IESG has received a last call comment recommending
>that the new rc4 cipher for ssh be published as informational rather
>than as a proposed standard because of weaknesses in rc4.  It would be
>inappropriate to make a decision based on one comment so I am
>soliciting comments on this point.

I think it may be worth my explaining a little of the background here, and
what I'm trying to achieve.  I don't know that a Standards Track RFC is the
correct approach, but it seemed the most appropriate to me.

SSH finally got approved for publication as a Proposed Standard earlier this
year.  It supports many symmetric ciphers, one of which is "arcfour".  This
is RC4 with a 128-bit key, using the keystream from the beginning. 
"arcfour" is notable for being, in software implementations, both the
fastest and the simplest of the symmetric ciphers specified for SSH in any
Standards Track document (except for "none", of course).  This makes its use
tempting in circumstances where code size or CPU usage are important.

RC4 has several weaknesses, some of which can be eliminated by discarding
the start of the keystream, which is a trivial operation.  Increasing its
key size is also trivial.  Some of RC4's other weaknesses are inherent in
its keystream generator.

My aim in writing draft-harris-ssh-arcfour-fixes was to ensure that the
fastest and simplest standard SSH cipher (a) wasn't unnecessarily weak and
(b) had its necessary weaknesses documented.  Other ways to accomplish the
same thing would be to somehow deprecate "arcfour" and force people to use
"blowfish-ctr" instead, or to standardise a new cipher that's faster,
simpler, and more secure than "arcfour".

It occurs to me that if someone could come up with a procedure for doing so,
my ideal here would be to cause "arcfour" to become NOT RECOMMENDED, and to
introduce "arcfour-128" and "arcfour-256" with the same status.

People wishing to read the papers referenced might find these URLs useful. 
The Fluhrer and McGrew paper is the scary one:

>S. Fluhrer, I. Mantin, & A. Shamir, "Weaknesses in the Key Scheduling
>Algorithm of RC4", Proceedings of 8th Annual International Workshop
>on Selected areas in Cryptography (SAC 2001), Toronto, ON, CA,
>August 2001.
<http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps>

>J. D. Golic, "Linear Statistical Weakness of RC4 Key Generator",
>Procedings of EuroCrypt 1997, Konstanz, DE, May 1997.
<http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Golic.PDF>

>S. Fluhrer & D. McGrew, "Statistical Analysis of the RC4 Key
>Generator", Proceedings of 7th International Workshop on Fast
>Software Encryption (FSE 2000), New York, NY, US, April 2000.
<http://www.mindspring.com/~dmcgrew/rc4-03.pdf>

>L. Knudsen, W. Meier, B. Preneel, V. Rijmen, & S. Verdoolaege,
>"Analysis Method for RC4", Proceedings of AsiaCrypt 1998.
<http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Knudsen.ps>

>S. Paul & B. Preneel, "Analysis of Non-fortuitous Predictive States
>of the RC4 Key Generator", Proceedings of 4th International Conference
>on Cryptology in India (IndoCrypt 2003), New Delhi, IN, December 2003.
<http://www.cosic.esat.kuleuven.be/publications/article-86.pdf>

-- 
Ben Harris

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email