Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?
Ben Harris <bjh21@bjh21.me.uk> Fri, 03 June 2005 12:54 UTC
From: Ben Harris <bjh21@bjh21.me.uk>
To: ietf@ietf.org, sommerfeld@sun.com
In-Reply-To: <1117723009.44321.3229.camel@unknown.hamachi.org>
References: <20050601192238.B4BD53BFFFA@berkshire.machshav.com> <tslu0khg8or.fsf@cz.mit.edu> <tslu0khg8or.fsf@cz.mit.edu> <1117723009.44321.3229.camel@unknown.hamachi.org>
Organization: Linux Unlimited
Message-Id: <E1De885-0004XJ-00@chiark.greenend.org.uk>
Date: Fri, 03 Jun 2005 10:06:13 +0100
Subject: Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

In article <1117723009.44321.3229.camel@unknown.hamachi.org> you write:
>On Wed, 2005-06-01 at 15:48, Sam Hartman wrote:
>
>> That's what I thought too. However that seems to be false. The one
>> reference currently in the security considerations section is for an
>> attack to distinguish an RC4 stream from a random stream.
>
>A critical parameter to such attacks is the amount of keystream required
>under a single key before the attack becomes feasible.
>
>Assuming I've read it correctly, the most recent paper I've found on the
>topic mentions a threshold of 2^24 bytes if you don't discard the start
>of the keystream, and 2^32 if you discard the first 256 bytes.
>
>As the sshv2 protocol allows for either party to trigger a rekey of both
>directions of the communication, it certainly seems like a cautionary
>note to set rekey thresholds appropriately would be in order.

I don't believe that rekeying is sufficient, which is why the draft doesn't
recommend it. The distinguisher relies on the non-uniform distribution of
digraphs in all RC4 keystreams, so if it needs to it can work on two bytes
from each of 2^32 separate keystreams. I think (and I'd be happy for a
cryptographer to contradict me here) this means that if you encrypt the same
thing (e.g. an SSH password packet) 2^32 times under different RC4 keys, an
attacker can deduce one bit of information about it, or more accurately one
bit of information per digraph.

-- 
Ben Harris
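
An added illustration of the multi-key point in the message above (not code from the draft or from anyone in the thread): the digraph bias needs on the order of 2^32 samples, so this measures a different, much stronger and well-known bias instead, the tendency of the second RC4 keystream byte to be zero, across many independent keys, at the start of the keystream and again after the first 256 bytes are discarded. The 16-byte key length, the PRNG-generated keys and all function names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#define KEYLEN 16  /* assumption: 128-bit keys */

/* Deterministic xorshift64* generator for constructed test keys (not a CSPRNG). */
static uint64_t prng_state;
static uint8_t prng_byte(void) {
    prng_state ^= prng_state >> 12;
    prng_state ^= prng_state << 25;
    prng_state ^= prng_state >> 27;
    return (uint8_t)((prng_state * 0x2545F4914F6CDD1DULL) >> 56);
}

/* Standard RC4; returns keystream byte `pos` (1-based), i.e. after pos-1 discarded. */
static uint8_t rc4_byte_at(const uint8_t *key, size_t keylen, size_t pos) {
    uint8_t S[256], t, out = 0;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {            /* key schedule */
        j = (j + S[i] + key[i % keylen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t n = 0; n < pos; n++) {     /* keystream generation */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out = S[(S[i] + S[j]) & 0xff];
    }
    return out;
}

/* Over nkeys fresh keys, count how often keystream byte `pos` equals 0. */
unsigned long count_zero_at(size_t pos, unsigned long nkeys) {
    uint8_t key[KEYLEN];
    unsigned long hits = 0;
    prng_state = 0x9E3779B97F4A7C15ULL;    /* fixed seed: repeatable run */
    for (unsigned long k = 0; k < nkeys; k++) {
        for (size_t b = 0; b < KEYLEN; b++) key[b] = prng_byte();
        hits += (rc4_byte_at(key, KEYLEN, pos) == 0);
    }
    return hits;
}

int main(void) {
    unsigned long n = 1UL << 18;  /* a uniform byte would give about n/256 = 1024 */
    printf("byte 2 == 0: %lu, byte 258 == 0: %lu\n",
           count_zero_at(2, n), count_zero_at(258, n));
    return 0;
}
```

Every sample here comes from a different key, so rekeying does nothing to remove the skew at byte 2; discarding the first 256 bytes does remove this particular bias, leaving only the far weaker ones the message discusses.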