Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

Ben Harris <bjh21@bjh21.me.uk> Fri, 03 June 2005 12:54 UTC

From: Ben Harris <bjh21@bjh21.me.uk>
To: ietf@ietf.org, sommerfeld@sun.com
In-Reply-To: <1117723009.44321.3229.camel@unknown.hamachi.org>
References: <20050601192238.B4BD53BFFFA@berkshire.machshav.com> <tslu0khg8or.fsf@cz.mit.edu> <tslu0khg8or.fsf@cz.mit.edu> <1117723009.44321.3229.camel@unknown.hamachi.org>
Organization: Linux Unlimited
Message-Id: <E1De885-0004XJ-00@chiark.greenend.org.uk>
Date: Fri, 03 Jun 2005 10:06:13 +0100
Subject: Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

In article <1117723009.44321.3229.camel@unknown.hamachi.org> you write:
>On Wed, 2005-06-01 at 15:48, Sam Hartman wrote:
>
>> That's what I thought too.  However that seems to be false.  The one
>> reference currently in the security considerations section is for an
>> attack to distinguish an RC4 stream from a random stream. 
>
>A critical parameter to such attacks is the amount of keystream required
>under a single key before the attack becomes feasible.  
>
>Assuming I've read it correctly, the most recent paper I've found on the
>topic mentions a threshold of 2^24 bytes if you don't discard the start
>of the keystream, and 2^32 if you discard the first 256 bytes. 
>
>As the sshv2 protocol allows for either party to trigger a rekey of both
>directions of the communication, it certainly seems like a cautionary
>note to set rekey thresholds appropriately would be in order.

I don't believe that rekeying is sufficient, which is why the draft doesn't
recommend it.  The distinguisher relies on the non-uniform distribution of
digraphs in all RC4 keystreams, so if it needs to it can work on two bytes
from each of 2^32 separate keystreams.  I think (and I'd be happy for a
cryptographer to contradict me here) this means that if you encrypt the same
thing (e.g. an SSH password packet) 2^32 times under different RC4 keys, an
attacker can deduce one bit of information about it, or more accurately one
bit of information per digraph.

-- 
Ben Harris
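An added simulation of the point made above, not part of this thread or of the draft: a statistical bias that is present in every RC4 keystream survives rekeying, so encrypting the same plaintext under many fresh keys hands the attacker more samples rather than less. It uses the well-known bias in RC4's second output byte (Z2 = 0 with probability about 1/128 instead of 1/256) as a cheap stand-in for the digraph distinguisher discussed in the thread, which would need on the order of 2^32 samples; the keys and the plaintext byte are constructed.

```python
import random
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def simulate(plaintext_byte: int, trials: int, seed: int = 1) -> dict:
    """Encrypt the same plaintext byte at keystream position 2 under `trials`
    fresh random 128-bit keys (a constructed, seeded PRNG keeps the run
    reproducible), i.e. one 'rekey' per trial.  The observer then takes the
    most frequent ciphertext byte.  Since Z2 == 0 roughly twice as often as
    any other value, that mode is the plaintext byte itself."""
    rng = random.Random(seed)
    ct_counts = Counter()
    z2_zero = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # fresh session key
        z2 = rc4_keystream(key, 2)[1]
        z2_zero += (z2 == 0)
        ct_counts[plaintext_byte ^ z2] += 1
    recovered, votes = ct_counts.most_common(1)[0]
    return {
        "z2_zero_rate": z2_zero / trials,  # about 1/128; 1/256 if unbiased
        "recovered": recovered,
        "votes": votes,
    }

if __name__ == "__main__":
    r = simulate(0x41, 20000)
    print(f"P[Z2 = 0] ~ {r['z2_zero_rate']:.4f} (uniform would be {1/256:.4f})")
    print(f"recovered plaintext byte 0x{r['recovered']:02x} with {r['votes']} votes")
```

Discarding the start of the keystream removes this particular bias, but the digraph biases the thread refers to are distributed through the whole keystream, which is why per-key sample limits do not close the gap on their own.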
