Re: [saag] AD review of draft-iab-crypto-alg-agility-06

"Paterson, Kenny" <> Tue, 25 August 2015 22:54 UTC

From: "Paterson, Kenny" <>
To: Stephen Farrell <>, Yoav Nir <>
Thread-Topic: [saag] AD review of draft-iab-crypto-alg-agility-06
Date: Tue, 25 Aug 2015 22:53:54 +0000
Cc: Security Area Advisory Group <>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06


On 25/08/2015 23:17, "saag on behalf of Stephen Farrell" wrote:

>Mostly fair point, though one might speculate as to whether RC4
>may end up easier than single DES. (Actually, do we have any good
>information about that? I guess there aren't many publications on
>the relative weaknesses of weak ciphers.)

This is something I can say a bit about.

Let's take TLS with DES and RC4.

To break a DES-protected connection asap, you'd use an exhaustive key
search, needing a couple of known plaintext/ciphertext blocks (not a
problem for most application protocols running over TLS). Cost: a few
thousand dollars for the FPGAs; time: depends on budget of course, but
embarrassingly parallelisable. You've then got the key and can decrypt the
whole TLS connection.

To break RC4 in TLS, with the current public state of the art [1,2], you'd
somehow need to gather 2^26 - 2^30 encryptions of the same plaintext. That
can be done in some circumstances, e.g. malicious JavaScript running in the
browser, with the target being an HTTP cookie, but it's a bit of a stretch.
What you get back is that (short) plaintext, rather than the key.

So with the *current* state of the art, the attack requirements and attack
results are quite different. Despite the strict incomparability, I think
it's reasonable to say that DES is currently *much* less secure than RC4
in the TLS context.

What we don't know is how the attacks will evolve in future.

My guess is that the DES attack will not get any better in an interesting
way (that is, save for falling costs of hardware). DES is a good block
cipher with too small a key (and too small a block).

And it feels to me that, for RC4, the currently known public techniques
are starting to run out of steam. Maybe someone will come up with some
fresh ideas. Meanwhile, we don't really know the capabilities of
government agencies against RC4.