IETF Logo Mail Archive

Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

mrex@sap.com (Martin Rex) Wed, 23 April 2014 21:02 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA8A1A0656 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 14:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jRs9jU6W1xsh for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 14:02:52 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id F11B61A019E for <tls@ietf.org>; Wed, 23 Apr 2014 14:02:51 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s3NL2h2k004295 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 23 Apr 2014 23:02:43 +0200 (MEST)
In-Reply-To: <CF7DBB70.1C4C6%kenny.paterson@rhul.ac.uk>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Date: Wed, 23 Apr 2014 23:02:43 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140423210243.B43451ACDD@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9ffSpmBz0LrqASjMnu_pCv4XRS8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 21:02:54 -0000

Paterson, Kenny wrote:
>
> "Watson Ladd" <watsonbladd@gmail.com> wrote:
>>
>> Martin Rex <mrex@sap.com> wrote:
>>> 
>>> RC4 is a stream cipher, and operates by xoring plaintext with
>>> a pseudo-random keystream.  In order to "completely break" RC4,
>>> it would be necessary to precompute future RC4 outputs from
>>> some amount of *known* RC4 keystream, essentially re-creating
>>> the internal state of the RC4 algorithm.
>>
>>Yes, that would be terribly bad of a break. We don't have one like
>>that now. 5 years from now I would not be surprised. We need to start
>>moving now to be ready for the inevitable. I would prefer not to have
>>my banking secrets spread across the Internet before we decide we have
>>a problem.
>>
>>However, even before you predict keystream from a handful of bytes you
>>can do the following:
>>-Use multiple connections sharing similar data together with hidden
>>markov models to recover text
> 
> 
> Indeed, the use of language models is mentioned as an enhancement in our
> paper. Based on my experience of using such models in a different context,
> I think they would make a big difference in reducing the attacks'
> ciphertext requirements when the plaintext being targeted is "natural
> language", and possibly even passwords. But this is less likely to be
> effective for session cookies. It would be a great student project to
> investigate this angle.

Quantify "multiple connections sharing similar data" /
the attacks' ciphertext requirements.

I'm doing like 300 web-based purchases with OTP-authentication tokens
(TAN) year and maybe 4 Credit Card purchases per year online from various
different shops and would repeat a single failing purchase at most 5 times
before I would give up.

The numbers I've seen so far do not scare me for a significant number
of usage scenarios.  That doesn't mean that there would be no usage
scenarios where the weaknesses could be sufficient to make an attack
practical.  But I'm not using any of those.


Problems like the recent shortcut in the certificate validation
for (EC)DHE cipher suites in Apple's TLS stack and GnuTLS, or the
recent Heartbleed (Heartbloat) attack is stuff that worries me much more.


-Martin

v2.23.0 | Report a Bug | By Email