[TLS] Prohibiting RC4 Cipher Suites

Andrei Popov <Andrei.Popov@microsoft.com> Sat, 05 October 2013 21:54 UTC

I have submitted v01 of the "Prohibiting RC4 Cipher Suites" draft with the updated attack description: http://www.ietf.org/internet-drafts/draft-popov-tls-prohibiting-rc4-01.txt

Looking forward to further comments,

Andrei

-----Original Message-----
From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk]
Sent: Wednesday, August 21, 2013 2:13 PM
To: Andrei Popov; tls@ietf.org
Subject: Re: [TLS] Prohibiting RC4 Cipher Suites

Andrei,

Your intro says:

"Recent cryptanalysis results [ALF] exploit biases in the RC4 keystream to recover early portions of plaintexts."


The attacks can recover repeated plaintext from ANYWHERE in the plaintext stream, so they are more flexible in application than your text suggests.

Another (better?) link for the attacks by AlFardan et al. is www.isg.rhul.ac.uk/tls. The "official" USENIX link, which should be long-lasting, is:

https://www.usenix.org/conference/usenixsecurity13/security-rc4-tls


Best wishes

Kenny

On 21/08/2013 13:59, "Andrei Popov" <Andrei.Popov@microsoft.com> wrote:

>Hello All,
> 
>RC4 is a widely deployed cipher, which is commonly preferred by TLS
>servers: our tests show ~40% of the high-traffic HTTPS sites pick RC4 
>if IE offers this cipher. A significant percentage of web sites and 
>e-mail servers have only RC4 enabled, so a client cannot altogether 
>disable RC4 without breaking interoperability. At the same time, 
>attacks on RC4 are improving (e.g.
>http://www.isg.rhul.ac.uk/tls/), to the point that practical exploits 
>are possible.
> 
>I have posted a new Internet-Draft "Prohibiting RC4 Cipher Suites"
>(draft-popov-tls-prohibiting-rc4-00
><http://datatracker.ietf.org/doc/draft-popov-tls-prohibiting-rc4/>) to 
>deprecate the use of RC4 cipher suites in TLS.
> 
>Looking forward to comments and feedback on the draft,
> 
>Andrei Popov
>



_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
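The keystream bias that Kenny's note and the draft's intro refer to can be observed directly. This is an added example, not code from the draft or from either correspondent: a textbook RC4 plus a seeded simulation over locally constructed keys that measures the Mantin-Shamir bias, i.e. the second keystream byte is 0 with probability about 1/128 rather than the 1/256 a uniform keystream would give. Biases of this kind, aggregated over many encryptions of the same plaintext, are what the AlFardan et al. results exploit, and are the reason the draft prohibits the cipher.

```python
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA), then PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_bias(n_keys: int, seed: int = 1) -> dict:
    """Measure Pr[Z_2 == 0] over n_keys random 16-byte keys.

    A uniform keystream would give 0 in about n_keys/256 cases; RC4's
    second output byte is 0 roughly twice as often (Mantin-Shamir bias).
    Keys are constructed from a seeded PRNG so the run is repeatable.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # constructed sample key
        if rc4_keystream(key, 2)[1] == 0:
            hits += 1
    return {
        "observed": hits,
        "uniform_expected": n_keys / 256,
        "rc4_expected": n_keys / 128,
    }


if __name__ == "__main__":
    # Known-answer check against the widely published RC4 test vector (key "Key").
    assert rc4_keystream(b"Key", 4) == bytes.fromhex("eb9f7781")
    stats = second_byte_bias(40_000)
    print(stats)  # "observed" lands near rc4_expected, far above uniform_expected
```

The same single-byte statistics exist at other keystream positions; this block only exhibits the strongest and best-known one.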