IETF Logo Mail Archive

Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

mrex@sap.com (Martin Rex) Wed, 23 April 2014 15:07 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58CA11A03E7 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:07:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.952
X-Spam-Level:
X-Spam-Status: No, score=-5.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ku-qALRQDK0 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:07:22 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id E78271A03EB for <tls@ietf.org>; Wed, 23 Apr 2014 08:07:15 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s3NF78d7024250 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 23 Apr 2014 17:07:08 +0200 (MEST)
In-Reply-To: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Date: Wed, 23 Apr 2014 17:07:07 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/aFGhdgzHnYl4rK4eE3J-2lJAPXo
Cc: tls@ietf.org
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 15:07:30 -0000

Jacob Appelbaum wrote:
> On 4/19/14, Alyssa Rowan <akr@akr.io> wrote:
>>
>> RC4 is either on the brink of being cracked, given the serious known
>> weaknesses pointed out in Section 1 of the draft, or it is already
>> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were
>> talking about that they got from NSA, and that seems plausible to me,
>> and to several others, including Schneier).
> 
> I think that RC4 is completely broken for certain adversaries. It
> should be totally abandoned.

While I have heard claims that RC4 would be "completely broken", I am
still not aware of the slightest indication why or how this break
would be performed.

RC4 is a stream cipher, and operates by xoring plaintext with
a pseudo-random keystream.  In order to "completely break" RC4,
it would be necessary to precompute future RC4 outputs from
some amount of *known* RC4 keystream, essentially re-creating
the internal state of the RC4 algorithm.

HTTP is a protocol with often quite a lot of known plaintext,
so recovering *some* amount of RC4 keystream will often be possible
with a low probability of error.  So that leaves us with the questions

  - are parts of the RC4 algorithm invertible?
  - is it possible to recreate the RC4 internal state from a certain
    amount of keystream octets.
  - how many keystream octets would be necessary
  - will those known keystream octets have to be from specific locations
    (or consecutive)
  - how big is the workfactor?


I'm _not_ saying that this hasn't happened.  But without the slightest
indication about a _real_ problem with the RC4 algorithm internals,
I refuse to be terrorized.


-Martin

PS: the most attractive target for breaking is the key exchange algorithm,
because that would make the traffic protection keys (MAC and encrypt)
available independent of the crypto an mac algorithms and their strength.
Considering that NSA has been pushing ECDSA+ECDHE for quite a while
(Suite B with NIST curves), I'm more worried about EC weaknesses than
RC4 bias or chained CBC-IVs.

ECDHE with Curve25519 and single-use(!!) DHE keypairs looks OK, but
that might not interoperable with a large fraction of the installed
base for another decade.

v2.23.0 | Report a Bug | By Email