Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
mrex@sap.com (Martin Rex) Wed, 23 April 2014 15:07 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58CA11A03E7 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:07:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.952
X-Spam-Level:
X-Spam-Status: No, score=-5.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ku-qALRQDK0 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:07:22 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id E78271A03EB for <tls@ietf.org>; Wed, 23 Apr 2014 08:07:15 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s3NF78d7024250 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 23 Apr 2014 17:07:08 +0200 (MEST)
In-Reply-To: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Date: Wed, 23 Apr 2014 17:07:07 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/aFGhdgzHnYl4rK4eE3J-2lJAPXo
Cc: tls@ietf.org
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 15:07:30 -0000
Jacob Appelbaum wrote: > On 4/19/14, Alyssa Rowan <akr@akr.io> wrote: >> >> RC4 is either on the brink of being cracked, given the serious known >> weaknesses pointed out in Section 1 of the draft, or it is already >> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were >> talking about that they got from NSA, and that seems plausible to me, >> and to several others, including Schneier). > > I think that RC4 is completely broken for certain adversaries. It > should be totally abandoned. While I have heard claims that RC4 would be "completely broken", I am still not aware of the slightest indication why or how this break would be performed. RC4 is a stream cipher, and operates by xoring plaintext with a pseudo-random keystream. In order to "completely break" RC4, it would be necessary to precompute future RC4 outputs from some amount of *known* RC4 keystream, essentially re-creating the internal state of the RC4 algorithm. HTTP is a protocol with often quite a lot of known plaintext, so recovering *some* amount of RC4 keystream will often be possible with a low probability of error. So that leaves us with the questions - are parts of the RC4 algorithm invertible? - is it possible to recreate the RC4 internal state from a certain amount of keystream octets. - how many keystream octets would be necessary - will those known keystream octets have to be from specific locations (or consecutive) - how big is the workfactor? I'm _not_ saying that this hasn't happened. But without the slightest indication about a _real_ problem with the RC4 algorithm internals, I refuse to be terrorized. -Martin PS: the most attractive target for breaking is the key exchange algorithm, because that would make the traffic protection keys (MAC and encrypt) available independent of the crypto an mac algorithms and their strength. Considering that NSA has been pushing ECDSA+ECDHE for quite a while (Suite B with NIST curves), I'm more worried about EC weaknesses than RC4 bias or chained CBC-IVs. ECDHE with Curve25519 and single-use(!!) DHE keypairs looks OK, but that might not interoperable with a large fraction of the installed base for another decade.
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Bill Frantz
- [TLS] RC4 depreciation path (Re: Deprecating more… Watson Ladd
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Kurt Roeckx
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Ilari Liusvaara
- Re: [TLS] RC4 deprecation path (Re: Deprecating m… Michael D'Errico
- Re: [TLS] RC4 deprecation path (Re: Deprecating m… Kurt Roeckx
- Re: [TLS] RC4 deprecation path (Re: Deprecating m… Yoav Nir
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Fabrice
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Yoav Nir
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Kurt Roeckx
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Watson Ladd
- [TLS] RC4 Considered Harmful (Was: RC4 deprecatio… Alyssa Rowan
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Yoav Nir
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Yoav Nir
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Watson Ladd
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Alyssa Rowan
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Jacob Appelbaum
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… David Holmes
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Watson Ladd
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Alyssa Rowan
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Watson Ladd
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Salz, Rich
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Yoav Nir
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Geoffrey Keating
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Marsh Ray
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Kurt Roeckx