IETF Logo Mail Archive

Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Marsh Ray <maray@microsoft.com> Wed, 23 April 2014 23:14 UTC

Return-Path: <maray@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73AF81A072A for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 16:14:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0121UybUGkgm for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 16:14:50 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0145.outbound.protection.outlook.com [207.46.163.145]) by ietfa.amsl.com (Postfix) with ESMTP id E3E7C1A0299 for <tls@ietf.org>; Wed, 23 Apr 2014 16:14:49 -0700 (PDT)
Received: from BY2PR03MB074.namprd03.prod.outlook.com (10.255.241.154) by BY2PR03MB073.namprd03.prod.outlook.com (10.255.241.153) with Microsoft SMTP Server (TLS) id 15.0.921.12; Wed, 23 Apr 2014 23:14:42 +0000
Received: from BY2PR03MB074.namprd03.prod.outlook.com ([169.254.12.33]) by BY2PR03MB074.namprd03.prod.outlook.com ([169.254.12.33]) with mapi id 15.00.0921.000; Wed, 23 Apr 2014 23:14:41 +0000
From: Marsh Ray <maray@microsoft.com>
To: "mrex@sap.com" <mrex@sap.com>, Jacob Appelbaum <jacob@appelbaum.net>
Thread-Topic: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
Thread-Index: AQHPXCttVkycqBLyFEOgpA3HqhwABJsfUwuAgACDaqA=
Date: Wed, 23 Apr 2014 23:14:41 +0000
Message-ID: <ca586b58403a4958a4d12f9e8348d793@BY2PR03MB074.namprd03.prod.outlook.com>
References: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com> <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
In-Reply-To: <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [50.181.204.234]
x-forefront-prvs: 01901B3451
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(13464003)(199002)(189002)(377454003)(51704005)(74662001)(83072002)(33646001)(74316001)(4396001)(76576001)(54356999)(74502001)(2656002)(85852003)(92566001)(87936001)(80976001)(31966008)(50986999)(20776003)(99286001)(76482001)(80022001)(66066001)(86362001)(99396002)(83322001)(81542001)(81342001)(77982001)(551544002)(76176999)(79102001)(46102001)(86612001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB073; H:BY2PR03MB074.namprd03.prod.outlook.com; FPR:965FF225.A7FA44FA.3CDD75A9.42E7D82D.202E0; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/e1qKU3S3PBaHnw2w8507o2npMaI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 23:14:52 -0000

-----Original Message-----
From: Martin Rex
Sent: Wednesday, April 23, 2014 8:07 AM
>
>  - are parts of the RC4 algorithm invertible?

Yes, in the sense that knowledge of the ~1600 bit state allows one to determine forward *and backwards* in the stream.

> - is it possible to recreate the RC4 internal state from a certain
    amount of keystream octets.

This was done for WEP, which is particularly pathological in the way it uses the raw password as the key. 

TLS uses a unique 128 bit PRF-derived key on every handshake. I haven't heard of anyone being able to attack this method of keying.

> - how many keystream octets would be necessary

(Speculation) At least 1600/8 = 200 bytes or so.

> - will those known keystream octets have to be from specific locations
    (or consecutive)

Known attacks rely on specific locations.

(Speculation) Other attacks probably would benefit from specific locations, but would probably not require perfectly contiguous known plaintext.

>  - how big is the workfactor?

Who knows?

> I'm _not_ saying that this hasn't happened.  But without the slightest indication
> about a _real_ problem with the RC4 algorithm internals, I refuse to be terrorized.

There are real, known attacks on the RC4 algorithm internals, even with the solid keying as used by TLS.

> PS: the most attractive target for breaking is the key exchange algorithm, because
> that would make the traffic protection keys (MAC and encrypt) available
> independent of the crypto an mac algorithms and their strength.

That doesn't mean the cipher won't be attacked *too* :-)

- Marsh
-----------------------------------
Usual boilerplate disclaimers apply.

v2.23.0 | Report a Bug | By Email