Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Ryan Carboni <ryacko@gmail.com> Wed, 22 October 2014 18:37 UTC

Return-Path: <ryacko@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4DF1ACF9B for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ppi0NhuaFqu7 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:37:18 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B1081ACF94 for <tls@ietf.org>; Wed, 22 Oct 2014 11:37:18 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id d1so2178054wiv.14 for <tls@ietf.org>; Wed, 22 Oct 2014 11:37:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=4C8Y8XgZ7SQb6+kykeMv+orE17iiPLsfjMD1Y1fKzjc=; b=gm+pKNrN1UlRfwMjVF9D9DbIvdbWnCadzGfZYbi5AKF3+akl3oyGgMK+m4db1CUQ7+ IEtDaKuUivDA5BGGVS4NY2zTTTrf2UviCKOUCCyteY6uz4fXJixoddHCU0XYpEKHmH87 j7iv6W4iWWn68D7tfGfUuoDPwHvorSXEZ+YCN2NR+IWrzqa1IVB7ABSUi4vDvEtYD4mv G1yRLJvgXFaLWsfvEJbBjhz/oLialabrpuVmsL2gTHrIZdE2G5O8YXNlWbJVsjkP33nS 321cOeSBAyifyPtmDl6pUO/+GZEmcFt7rS9T1rHgD5VcPWH1QFLofFLOsb9Z1zm6QG91 UsVA==
X-Received: by 10.194.209.230 with SMTP id mp6mr631wjc.2.1414003036626; Wed, 22 Oct 2014 11:37:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.242.39 with HTTP; Wed, 22 Oct 2014 11:36:36 -0700 (PDT)
From: Ryan Carboni <ryacko@gmail.com>
Date: Wed, 22 Oct 2014 11:36:36 -0700
Message-ID: <CAO7N=i3qVJkHO5AUEffd1sgMinFUbiwGik+0wYQTcbi3_pQtAg@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=047d7b3a8c08b5a5750506073c3c
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/t30Nq6nw3fc-qae3wCSdCWvNIpU
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 18:37:22 -0000

>
> Well, never is a long time, and it is already somewhat broken, in that
> the bias in at least firt 256 bytes of output makes fixed plaintexts
> transmitted repeatedly under varying keys vulnerable to recovery.


Yes, there's obvious issues with RC4's key-schedule. I visit some websites
as much as 2^15 times a year, or 2^(6.5) times a day, mostly forums of
interest. The bias attack at best can break 2^30. Or to put it in better
perspective:

http://googleonlinesecurity.blogspot.com/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

"The best, known attack against using RC4 with HTTPS involves causing a
browser to transmit many HTTP requests -- each with the same cookie -- and
exploiting known biases in RC4 to build an increasingly precise probability
distribution for each byte in a cookie. However, the attack needs to see on
the order of 10 billion copies of the cookie in order to make a good guess.
This involves the browser sending ~7TB of data. In ideal situations, this
requires nearly three months to complete."

RC4 should be fully deprecated... in 2020.