IETF Logo Mail Archive

Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 23 April 2014 18:06 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6990A1A0429 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 11:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QnC-uVMHuPgH for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 11:06:51 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id 549B31A0430 for <tls@ietf.org>; Wed, 23 Apr 2014 11:06:50 -0700 (PDT)
Received: from mail213-ch1-R.bigfish.com (10.43.68.239) by CH1EHSOBE007.bigfish.com (10.43.70.57) with Microsoft SMTP Server id 14.1.225.22; Wed, 23 Apr 2014 18:05:43 +0000
Received: from mail213-ch1 (localhost [127.0.0.1]) by mail213-ch1-R.bigfish.com (Postfix) with ESMTP id 03A8B3A028D; Wed, 23 Apr 2014 18:05:43 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.248.5; KIP:(null); UIP:(null); IPV:NLI; H:AMSPRD0310HT004.eurprd03.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -5
X-BigFish: PS-5(zzbb2dI98dI9371Id772h1432I1418Izz1f42h1ee6h1de0h1d18h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzz1de098h8275bh1de097hz2fh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255eh25cch25f6h2605h262fh268bh26d3h1155h)
Received-SPF: pass (mail213-ch1: domain of rhul.ac.uk designates 157.56.248.5 as permitted sender) client-ip=157.56.248.5; envelope-from=Kenny.Paterson@rhul.ac.uk; helo=AMSPRD0310HT004.eurprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10019001)(6009001)(428001)(24454002)(377454003)(479174003)(189002)(199002)(51704005)(99396002)(31966008)(74662001)(74482001)(92726001)(74502001)(76176999)(87936001)(54356999)(83072002)(77096999)(92566001)(81542001)(80022001)(50986999)(66066001)(85852003)(81342001)(79102001)(36756003)(77982001)(80976001)(83322001)(19580405001)(551544002)(2656002)(76482001)(86362001)(4396001)(20776003)(46102001)(19580395003); DIR:OUT; SFP:1102; SCL:1; SRVR:DBXPR03MB384; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:E45FF2E5.97BA9311.7ED7F173.42256970.205A4; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail213-ch1 (localhost.localdomain [127.0.0.1]) by mail213-ch1 (MessageSwitch) id 1398276340668937_20011; Wed, 23 Apr 2014 18:05:40 +0000 (UTC)
Received: from CH1EHSMHS033.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.251]) by mail213-ch1.bigfish.com (Postfix) with ESMTP id 93C23180031; Wed, 23 Apr 2014 18:05:40 +0000 (UTC)
Received: from AMSPRD0310HT004.eurprd03.prod.outlook.com (157.56.248.5) by CH1EHSMHS033.bigfish.com (10.43.70.33) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 23 Apr 2014 18:05:39 +0000
Received: from DBXPR03MB384.eurprd03.prod.outlook.com (10.141.10.20) by AMSPRD0310HT004.eurprd03.prod.outlook.com (10.255.40.39) with Microsoft SMTP Server (TLS) id 14.16.435.0; Wed, 23 Apr 2014 18:06:39 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by DBXPR03MB384.eurprd03.prod.outlook.com (10.141.10.20) with Microsoft SMTP Server (TLS) id 15.0.921.12; Wed, 23 Apr 2014 18:06:38 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.00.0921.000; Wed, 23 Apr 2014 18:06:38 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
Thread-Index: AQHPXCtzaRoqs6xj002Wq6Mdi5x8AJsfUwuAgAANH4CAADXHgA==
Date: Wed, 23 Apr 2014 18:06:38 +0000
Message-ID: <CF7DBB70.1C4C6%kenny.paterson@rhul.ac.uk>
References: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com> <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp> <CACsn0cmP6pp_aMYrCb3-4QBae6v8uuNQYZZW8jxnMaSgPy8SXA@mail.gmail.com>
In-Reply-To: <CACsn0cmP6pp_aMYrCb3-4QBae6v8uuNQYZZW8jxnMaSgPy8SXA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
x-originating-ip: [134.219.227.30]
x-forefront-prvs: 01901B3451
Content-Type: text/plain; charset="us-ascii"
Content-ID: <E9A1B347FE2D6B4BAAB26C651B71F4D4@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vPjL4tVYERy05SGohyttKorl2Qc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 18:06:54 -0000

On 23/04/2014 16:54, "Watson Ladd" <watsonbladd@gmail.com> wrote:

>On Wed, Apr 23, 2014 at 8:07 AM, Martin Rex <mrex@sap.com> wrote:
>> Jacob Appelbaum wrote:
>>> On 4/19/14, Alyssa Rowan <akr@akr.io> wrote:
>>>>
>>>> RC4 is either on the brink of being cracked, given the serious known
>>>> weaknesses pointed out in Section 1 of the draft, or it is already
>>>> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were
>>>> talking about that they got from NSA, and that seems plausible to me,
>>>> and to several others, including Schneier).
>>>
>>> I think that RC4 is completely broken for certain adversaries. It
>>> should be totally abandoned.
>>
>> While I have heard claims that RC4 would be "completely broken", I am
>> still not aware of the slightest indication why or how this break
>> would be performed.

Me neither. 

Jacob Applebaum has said this kind of thing in various fora. I think it's
time he put some detail behind the claim (or stopped making it).

However, whether this is correct or not does not diminish the other
well-justified arguments for deprecating RC4. It's looking distinctly
unwell to me.


>> RC4 is a stream cipher, and operates by xoring plaintext with
>> a pseudo-random keystream.  In order to "completely break" RC4,
>> it would be necessary to precompute future RC4 outputs from
>> some amount of *known* RC4 keystream, essentially re-creating
>> the internal state of the RC4 algorithm.
>
>Yes, that would be terribly bad of a break. We don't have one like
>that now. 5 years from now I would not be surprised. We need to start
>moving now to be ready for the inevitable. I would prefer not to have
>my banking secrets spread across the Internet before we decide we have
>a problem.
>
>However, even before you predict keystream from a handful of bytes you
>can do the following:
>-Use multiple connections sharing similar data together with hidden
>markov models to recover text


Indeed, the use of language models is mentioned as an enhancement in our
paper. Based on my experience of using such models in a different context,
I think they would make a big difference in reducing the attacks'
ciphertext requirements when the plaintext being targeted is "natural
language", and possibly even passwords. But this is less likely to be
effective for session cookies. It would be a great student project to
investigate this angle.


>-Use byte biases to determine what kind of information is flowing into
>and out of a server: yes we can tell if you have binaries or text and
>serve them up over RC4.


I don't immediately know how you'd do that, but I'm willing to be
educated! Maybe you're assuming ASCII or binary plaintext, and then
aggregating most significant bit estimates over many ciphertext positions?
Do you have an estimate for how much ciphertext would be needed to achieve
a certain confidence level here?


>-Remember wepcrack? RC4 leaks key information


Right now, we do not know how to exploit key leakage into the keystream
when RC4 is used in TLS. To understand why, you have to look at how the
RC4 key for each session/connection is computed in TLS compared to how it
is computed for each frame in WEP. If you can make progress here, then you
would have a very nice research paper (and probably an improved attack on
RC4 in TLS).



>The RC4 state update is weak: it always changes an even permutation to
>an odd one. There are probably other rep theoretic issues: I've not
>thought very hard about it.


But then it's unwise to speculate, Watson! By contrast, many people have
studied RC4 fairly intensively over the years, and the state of the art is
what it is (modulo claims by Jacob Applebaum). I'd recommend you either do
think about RC4 hard, or go read the literature, rather than just
speculating.


>All of this is possible today. It won't stop being possible, and our
>understanding of the weaknesses in RC4 will only grow. Already, users
>assumptions of the security they have is not met by RC4.


I can almost agree with this, except for your comments about key leakage
into the keystream.


Cheers,

Kenny

v2.23.0 | Report a Bug | By Email