Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
Watson Ladd <watsonbladd@gmail.com> Wed, 23 April 2014 15:54 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617281A02A2 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:54:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_55=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMralGHoy_EL for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:54:12 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id C787E1A00CB for <tls@ietf.org>; Wed, 23 Apr 2014 08:54:11 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id i57so1039019yha.12 for <tls@ietf.org>; Wed, 23 Apr 2014 08:54:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=oidtIRk7Lv4ysqRyy3kDKAlOuacZHRvT831YgZKXFw8=; b=BxaMlYacoheiTDd/nC0CMl9G7dBzChX+d4SD7PbI/mQTuSus45Jbcc5FjSTEw6p3lN OgglBYhRmid84SaCqYDJ8MkHD/fs9zWVS9yl6SuzazwoMCORucpRjjr/Qi/a3Vk++A5V /vT82ImapQfVMojSyinpRZhULpLNXg7hzJOHB0lCWL5MhU9AeUPljZ8bNjebF5jFGETK p62w+YPLKbCsb5e51nksBU6d4A7XjWZRU91BbojgNi/3IaU09idSuG2kPAovv49txplj POZ4cKjSgBcmZp6neCB4jjyliLI1Dh2eR/aH8NKNjnET/P0XHoG/Qn7rAw5KBM5/uCjO BlYw==
MIME-Version: 1.0
X-Received: by 10.236.120.66 with SMTP id o42mr36541812yhh.66.1398268445850; Wed, 23 Apr 2014 08:54:05 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 23 Apr 2014 08:54:05 -0700 (PDT)
In-Reply-To: <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
References: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com> <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
Date: Wed, 23 Apr 2014 08:54:05 -0700
Message-ID: <CACsn0cmP6pp_aMYrCb3-4QBae6v8uuNQYZZW8jxnMaSgPy8SXA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ymWZXexmKkRbCy7o1LEo5HhRLl8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 15:54:13 -0000
On Wed, Apr 23, 2014 at 8:07 AM, Martin Rex <mrex@sap.com> wrote: > Jacob Appelbaum wrote: >> On 4/19/14, Alyssa Rowan <akr@akr.io> wrote: >>> >>> RC4 is either on the brink of being cracked, given the serious known >>> weaknesses pointed out in Section 1 of the draft, or it is already >>> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were >>> talking about that they got from NSA, and that seems plausible to me, >>> and to several others, including Schneier). >> >> I think that RC4 is completely broken for certain adversaries. It >> should be totally abandoned. > > While I have heard claims that RC4 would be "completely broken", I am > still not aware of the slightest indication why or how this break > would be performed. > > RC4 is a stream cipher, and operates by xoring plaintext with > a pseudo-random keystream. In order to "completely break" RC4, > it would be necessary to precompute future RC4 outputs from > some amount of *known* RC4 keystream, essentially re-creating > the internal state of the RC4 algorithm. Yes, that would be terribly bad of a break. We don't have one like that now. 5 years from now I would not be surprised. We need to start moving now to be ready for the inevitable. I would prefer not to have my banking secrets spread across the Internet before we decide we have a problem. However, even before you predict keystream from a handful of bytes you can do the following: -Use multiple connections sharing similar data together with hidden markov models to recover text -Use byte biases to determine what kind of information is flowing into and out of a server: yes we can tell if you have binaries or text and serve them up over RC4. -Remember wepcrack? RC4 leaks key information The RC4 state update is weak: it always changes an even permutation to an odd one. There are probably other rep theoretic issues: I've not thought very hard about it. All of this is possible today. It won't stop being possible, and our understanding of the weaknesses in RC4 will only grow. Already, users assumptions of the security they have is not met by RC4. Given uptake times, we need to start pushing for a fix now if we want it ready in 5 years. Supposedly, algorithm agility was supposed to work for this eventuality: it should be relatively trivial to change configurations to use block ciphers if you don't care about BEAST and Lucky 13. If you do, upgrade to TLS 1.2. We have a fix: it needs to be deployed, and people need to know they have to. > > > -Martin > > PS: the most attractive target for breaking is the key exchange algorithm, > because that would make the traffic protection keys (MAC and encrypt) > available independent of the crypto an mac algorithms and their strength. > Considering that NSA has been pushing ECDSA+ECDHE for quite a while > (Suite B with NIST curves), I'm more worried about EC weaknesses than > RC4 bias or chained CBC-IVs. You shouldn't be. EC has been around since 1985 with no real scratches. Do you know something we don't? Show me a discrete log on P256 (with all the usual points about how to do it so I know you didn't cheat) and I'll get worried. Show me a new weak class of curves (prime fields only) and I'll be interested. > > ECDHE with Curve25519 and single-use(!!) DHE keypairs looks OK, but > that might not interoperable with a large fraction of the installed > base for another decade. Single-use only because implementors don't take elementary precautions against side channels. The Curve25519 impl. has no side-channels. The security difference between Curve25519 and P256 is entirely a result of poor implementations. The speed difference is a result of careful choices. There is no known attack against properly implemented Suite B protocols known in the open literature. Nor is there likely to be one anytime soon: extensive analysis over the past decades has found nothing. However, implementation quality can be low. Sincerely, Watson Ladd > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Bill Frantz
- [TLS] RC4 depreciation path (Re: Deprecating more… Watson Ladd
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Kurt Roeckx
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Ilari Liusvaara
- Re: [TLS] RC4 deprecation path (Re: Deprecating m… Michael D'Errico
- Re: [TLS] RC4 deprecation path (Re: Deprecating m… Kurt Roeckx
- Re: [TLS] RC4 deprecation path (Re: Deprecating m… Yoav Nir
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Fabrice
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Yoav Nir
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Kurt Roeckx
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Watson Ladd
- [TLS] RC4 Considered Harmful (Was: RC4 deprecatio… Alyssa Rowan
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Yoav Nir
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Yoav Nir
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Watson Ladd
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Alyssa Rowan
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Jacob Appelbaum
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… David Holmes
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Watson Ladd
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Alyssa Rowan
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Watson Ladd
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Salz, Rich
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Yoav Nir
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Geoffrey Keating
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Paterson, Kenny
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Marsh Ray
- Re: [TLS] RC4 Considered Harmful (Was: RC4 deprec… Martin Rex
- Re: [TLS] RC4 depreciation path (Re: Deprecating … Kurt Roeckx