IETF Logo Mail Archive

Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)

Watson Ladd <watsonbladd@gmail.com> Wed, 23 April 2014 15:54 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617281A02A2 for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:54:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_55=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMralGHoy_EL for <tls@ietfa.amsl.com>; Wed, 23 Apr 2014 08:54:12 -0700 (PDT)
Received: from mail-yh0-x235.google.com (mail-yh0-x235.google.com [IPv6:2607:f8b0:4002:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id C787E1A00CB for <tls@ietf.org>; Wed, 23 Apr 2014 08:54:11 -0700 (PDT)
Received: by mail-yh0-f53.google.com with SMTP id i57so1039019yha.12 for <tls@ietf.org>; Wed, 23 Apr 2014 08:54:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=oidtIRk7Lv4ysqRyy3kDKAlOuacZHRvT831YgZKXFw8=; b=BxaMlYacoheiTDd/nC0CMl9G7dBzChX+d4SD7PbI/mQTuSus45Jbcc5FjSTEw6p3lN OgglBYhRmid84SaCqYDJ8MkHD/fs9zWVS9yl6SuzazwoMCORucpRjjr/Qi/a3Vk++A5V /vT82ImapQfVMojSyinpRZhULpLNXg7hzJOHB0lCWL5MhU9AeUPljZ8bNjebF5jFGETK p62w+YPLKbCsb5e51nksBU6d4A7XjWZRU91BbojgNi/3IaU09idSuG2kPAovv49txplj POZ4cKjSgBcmZp6neCB4jjyliLI1Dh2eR/aH8NKNjnET/P0XHoG/Qn7rAw5KBM5/uCjO BlYw==
MIME-Version: 1.0
X-Received: by 10.236.120.66 with SMTP id o42mr36541812yhh.66.1398268445850; Wed, 23 Apr 2014 08:54:05 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 23 Apr 2014 08:54:05 -0700 (PDT)
In-Reply-To: <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
References: <CAFggDF0Kh+F3R+NtKZ-WhQWn3gO9quGhaFL8Qnx1a6TiVbAmGQ@mail.gmail.com> <20140423150707.F18C11ACDB@ld9781.wdf.sap.corp>
Date: Wed, 23 Apr 2014 08:54:05 -0700
Message-ID: <CACsn0cmP6pp_aMYrCb3-4QBae6v8uuNQYZZW8jxnMaSgPy8SXA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ymWZXexmKkRbCy7o1LEo5HhRLl8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RC4 Considered Harmful (Was: RC4 deprecation path)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 15:54:13 -0000

On Wed, Apr 23, 2014 at 8:07 AM, Martin Rex <mrex@sap.com> wrote:
> Jacob Appelbaum wrote:
>> On 4/19/14, Alyssa Rowan <akr@akr.io> wrote:
>>>
>>> RC4 is either on the brink of being cracked, given the serious known
>>> weaknesses pointed out in Section 1 of the draft, or it is already
>>> over the brink (if that's the 'cryptanalytic breakthrough' GCHQ were
>>> talking about that they got from NSA, and that seems plausible to me,
>>> and to several others, including Schneier).
>>
>> I think that RC4 is completely broken for certain adversaries. It
>> should be totally abandoned.
>
> While I have heard claims that RC4 would be "completely broken", I am
> still not aware of the slightest indication why or how this break
> would be performed.
>
> RC4 is a stream cipher, and operates by xoring plaintext with
> a pseudo-random keystream.  In order to "completely break" RC4,
> it would be necessary to precompute future RC4 outputs from
> some amount of *known* RC4 keystream, essentially re-creating
> the internal state of the RC4 algorithm.

Yes, that would be terribly bad of a break. We don't have one like
that now. 5 years from now I would not be surprised. We need to start
moving now to be ready for the inevitable. I would prefer not to have
my banking secrets spread across the Internet before we decide we have
a problem.

However, even before you predict keystream from a handful of bytes you
can do the following:
-Use multiple connections sharing similar data together with hidden
markov models to recover text
-Use byte biases to determine what kind of information is flowing into
and out of a server: yes we can tell if you have binaries or text and
serve them up over RC4.
-Remember wepcrack? RC4 leaks key information

The RC4 state update is weak: it always changes an even permutation to
an odd one. There are probably other rep theoretic issues: I've not
thought very hard about it.

All of this is possible today. It won't stop being possible, and our
understanding of the weaknesses in RC4 will only grow. Already, users
assumptions of the security they have is not met by RC4.

Given uptake times, we need to start pushing for a fix now if we want
it ready in 5 years. Supposedly, algorithm agility was supposed to
work for this eventuality: it should be relatively trivial to change
configurations to use block ciphers if you don't care about BEAST and
Lucky 13. If you do, upgrade to TLS 1.2. We have a fix: it needs to be
deployed, and people need to know they have to.

>
>
> -Martin
>
> PS: the most attractive target for breaking is the key exchange algorithm,
> because that would make the traffic protection keys (MAC and encrypt)
> available independent of the crypto an mac algorithms and their strength.
> Considering that NSA has been pushing ECDSA+ECDHE for quite a while
> (Suite B with NIST curves), I'm more worried about EC weaknesses than
> RC4 bias or chained CBC-IVs.

You shouldn't be. EC has been around since 1985 with no real
scratches. Do you know something we don't? Show me a discrete log on
P256 (with all the usual points about how to do it so I know you
didn't cheat) and I'll get worried. Show me a new weak class of curves
(prime fields only) and I'll be interested.

>
> ECDHE with Curve25519 and single-use(!!) DHE keypairs looks OK, but
> that might not interoperable with a large fraction of the installed
> base for another decade.

Single-use only because implementors don't take elementary precautions
against side channels. The Curve25519 impl. has no side-channels.
The security difference between Curve25519 and P256 is entirely a
result of poor implementations. The speed difference is a result of
careful choices.

There is no known attack against properly implemented Suite B
protocols known in the open literature. Nor is there likely to be one
anytime soon: extensive analysis over the past decades has found
nothing. However, implementation quality can be low.

Sincerely,
Watson Ladd

>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email