[144641] in cryptography@c2.net mail archive


Re: Fast MAC algorithms?

daemon@ATHENA.MIT.EDU (james hughes)
Sun Jul 26 20:53:32 2009

Cc: james hughes <hughejp@mac.com>, Joseph Ashwood <ashwood@msn.com>,
 cryptography@metzdowd.com
From: james hughes <hughejp@mac.com>
To: jamesd@echeque.com
In-reply-to: <4A6CC192.3020008@echeque.com>
Date: Mon, 27 Jul 2009 08:47:53 +0800


On Jul 27, 2009, at 4:50 AM, James A. Donald wrote:

> From: "Nicolas Williams" <Nicolas.Williams@sun.com>
>>> For example, many people use arcfour in SSHv2 over AES because
>>> arcfour is faster than AES.
>
> Joseph Ashwood wrote:
>> I would argue that they use it because they are stupid. ARCFOUR
>> should have been retired well over a decade ago, it is weak, it
>> meets no reasonable security requirements,
>
> No one can break arcfour used correctly - unfortunately, it is
> tricky to use it correctly.

RC-4 is broken when used as intended. The output has a statistical
bias and can be distinguished.
	http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/FluhrerMcgrew.pdf
and there is exceptional bias in the second byte
	http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/bc_rc4.ps
The latter is the basis for breaking WEP
	http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/wep_attack.ps
These are not attacks on a reduced algorithm; they are on the full
algorithm.

If you take these into consideration, can it be used "correctly"? I
guess tossing the first few words gets rid of the exceptional bias,
and maybe change the key often to get rid of the statistical bias? Is
this what you mean by used "correctly"?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
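The "exceptional bias in the second byte" and the effect of "tossing the first few words" that the message above discusses can be checked empirically. The following is an added example (not code from the thread or from any of the cited papers): a plain RC4 implementation plus a counter that measures how often the second keystream byte is 0x00 over many random keys, with and without discarding an initial prefix of the keystream. The key length (16 bytes), the number of sampled keys (30,000), the prefix length (256 bytes, as in the common RC4-drop[256] convention) and the fixed RNG seed are assumptions chosen so the run is quick and repeatable.

```python
"""Empirical view of the RC4 second-byte bias and of RC4-drop[N].

Added example for this thread, not the original poster's code.
Key length, sample count, drop length and RNG seed are assumptions.
"""
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA), then PRGA for `length` bytes."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                     # KSA
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(length)
    i = j = 0
    for n in range(length):                  # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def second_byte_bias(num_keys: int = 30_000, drop: int = 256,
                     key_len: int = 16, seed: int = 1) -> tuple[float, float]:
    """Measure Pr[byte == 0x00] for the second keystream byte, scaled so an
    unbiased byte gives ~1.0.

    Returns (raw_ratio, dropped_ratio):
      raw_ratio     - second byte of the undropped keystream (index 1)
      dropped_ratio - second byte after discarding `drop` bytes (index drop+1)
    For RC4 the second byte is 0x00 with probability about 2/256, so
    raw_ratio lands near 2.0, while dropped_ratio lands near 1.0.
    """
    rng = random.Random(seed)               # constructed, repeatable keys
    raw_zeros = dropped_zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.randrange(256) for _ in range(key_len))
        ks = rc4_keystream(key, drop + 2)   # one keystream serves both measurements
        raw_zeros += ks[1] == 0
        dropped_zeros += ks[drop + 1] == 0
    scale = 256 / num_keys                  # divide by num_keys, then by 1/256
    return raw_zeros * scale, dropped_zeros * scale


if __name__ == "__main__":
    raw, dropped = second_byte_bias()
    print(f"second byte == 0x00, relative to uniform: raw={raw:.2f}  drop[256]={dropped:.2f}")
```

The sanity check for `rc4_keystream` is the well-known test vector with key `"Key"`, whose keystream starts `EB 9F 77 81 B7 ...`. The `raw` figure near 2.0 is the second-byte bias the message points at; the `dropped` figure near 1.0 shows that discarding the initial keystream removes that particular bias. It says nothing about the weaker, longer-range digraph biases of the first cited paper, which this simple single-byte counter is not designed to detect.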
