[3643] in Kerberos-V5-bugs
[krbdev.mit.edu #1254]Re: SAM uses RC4 insecurely
daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Tue Nov 12 16:12:16 2002
Mail-Followup-To: rt@krbdev.mit.edu
Message-Id: <rt-1254-3686.2.3362551953592@krbdev.mit.edu>
In-Reply-To: <rt-1254@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
Mail-Copies-To: never
To: kenh@cmf.nrl.navy.mil
Cc: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Tue, 12 Nov 2002 16:06:23 -0500 (EST)
>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
Let's see if we can open a few less bugs on this thread.
Copying krb5-bugs and not including a bug number in the subject opens a new bug.
>> Well, there is a derive-key for rc4, but it only takes keyusage
>> as input, not a string.
Ken> Hm, I think I'm confused. I see where the keyusage gets fed
Ken> into the algorithm in the Brezak draft, but what I don't see
Ken> is anything that looks like derive-key for rc4. Maybe we're
Ken> not talking about the same thing.
I'm pointing out that there is algorithm that uses the long-term key
and key usage to come up with an encryption key. It actually uses
long-term key, keyusage and data; this is against the intent of the
kcrypto draft but is allowed by the text.
>> Defining dk interms of dr would work for rc4 if you had a
>> reasonable definition of dr, but you currently do not.
Ken> Maybe I'm being dense again (and not knowing much about rc4,
Ken> other than glancing over the routines that implement it) but
Ken> would it be reasonable to pretend for the purposes of rc4 and
Ken> dr that the blocksize was equal to the keysize? I think that
Ken> would prevent the attack you described. Or just keep state
Ken> between calls to the encryption routine.
No, because since rc4 is a stream cipher you'll end up using the same
pseudo-random stream if I call dr with different constants. I.E. rc4
is a function that takes a key, some initial state, and a length and
returns that many bits of pseudorandom stream. I then xor that
against the data. The way the dr in the simplified profile is
definied, if I treat rc4 as a block cipher then I'll be xoring the
same output of rc4 against whatever constant I feed into dr. So the
output of two calls to dr with the same key is related in a rather
easy to detect manner.
Ideally you want dr to be a pseudo-random function.
As I mentioned, there is both md4 and the data-based-keying of rc4
without confounder as a potential candidate for dr. You could also
use the key that would be produced by the data-based keying as a
potential candidate for dr.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
