×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Cryptographers Break Commonly Used RC4 Cipher

timothy posted about a year ago | from the do-it-one-nanotimes dept.

Privacy 90

Sparrowvsrevolution writes "At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987. Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router." RC4 may be long in the tooth, but it remains very widely used.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

90 comments

Arcfour (5, Informative)

Hatta (162192) | about a year ago | (#43174593)

This is the cipher known as 'arcfour' in SSH. I use it regularly when speed is more important than security, which is frequently. I'm not sending a billion of the same files anywhere, so I will continue to use it.

Re:Arcfour (1)

i kan reed (749298) | about a year ago | (#43174659)

Ah, but what about when you're sending highly repetitive data, like a data table?

Re:Arcfour (2)

Hatta (162192) | about a year ago | (#43174699)

Then I'd enable compression.

Re:Arcfour (1)

X0563511 (793323) | about a year ago | (#43174899)

Compression is deterministic. Compress the same data, you get the same output.

Re:Arcfour (0)

Anonymous Coward | about a year ago | (#43174937)

But the method depends on sending billions of identical packets. If you encrypt your billions of identical data, you should be left with only hundreds of millions of identical packets, and you'd be safe. If you're sending tens of billions of identical data over the internet, you should look for a better compression algorithm.

Re:Arcfour (1)

i kan reed (749298) | about a year ago | (#43174983)

You compress, encrypt, send, decrypt, decompress obviously.

Re:Arcfour (1)

X0563511 (793323) | about a year ago | (#43177281)

Yes, but if you send the same file over and over, the compression isn't going to stop this attack from working.

Re:Arcfour (0)

Anonymous Coward | about a year ago | (#43177495)

Why do you want to send the same data over and over again ?

Why do you want to send the same data over and over again ?

Why do you want to send the same data over and over again ?

Re:Arcfour (3, Insightful)

Hatta (162192) | about a year ago | (#43175079)

Irrelevant. As long as I only send one copy of the compressed data, it should be safe. A better objection is that it probably would take more CPU to compress the data before sending it over RC4 than it would to just switch to AES with no compression.

Re:Arcfour (0)

Anonymous Coward | about a year ago | (#43175905)

Compress with some algorithms and the first few bytes are known - allowing for a known plaintext attack vector. Just zip something and see if it starts with PK - I bet it does.

Re:Arcfour (2)

pthisis (27352) | about a year ago | (#43176175)

ssh's authors are smarter than that, they don't prepend a fixed header when enabling compression.

Re:Arcfour (1)

WaywardGeek (1480513) | about a year ago | (#43178599)

I tried to beat ARC4 a decade ago, and had to admit defeat. It's a fine stream crypto system, so long as you have a solid nounce and drop the first few hundred bytes of output. I use ARC4-DROP(1024) in tinycrypt, a simple encryption tool I published on sourceforge because I couldn't find one that was simple. Back then, crypto gurus had found that with 1G of data they could determine that an encrypted stream of 0's was ARC4. I think that's been reduced to around 10Mb. So the question is "how do I make use of 1 part in 100 million non-randomness". Well, I guess such a plan involves sending the same data a billion times.

This attack requires that the encrypting server be compromised to allow a known plain text to be encrypted millions of times and the results published. If you're there already, you're in trouble. However, ARC4 remains useful in most streaming situations. Would you rather stick it out with an algorithm as well known and attacked as ARC4, or take a risk with the new kid on the block?

Re:Arcfour (0)

Anonymous Coward | about a year ago | (#43183785)

Can't use compression, then the CRIME attack can be used.

Re:Arcfour (-1)

Anonymous Coward | about a year ago | (#43174979)

Ah, but what about when you're sending highly repetitive data, like a data table?

You're such a fucking nigger for asking that kind of stupidass question. What do you suppose compression is for, jackass?

Yeah that's right I said nigger. Time for the libtards to wet their beds again. If you mod me down that will definitely make all the ghetto fucking niggers stop worshipping street thugs, parent their kids, and for just once put more blacks in college than in prison. Yeah, sure. Liberalism says "lets just cover up any FACTS that contradict what we want to believe, wow we are so very smart!".

Get the fucking niggers to stop committing so many goddamned violent crimes, stop having bastard kids they knew they couldn't afford, stop worshipping gutter trash street thugs, parent their kids, learn to speak fucking intelligent english and not that low-bred gutter trash that the libtards named "ebonics" to make it sound like it's legitimate because when it comes to feel-good change-nothing bullshit they eat that shit up, and you will END ALL RACISM within ten years. Until then, fuck those niggers and fuck the brainwashed white assholes who keep making excuses for why they can't get their shit together. Hey assholes, the Jews have faced horrible persecution too, and a hell of a lot more recently than 1865, and most of them aren't gutter trash parasites on the ass of society. I know libtards are emotional bedwetting dipshits with the wishful thinking inability to cope with reality of the average two-year-old, but why don't you apply some logic to that one eh?

Re:Arcfour (1)

Joce640k (829181) | about a year ago | (#43174759)

FTA: "Specifically, Bernstein showed serious cracks in TLS and SSL"

Seems it's not arcfour that's broken, its the specific combination of arcfour and TLS/SSL.

Re:Arcfour (5, Interesting)

Joce640k (829181) | about a year ago | (#43174807)

Oh, wait, it's the arcfour key scheduling thing again.

This is an old arcfour weakness, not news. Everybody knows about it (and how to avoid it). The SSL people just never bothered to do it.

Re:Arcfour (1)

WhiteDragon (4556) | about a year ago | (#43175481)

Oh, wait, it's the arcfour key scheduling thing again.

This is an old arcfour weakness, not news. Everybody knows about it (and how to avoid it). The SSL people just never bothered to do it.

According to the slides [cr.yp.to] , this attack works by exploiting a bias in the output of RC4, not the key schedule at all...

Re:Arcfour (1)

Anonymous Coward | about a year ago | (#43175547)

The SSL people never bothered to do it because SSL was defined before the weaknesses were published. The method to mitigate the problem makes it an entirely new algorithm. And there are much better algorithms to standardize than RC4+half-measures. The real problem is that vendors won't upgrade to these newer algorithms, such as AES-GCM.

Also, the well known measures didn't avoid the problem, they just kicked the bucket down the road. Once upon a time you only had to discard 256 bytes, then 768 bytes, then 1024 bytes.... The root of the issue is that RC4 is now a very weak cipher, and continues to get weaker. The actual permutations it generates are too biased. There may be ways to fix it, but nobody is seriously bothering to try because we already have much strong algorithms with security proofs.

Re:Arcfour (1)

bill_mcgonigle (4333) | about a year ago | (#43174817)

I doubt you can peg your CPU with '-c blowfish'.

Re:Arcfour (2)

TheCarp (96830) | about a year ago | (#43175069)

Thats what I have been using for years. In fact, in my last job when one of the DBAs was complaining about how long it took to transfer really large files with winscp, I showed her how to set blowfish as the cipher and she about started glowing she was so happy at the speed.

Re:Arcfour (1)

Hatta (162192) | about a year ago | (#43175157)

I think you'd be surprised at what CPUs I run SSH on.

Re:Arcfour (1)

bill_mcgonigle (4333) | about a year ago | (#43175485)

I think you'd be surprised at what CPUs I run SSH on.

I recall benchmarking an old Pentium-75 at 17Mbps with rsync over ssh, and that was, I think, 2001 (for an embedded x86 appliance I was working on). That was a 150MIPS machine. But, yes, the NetBSD folk do some amazing things, and anybody running a 16MHz Atmel is going to have a hard time pushing serious crypto. The new embedded chips with AES on-die are also lovely.

Re:Arcfour (0)

Anonymous Coward | about a year ago | (#43175183)

Unless your CPU is made by Sun. Seriously slow CPUs for crypto.

Re:Arcfour (1)

overmoderated (2703703) | about a year ago | (#43174823)

This is also what is used by Google mail relays: version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);

Re:Arcfour (0)

Anonymous Coward | about a year ago | (#43176263)

ECDHE-RSA-RC4-SHA is not plain RC4 go read :http://www.imperialviolet.org/2011/11/22/forwardsecret.html

Re:Arcfour (3, Informative)

slew (2918) | about a year ago | (#43176605)

As I understand it, ARC4 originally stood for 'Alleged' RC-4 since it was reverse engineered from RSA's proprietary RC4 implementation. The name RC4 is trademarked by RSA and they refuse to confirm that ARC4 was 100% compatible with their trademarked RC4, so for these two reason, the name ARC4 stuck.

Of course nobody today disputes that there is any actual difference between the public ARC4 and RSA's RC4...

Re:Arcfour (-1, Offtopic)

sutabipo (2865937) | about a year ago | (#43177391)

http://www.cloud65.com/ [cloud65.com] Mackenzie. even though Lisa`s st0ry is amazing... on monday I got a new Infiniti from bringing in $9667 thiss month an would you believe 10/k last month. it's by-far the best-work Ive had. I actually started 4 months ago and pretty much straight away began to bring home at least $82, per-hr. I follow the details here,

Oh, come on ... heh. (1)

B3ryllium (571199) | about a year ago | (#43174597)

Many of the available PCI-type scanning tools seem to recommend it, so this is wonderful. Certainly sounds riskier than the recent BEAST vulnerability.

I'm sure this will lead to a few new entries on my gibsonindex.org cyber attack severity ranking [gibsonindex.org] project, as people find ways to apply this attack vector. :(

Anyone know what Cipher Suite configuration is the "safest" now? :)

Re:Oh, come on ... heh. (5, Informative)

bill_mcgonigle (4333) | about a year ago | (#43174793)

Anyone know what Cipher Suite configuration is the "safest" now? :)

You're screwed. You have the PCI people who are freaked out over CBC ciphers because of BEAST, you have lots of LTS distros not offering TLS 1.2, and you have people under FIPS who are your customers, so you wind up having to offer RC4 as a cipher to meet all of the above requirements. And even if you assume FIPS-managed clients will be controlling their ciphers to meet their internal requirements, you have to explain this to the PCI scanner vendor every. single. time.

If the LTS vendors could backport TLS 1.2, that would solve many headaches.

Re:Oh, come on ... heh. (1)

B3ryllium (571199) | about a year ago | (#43174833)

Yep, that's what I thought. Epic no-win scenario. :(

Maybe there's a way to Kobayashi Maru it.

Re:Oh, come on ... heh. (0)

Anonymous Coward | about a year ago | (#43175559)

No one has managed to defeat Kobayashi Maru in over 80 years.

Re:Oh, come on ... heh. (1)

Kaenneth (82978) | about a year ago | (#43175687)

Use good encryption inside, and RC4 on the outside? (layered) Just like my Truecrypt volume on a Bitlocker'd drive.

Re:Oh, come on ... heh. (2)

viperidaenz (2515578) | about a year ago | (#43177503)

Just like my double-ROT13 encryption on this message!

Re:Oh, come on ... heh. (1)

martijn hoekstra (1046898) | about a year ago | (#43201405)

Just like my double-ROT13 encryption on this message!

Typing in all caps is considered shouting, please refrain from it. Also, ROT13 is traditionally capitalised.

Re:Oh, come on ... heh. (0)

Anonymous Coward | about a year ago | (#43183907)

That means changing the protocol and why do that when TLS1.2 already fixes these issues?

Android 2.3 (1)

tepples (727027) | about a year ago | (#43174931)

If the LTS vendors could backport TLS 1.2, that would solve many headaches.

You can't even be sure to have Server Name Indication on a smartphone. Entry-level smartphones still come with Android 2.3, whose TLS stack lacks SNI support, and without SNI, they can't see the certificate for more than one site on port 443 of a given IPv4 address.

Re:Oh, come on ... heh. (0)

Anonymous Coward | about a year ago | (#43179693)

While RC4 is 128-bit, it's not FIPS 140-2 approved. You are limited to 3DES or AES in FIPS environments.

Re:Oh, come on ... heh. (1)

bill_mcgonigle (4333) | about a year ago | (#43184127)

You are limited to 3DES or AES in FIPS environments.

Yes, and in CBC mode if you want browser and openssl support, which leads back to the BEAST attack without TLS 1.2. Which is fine if the client is properly configured to avoid the attack - the server side can only help, not prevent. But the PCI Scanner vendors will redflag you for running any CBC ciphers.

Re:Oh, come on ... heh. (2)

broken_chaos (1188549) | about a year ago | (#43179803)

Many browsers still don't support TLS 1.2 (which I feel should be treated as a serious bug, not a feature enhancement that some of those browsers treat it as). And those that do almost universally don't enable it by default.

So you'd still have to support RC4, for the moment.

Re:Oh, come on ... heh. (0)

Anonymous Coward | about a year ago | (#43175037)

I'm sure this will lead to a few new entries on my gibsonindex.org cyber attack severity ranking [gibsonindex.org] project

Yes we appreciate the shameless plug. But the joke's on you! Just about everybody here runs ad-blockers. So to quote Nelson: HAH-HAH!

Re:Oh, come on ... heh. (1)

B3ryllium (571199) | about a year ago | (#43175125)

The site doesn't have ads. It's got two amazon affiliate links on the About page (for the movie Hackers and a search of William Gibson's books), but that's it.

I'm just trying to do something good.

Re:Oh, come on ... fail. (0)

Anonymous Coward | about a year ago | (#43175195)

I'm just trying to do something good.

Feeding the trolls doesn't count.

Like the troll said: HAH-HAH!!

Re:Oh, come on ... heh. (0)

Anonymous Coward | about a year ago | (#43201691)

Anyone know what Cipher Suite configuration is the "safest" now? :)

What you want is AES-GCM. GCM is only supported by TLS 1.2

Failing that, AES-CBC is safe assuming you are patched for BEAST and Lucky 13.

Gmail uses RC4 (1)

Iarwain Ben-adar (2393286) | about a year ago | (#43174615)

Last time I checked, Gmail was negotiating RC4. For scale reasons?

Re:Gmail uses RC4 (3, Insightful)

heypete (60671) | about a year ago | (#43174753)

Yup. RC4 is really fast in software and so can scale really easily without needing any real change in server capacity.

Also, most browsers support Elliptic-Curve Diffie-Hellman key exchange with RC4 which provides perfect forward secrecy with substantially less computing overhead as using the standard DH key exchange protocols.

Hmm. Now to change some settings. Whee.

Re:Gmail uses RC4 (1)

neokushan (932374) | about a year ago | (#43174883)

I'm still not sure how gmail is in any way vulnerable here? From the summary alone, it implies that you need to compromise something else to be able to inject data that's repeated a billion times. Given that gmail doesn't use a 3rd party ad service, it suggests that you'd need to compromise Google one way or another. Either that or the machine itself, in which case a keylogger would be much more effective, or the person's router, in which case there are still other easier attacks.

Doctypes, images, etc. (1)

tepples (727027) | about a year ago | (#43174955)

it implies that you need to compromise something else to be able to inject data that's repeated a billion times.

If a known plaintext is good enough, you could use an image or just the <!DOCTYPE HTML><html><head> at the beginning of every HTML5 document. Or by "inject" did you specifically refer to chosen plaintext?

Re:Doctypes, images, etc. (1)

neokushan (932374) | about a year ago | (#43176455)

I'm referring to the summary itself:

Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router.

The researcher himself has stated that you need to compromise the website. I suppose you're correct in that if you select a well known piece of data, you could be in there, but it must be more complicated than that. I would guess that you can't compare fragments of a message but rather the entire message is required, so you need to capture it all.

Re:Doctypes, images, etc. (1)

Anonymous Coward | about a year ago | (#43177367)

You don't need to see the entire message, only the same same encrypted portion that you're trying to decipher. And you need to see it over and over again, each time encrypted with a different key.

You then look at all the biases, which the RC4 stream generator is rife with (and not just the key schedule). And eventually you'll be able to deduce the plaintext. So, you don't need to know any plaintext, but you need the same unknown plaintext to be at the same position in the stream every cycle.

Obviously it's preferable if the plaintext you're trying to decipher comes earlier in the exchange, because then you can iterate the attack faster. If there's 4MB of stuff you don't care about beforehand, it'll be slow going.

Re:Doctypes, images, etc. (1)

viperidaenz (2515578) | about a year ago | (#43177525)

You might have a hard time getting the !DOCTYPE... to be repeated a billion times on a single SSL session... I assume you have to start again when the SSL connection is renegotiated.

Re:Doctypes, images, etc. (2)

Carnildo (712617) | about a year ago | (#43178961)

Actually, a HTML document starts with something like

HTTP/1.1 200 OK
Date: Fri, 15 Mar 2013 02:18:32 GMT

followed by a bunch of other headers, before you get to the DOCTYPE and such.

Knowing that the document begins with "HTTP/1.1 200 OK" isn't very helpful, because as I understand it, this isn't a known-plaintext attack, but rather a constant-plaintext attack: RC4 as used by SSL/TLS doesn't produce the same cyphertext from a given plaintext every time. Ideally, there wouldn't be any correlation between cyphertexts of the given plaintext, but flaws in the cypher mean there are, and the attack uses these flaws to figure out what the plaintext is, given a sufficient number of encrypted versions of the same plaintext.

Not just scale reasons (0)

Anonymous Coward | about a year ago | (#43177409)

Almost all parts of SSL in common use are compromised to some degree.

The BEAST attack [qualys.com] (theoretically) compromises every common and strong SSL cypher other than RC4 and the march to newer TLS versions that offer protection for them is slow [wikipedia.org] , not least in the webserver packages common Linux distros come with.

Jokes on him! (5, Funny)

Kenja (541830) | about a year ago | (#43174617)

I always change my message after the 999,999,999th time I send it with the same encryption key.

Re:Jokes on him! (1)

Anonymous Coward | about a year ago | (#43175399)

I know your comment is in jest, but it's worth noting the attack already assumes you use a different key for each transmission (just the same plaintext), also it's statistical so it already has a good chance of recovering some data after just a million transmissions, and even more so if the data is constrained (e.g., HTTP headers are always ASCII, but the "billion" number given in the summary is assuming near 100% recovery of the first 256 bytes of an *arbitrary* plaintext).

rfc4345 (4, Informative)

cachimaster (127194) | about a year ago | (#43174631)

If I understood the article, the reported RC4 weakness is known since so long ago there is a RFC about it (rfc4345 [ietf.org] ) that TLS implementation just ignores. SSH also uses RC4 in a non-vulnerable way, and that's why it's not broken, and it's perfectly possible to have a secure RC4 algorithm by simply discarding the first N bytes, where N>1000.

Re:rfc4345 (0)

Anonymous Coward | about a year ago | (#43175603)

Take note of that date on RFC4345--2006. TLS was standardized long before that. And SSL was standardized even before RC4 weaknesses were known.

TLS 1.x could standardize RC4-dropN, but why bother? It's already standardized provably strong algorithms, but browsers don't bother to implement them. Why do you think they're bother to implement yet another new algorithm?

And N == 1000 is conjecture. Once upon a time 256 was enough. Then 512. Then 1024.

Re:rfc4345 (1)

pthisis (27352) | about a year ago | (#43176359)

TLS 1.x could standardize RC4-dropN, but why bother? It's already standardized provably strong algorithms, but browsers don't bother to implement them. Why do you think they're bother to implement yet another new algorithm?

What "provably strong" bulk cipher algorithm is in TLS 1.x? AFAIK as of the latest version--TLS 1.2 (the latest)--only 3DES and AES are allowed as alternatives to RC4. A prove that either of those is strong would be a major result in the crypto world.

Re:rfc4345 (1)

Anonymous Coward | about a year ago | (#43176989)

TLS 1.2 made it easier for clients and servers to negotiate new cipher suites. AES-GCM, which all experts agree is the best option today, is defined by http://tools.ietf.org/html/rfc5288

Several of Berstein's slides make fun of people who say, "oh, we'll just return to RC4". People keep bouncing around between the RC4 stream cipher and CBC block modes, when every expert has been saying for years we should ditch these and move to AES-GCM. But the browsers refuse to upgrade their TLS stacks.

Re:rfc4345 (1)

pthisis (27352) | about a year ago | (#43179321)

That's all true, but has nothing to do with what I was discussing.

The post I was replying to implies that there's a new result proving that AES or 3DES is secure (which would have profound implications not only on cryptography but on greater questions of computability) or that there's a version of TLS that uses one time pads or something. I was attempting to get at exactly what was being claimed.

Find each permutation (0)

Anonymous Coward | about a year ago | (#43174645)

3
ab
abc
bca

Re:Find each permutation (0)

Anonymous Coward | about a year ago | (#43175129)

3 ab abc bca

Yes I am certain the hackers would NEVER think of that on their own!

Figures... (0)

Anonymous Coward | about a year ago | (#43174715)

I just went through my exchange server today disabling weak ciphers. Now this one will be on the list.

PCI scans and BEAST attack... (1)

rhavenn (97211) | about a year ago | (#43174825)

So, all the various PCI scanners tell you to use RC4-based crypto due to BEAST, which is pretty hard to pull off, now suddently we won't be able to able to use RC4 anymore, but TLS v1.2 and up aren't available in IE8 (XP) or older version of Firefox and I believe. So, now what?

Chrome or Firefox (1)

tepples (727027) | about a year ago | (#43175067)

now suddently we won't be able to able to use RC4 anymore, but TLS v1.2 and up aren't available in IE8 (XP)

Show users of IE on Windows XP a countdown timer in days, hours, minutes, and seconds until the planned end of support for Windows XP [microsoft.com] . "Microsoft has announced that on April 8, 2004, it will stop providing security updates for your PC's operating system. In the meantime, we recommend accessing our web site using Google Chrome or Mozilla Firefox web browser. [ Get Chrome ] [ Get Firefox ]"

CORRECTION (1)

tepples (727027) | about a year ago | (#43175089)

I don't always catch all mistakes in preview. The correct date is just over a year from today, or April 8, 2014.

Re:PCI scans and BEAST attack... (1)

dragmar (808158) | about a year ago | (#43177215)

Use CBC with the TLS fix and if your PCI scanning vendor fails you for using CBC when its secure, tell them to go fuck themselves and use a real scanning vendor

WEP? (0)

Anonymous Coward | about a year ago | (#43174865)

isn't this similar to how WEP was broken?

Re:WEP? Yes, similar idea (1)

billstewart (78916) | about a year ago | (#43177549)

RC4 provides reasonably good security as long as you don't use it for things it wasn't meant for. (Rule#1 of RC4 club is "Never encrypt the same stuff twice".) Bernstein's attack is interesting, because he's using TLS/SSL to push RC4 to do things it wasn't meant to do.

Shit, I actually use that one (0)

Anonymous Coward | about a year ago | (#43175323)

I've even been telling people to use it, in a local wiki. Oops. I docced how to make bru use a different machine's tape drive in broken-tape-drive emergencies, and suggested throwing in a "-c arcfour256" or "-c blowfish-cbc" for speed, but hadn't benchmarked which was faster so I didn't know which was best.

Now I know which one is best, I guess. (?) Not that it matters what cipher (I'd be happy to use none or rot13 in this use case) I use for an emergency backup or restore on a LAN, but ...

*sigh* Bring on the AES hardware. Not that it'll do much good with our machines from the year 2004...

Re:Shit, I actually use that one (1)

pthisis (27352) | about a year ago | (#43176543)

arcfour256 drops the first 256 bytes, which is done expressly to prevent a known attack against RC4. In addition, unlike a public https server an attacker can't force you to transfer a same-plaintext file a billion times via ssh. ssh with arcfour256 should still be fairly safe, though I'd certainly transition to AES in a timely fashion.

compromised website? (0)

Anonymous Coward | about a year ago | (#43175351)

If the website is compromised does the SSL connection matter anymore?

RC4 has been broken for years (2)

DNX Blandy (666359) | about a year ago | (#43175705)

I run tests on RC4 years ago, run it thru a plain text file full of the same char repeated and then run through RC4, guess what? Oh the password is showing every 256 chars, hence the "weak" key. I developed a newer version of RC4 called RC64, uses a 64K (65536 or 256 ^ 2) key. The randomisation process is very complex and the algo was only just slightly slower than RC4, which is very fast anyway. A graphical representation of the 64K key visualized pure white-noise when the key was viewed in grey-scale. They need to start using mine me thinks :) Oh, and in a 50MB file full of the same repeated char, the password was not even hinted at and no 4 bytes were the same.

Re:RC4 has been broken for years (2)

PvtVoid (1252388) | about a year ago | (#43176507)

I developed a newer version of RC4 called RC64, uses a 64K (65536 or 256 ^ 2) key. The randomisation process is very complex and the algo was only just slightly slower than RC4, which is very fast anyway. A graphical representation of the 64K key visualized pure white-noise when the key was viewed in grey-scale. They need to start using mine me thinks :) Oh, and in a 50MB file full of the same repeated char, the password was not even hinted at and no 4 bytes were the same.

Well, I'm convinced! Where can I invest in your company?

Re:RC4 has been broken for years (0)

Anonymous Coward | about a year ago | (#43176715)

How's your compressor that can compress everything really well coming along?

Re:RC4 has been broken for years (1)

DerekLyons (302214) | about a year ago | (#43177227)

A graphical representation of the 64K key visualized pure white-noise when the key was viewed in grey-scale.

What statistical analysis did you use to ensure your key was cryptographically strong?

Re:RC4 has been broken for years (0)

Anonymous Coward | about a year ago | (#43177893)

I did numerous analysis on the 50MB file and looked for: Any hint of the password truncated at numerous lengths from both ends and in the middle. Numerous lengths of byte data to check for repetitions in the file as this hints at a "weak" key. For the 64K key itself, I made sure the random rotation was working correctly and not pinning to certain parts of the key which can happen. I effectively wanted a "white-noise" effect on the key rotation which I obtained :)

Re:RC4 has been broken for years (1)

cryptizard (2629853) | about a year ago | (#43178315)

I don't mean to discourage you from trying cool things, but this is exactly what NOT to do when considering cryptography. Creating a secure cipher is HIGHLY non-trivial and should not be attempted (or rather, your attempt should not be used to secure things) unless you understand the processes involved very well and are an expert. Just because the output "looks" random, does not mean it is secure. There are many random number generator algorithms that pass all statistical tests, but are trivial to predict because they are not built to be secure. The fact that you used such a large key is not a good sign because you are either (1) wasting space/computation or (2) relying on the entropy in your ridiculously large key to mask relations between your plaintext and cipher text, meaning you are not secure for larger files. A secure cipher, against which brute force is the best attack, requires a key of only 256 bits for the foreseeable future.

Re:RC4 has been broken for years (1)

DNX Blandy (666359) | about a year ago | (#43180583)

I'm no expert with regards to symmetric encryption granted, but I do know a lot about it. It makes RC4 look like plain-text in comparison. I disagree with regards to using a larger key as it means there is a lot more overlap when rotating the key, why have key(x) when you can have key(x, y)? It's technically as easy hence the speed is only just slightly slower, a fraction. The problem with keys that are 256 is the rotation. I came to the conclusion that there wasn't enough scope to randomize it enough hence the 64K key. I did numerous custom tests with a 256 key and I wasn't satisfied. It doesn't waste any computation and also I found it very good at securing large files. I still can't believe that RC4 is still used with the likes of WEP, SSL. In the end, it'll never get used and just be my own personal symmetric encryption algo :)

NoScript (1)

godel_56 (1287256) | about a year ago | (#43176755)

From TFA: "The gigantic number of identical messages that must be sent to break the scheme might seem reassuring. The attack in its current form takes close to 32 hours to perform. But Paterson points out that an attacker could use a malicious ad, a hijacked portion of a website, or a compromised router to feed the identical message to a user again and again unbeknownst to the victim.

NoScript is your friend, again.

Re:NoScript (0)

Anonymous Coward | about a year ago | (#43179051)

Or, ScriptSafe on Chrome.

Help Get TLS Support in More Browsers (2)

utkonos (2104836) | about a year ago | (#43178795)

TLS 1.1 support is enabled by default in Chrome. Read about that here [blogspot.nl] .

If you want TLS 1.2 in chrome, please star this bug [google.com] .

As for Firefox, TLS 1.1 and 1.2 support are still not ready. If you want to help, vote for this bug [mozilla.org] , this bug [mozilla.org] , this bug [mozilla.org] , and this bug [mozilla.org] .

The bugs to get TLS 1.2 support into Firefox are this one [mozilla.org] and this one [mozilla.org] .

Both Opera and IE support TLS 1.1 and 1.2. If you want to see this in Firefox and Chrome, vote for the bugs above. But, please don't comment on the bugs. That won't help.

Random cookies? (2)

manu0601 (2221348) | about a year ago | (#43180561)

RC4 was useful as a workaround for BEAST. Now we need to throw out RC4, we need another workaround for BEAST

The Right Way would be to use TLS 1.1 or TLS 1.2, but they re not supported by some browsers (e.g.: Mozilla).

What about working around the problem in the web server? BEAST relies on session cookies being at a fixed offset. If I add a random length cookie that is changed on each server reply, I understand I break BEAST assumption. Am I right? Writing an Apache module to do that would be quite straightforward. Perhaps it already exists?

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...