Cracking RC4/40 for massive wiretapps
Bill Stewart
stewarts at ix.netcom.com
Thu Aug 1 01:32:51 PDT 1996
At 11:13 AM 7/30/96 -0700, frantz at netcom.com (Bill Frantz) mused paranoidly:
>I combine the above with Whit Diffie's observation that, while crypto users
>are interested in the security of *each* message, organizations which
>monitor communications want to read *every* message. A TLA interested in
>monitoring communications would need to crack RC4-40 much faster than
>1/week.
When we discussed using FPGA machines to crack RC4/40 last year,
someone calculated the cost of cracking a message at 8 cents
if you're doing enough to amortize your machine, and Eric had designed
a system that should be able to crack it in about 15 minutes for $25-50K.
The two basic search approaches are to take a cyphertext and decrypt it
trying many keys to see if you get a likely plaintext, or to take known
plaintext and encrypt with many keys to see if you match the cyphertext.
But those designs are for one-at-a-time cracks. An interesting question
is whether you can speed up performance substantially by cracking
multiple messages at once. For instance, if you've got known plaintext,
such as a standard header format saying "FooVoice" or "BEGIN DSA-SIGNED..",
you can try many keys and compare them with _many_ cyphertexts,
which may not slow down the FPGA very much. Also, even for
unknown-plaintext, since key scheduling is a relatively slow part of RC4/40,
you can split the key-schedule and the block-encryption phases, feeding
one keyschedule output to multiple decrypt-and-compare sessions in parallel.
So the cost per victim of cracking many sessions may be much lower.
>Now expensive specialized cracking equipment can certainly speed up the
>process, but there may be a better way. If cryptanalysis of RC4 yields
>techniques which make the process much easier, then it is the ideal cypher
>to certify for export.
>The paranoid conclusion is that there is a significant weakness in RC4.
Just keeping the key length down to 40 bits on a fast cypher is a good start.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts at ix.netcom.com
# <A HREF="http://idiom.com/~wcs">
# Dispel Authority!
More information about the cypherpunks-legacy
mailing list