Attention CipherSaber Users!!
Arnold G. Reinhold
reinhold at world.std.com
Fri Jul 27 08:33:08 PDT 2001
A draft paper by Scott Fluhrer, Itsik Mantin and Adi Shamir was
released on July 25, 2001 and announces new attacks on the RC4 cipher
that is the basis for CipherSaber-1. Some of these attacks
specifically involve the use of an IV with a secret key, the very
scheme used in CipherSaber. Prof. Shamir states in an e-mail
accompanying the release:
"Attached you will find a new paper which describes a truly practical
direct attack on WEP's cryptography. It is an
extremely powerful attack which can be applied even when WEP's RC4
stream cipher uses a 2048 bit secret key (its maximal size) and 128
bit IV modifiers (as proposed in WEP2). The attacker can be a
completely passive eavesdropper (i.e., he does not have to inject
packets, monitor responses, or use accomplices) and thus his
existence is essentially undetectable. It is a pure known-ciphertext
attack (i.e., the attacker need not know or choose their
corresponding plaintexts). After scanning several hundred thousand
packets, the attacker can completely recover the secret key and thus
decrypt all the ciphertexts. The running time of the attack grows
linearly instead of exponentially with the key size, and thus it is
negligible even for 2048 bit keys."
The paper itself, titled "Weaknesses in the Key Scheduling Algorithm
of RC4," has been posted at
http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf (in PDF
format) and at http://www.crypto.com/papers/others/rc4_ksaproc.ps
(in Postscript).
WEP is an encryption system used with 802.11 wireless Ethernet that
employs RC4, but the attack affects CipherSaber as well. Note that
"several hundred thousand" separate CipherSaber messages encrypted
with the same key would have to be collected for this attack to
succeed. Nonetheless, from a cryptographic standpoint, this is too
close for comfort.
Accordingly, I recommend that CipherSaber users switch to
CipherSaber-2 with a parameter N=20 or larger. The RC4 state vector
will thus be mixed 20 times instead of once. This large a value for N
is probably overkill, but until there is time to fully digest the
implications of this paper, it is better to err on the safe side. If
this is impractical for any reason, I recommend changing keys on a
regular basis to limit the amount of traffic encrypted with any one
CipherSaber key (even though the IVs differ).
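As an added illustration of the N-round mixing recommended above (example code written for this archive page, not Arnold Reinhold's own implementation): the key-setup loop of RC4 is run N times over the user key with the 10-byte IV appended, N=1 giving CipherSaber-1 and N=20 the setting suggested here. It assumes the CipherSaber-2 convention that the index j is carried over between passes rather than reset.

```python
"""CipherSaber-1 / CipherSaber-2 encryption with an N-round RC4 key setup.
Assumptions (from the CipherSaber spec as understood here): the 10-byte IV
is appended to the user key, and CipherSaber-2 repeats the key-setup loop N
times without resetting j between passes. N=1 reproduces plain RC4/CS-1."""
import os

IV_LEN = 10  # CipherSaber always uses a 10-byte IV prepended to the ciphertext


def rc4_ksa(key: bytes, rounds: int = 1) -> list:
    """RC4 key-scheduling; rounds > 1 is the CipherSaber-2 extra mixing."""
    if not key or rounds < 1:
        raise ValueError("key must be non-empty and rounds >= 1")
    s = list(range(256))
    j = 0
    for _ in range(rounds):          # CS-2: repeat the whole loop N times
        for i in range(256):         # j is deliberately not reset per pass
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
    return s


def rc4_stream(s: list, n: int) -> bytes:
    """RC4 PRGA: n keystream bytes from a scheduled state (state is mutated)."""
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes, rounds: int = 20, iv: bytes = None) -> bytes:
    """Return IV || ciphertext. rounds=1 is CipherSaber-1; 20 is the advice above."""
    iv = os.urandom(IV_LEN) if iv is None else iv   # fresh random IV per message
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly 10 bytes")
    ks = rc4_stream(rc4_ksa(key + iv, rounds), len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, message: bytes, rounds: int = 20) -> bytes:
    """Inverse of encrypt(); the IV is read back from the message header."""
    iv, ct = message[:IV_LEN], message[IV_LEN:]
    ks = rc4_stream(rc4_ksa(key + iv, rounds), len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```

Both sides must agree on N; a CipherSaber-1 recipient cannot decrypt a CipherSaber-2 message, so the parameter change has to be coordinated, not just applied locally.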
If and when a consensus develops on the best way to fix RC4, I will
announce a corresponding version of CipherSaber. Visit the
CipherSaber page http://ciphersaber.gurus.com periodically for
updated information.
Arnold Reinhold