Fix for RC4 (was: Re: Attention CipherSaber Users!!)

Greg Rose ggr at qualcomm.com
Sat Jul 28 15:09:32 PDT 2001


The fix that's been suggested for some time in the common wisdom about RC4, 
namely discarding the first 256 bytes of output, would seem to be entirely 
adequate to address the problems discovered. If this is considered to be 
part of the key setup, it slightly less than doubles the time, and it's 
extremely simple.

I have always felt that folding in the key with only a single pass was a 
bit "close to the edge". Note that the RC5 *key schedule* does at least 
three passes! (Not strictly comparable, of course.)

Another alternative suggests itself, which would be to continue the 
key-based randomisation for a second pass over the state array. I'd worry 
about weak keys that somehow undid their own actions, though, so I think I 
still prefer just letting the randomisation-through-generation continue.

Greg.

At 01:20 PM 7/28/2001 -0700, jamesd at echeque.com wrote:
>     --
>On 27 Jul 2001, at 11:33, Arnold G. Reinhold wrote:
> > A draft paper by Scott Fluhrer, Itsik Mantin and Adi Shamir was
> > released on July 25, 2001 and announces new attacks on the RC4 cipher
> > that is the basis for CipherSaber-1. Some of these attacks
> > specifically involve the use of an IV with a secret key, the very
> > scheme used in CipherSaber.  Prof. Shamir states in an e-mail
> > accompanying the release:
>
>If I understand the paper 
>http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf correctly, 
>CipherSaber and WEP would be fixed if instead of making the RC4 
>initialization by concatenating a permanent and unchanging secret key, and 
>an ever changing visible random value, they instead constructed
>the RC4 key by doing several different SHA hashes of the unchanging secret 
>key, and the ever changing visible random value, and concatenated those 
>hashes, and also discarded some substantial number of initial bytes from 
>the RC4 output.
>
>     --digsig
>          James A. Donald
>      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>      xXgj5w0VTwI81xCh6amG5KOaB6nNDXD/mS2s7VXR
>      4vvEsQrjo5uE2RHZQa/1atZPduIFyneZNWgzOS40c


Greg Rose                                       INTERNET: ggr at qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
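An added example, not code from Greg Rose, from CipherSaber or from the Fluhrer-Mantin-Shamir paper, in Python: it implements RC4 with an optional drop of the first n keystream bytes, a victim that keys RC4 with IV || secret, and the weak-IV first-byte key recovery against that victim, once with nothing dropped and once with 256 bytes dropped. Assumptions made here and not stated on the page: the IV is prepended to the secret (WEP order; CipherSaber appends its IV, and the paper treats the two layouts separately), the IV is 10 bytes long, the attacker can choose IVs and observe the first keystream byte the victim uses, the 5-byte secret is constructed for the demo, and the function names (ksa_partial, weak_ivs, recover_byte, recover_key, make_oracle) are mine. The IV class (n, 255, X...) is the paper's class for this layout, with n = IV length + index of the key byte being recovered.

```python
# Added example (not code from Greg Rose, CipherSaber or the FMS paper).
import random

def ksa_partial(key, steps):
    """First `steps` iterations of the RC4 key schedule. steps=256 is the
    full KSA; the attacker runs only the steps whose key bytes it knows
    (the IV plus the secret-key prefix recovered so far)."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j

def rc4_keystream(key, nbytes, drop=0):
    """Standard RC4 PRGA; the first `drop` output bytes are thrown away."""
    S, _ = ksa_partial(key, 256)
    i = j = 0
    out = bytearray()
    for _ in range(drop + nbytes):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out[drop:])

def rc4_crypt(key, data, drop=0):
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))

IV_LEN = 10  # assumption: a 10-byte IV prepended to the secret (CipherSaber's length, WEP's order)

def make_oracle(secret, drop):
    """The victim: RC4 keyed with iv || secret, exposing the first keystream
    byte it actually uses (byte 1 with drop=0, byte 257 with drop=256)."""
    return lambda iv: rc4_keystream(iv + secret, 1, drop)[0]

def weak_ivs(prefix, count, rng):
    """Attacker-chosen IVs of the form (n, 255, X...), n = IV_LEN + len(prefix).
    KSA steps 0 and 1 then leave S[0] = n and S[1] = 0; the remaining known
    steps are simulated and any IV that disturbs that state is discarded."""
    n = IV_LEN + len(prefix)
    ivs = []
    while len(ivs) < count:
        iv = bytes([n, 255]) + bytes(rng.randrange(256) for _ in range(IV_LEN - 2))
        S, _ = ksa_partial(iv + prefix, n)
        if (S[1] + S[S[1]]) % 256 == n:  # the "resolved" condition still holds
            ivs.append(iv)
    return ivs

def recover_byte(prefix, oracle, ivs):
    """Vote for secret-key byte number len(prefix). When the rest of the KSA
    never touches positions 0, 1 and n (roughly 5% of the time), the first
    output byte equals S[j_n] taken just before step n, and j_n is
    j + S[n] + K[A], so the observed byte can be turned into a guess for K[A]."""
    n = IV_LEN + len(prefix)
    votes = [0] * 256
    for iv in ivs:
        S, j = ksa_partial(iv + prefix, n)
        out = oracle(iv)
        votes[(S.index(out) - j - S[n]) % 256] += 1
    return max(range(256), key=votes.__getitem__)

def recover_key(oracle, key_len, ivs_per_byte=512, seed=1):
    """Recover the secret byte by byte, then confirm it under the attacker's
    model (plain RC4, nothing dropped) on a few random IVs. Returns None when
    the confirmation fails, as it does against a victim that drops output."""
    rng = random.Random(seed)
    prefix = b""
    for _ in range(key_len):
        prefix += bytes([recover_byte(prefix, oracle, weak_ivs(prefix, ivs_per_byte, rng))])
    for _ in range(4):
        iv = bytes(rng.randrange(256) for _ in range(IV_LEN))
        if oracle(iv) != rc4_keystream(iv + prefix, 1)[0]:
            return None
    return prefix

SECRET = bytes.fromhex("8b137fa25c")  # constructed secret key for the demo

if __name__ == "__main__":
    print("drop=0   ->", recover_key(make_oracle(SECRET, 0), len(SECRET)))
    print("drop=256 ->", recover_key(make_oracle(SECRET, 256), len(SECRET)))
```

The vote in recover_byte only works because the attacker knows the first n bytes of the RC4 key and can replay the key schedule that far; discarding 256 output bytes leaves that knowledge intact but takes away the output byte the leak lands in, while deriving the RC4 key from a hash of the secret and the IV, as James suggests, takes away the known prefix instead. The demo exercises only the first-byte leak for the IV-first layout; the paper's other results, including the case where the IV follows the key, are not shown here.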




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com