In article
<1117723009(_dot_)44321(_dot_)3229(_dot_)camel(_at_)unknown(_dot_)hamachi(_dot_)org>
you write:
On Wed, 2005-06-01 at 15:48, Sam Hartman wrote:
That's what I thought too. However that seems to be false. The one
reference currently in the security considerations section is for an
attack to distinguish an RC4 stream from a random stream.
A critical parameter to such attacks is the amount of keystream required
under a single key before the attack becomes feasible.
Assuming I've read it correctly, the most recent paper I've found on the
topic mentions a threshold of 2^24 bytes if you don't discard the start
of the keystream, and 2^32 if you discard the first 256 bytes.
As the sshv2 protocol allows for either party to trigger a rekey of both
directions of the communication, it certainly seems like a cautionary
note to set rekey thresholds appropriately would be in order.
I don't believe that rekeying is sufficient, which is why the draft doesn't
recommend it. The distinguisher relies on the non-uniform distribution of
digraphs in all RC4 keystreams, so if it needs to it can work on two bytes
from each of 2^32 separate keystreams. I think (and I'd be happy for a
crytographer to contradict me here) this means that if you encrypt the same
thing (e.g. an SSH password packet) 2^32 times under different RC4 keys, an
attacker can deduce one bit of information about it, or more accurately one
bit of information per digraph.
--
Ben Harris
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf