In article
<Pine(_dot_)LNX(_dot_)4(_dot_)62(_dot_)0506020227100(_dot_)27968(_at_)sokol(_dot_)elan(_dot_)net>
you write:
On Wed, 1 Jun 2005, Keith Moore wrote:
The argument in favor of publishing this document at proposed is that
the existing arcfour cipher is part of a standard and that many other
IETF protocols use rc4 in standards track documents.
previous mistakes are not valid justifications for new mistakes.
previous accidents are not valid justifications for deliberately weakening
new products.
Keith,
I think you're right in general. But in this specific case its not a
"new product". SSH already uses RC4, the change is increasing size
of key that maybe used.
That's not the only change. The important aspect of my draft is that it
requires discarding the first 1536 bytes of RC4 keystream. Apparently RSA
Security have always recommended discarding the start of the keystream, but
SSH (and TLS, for that matter) has ignored this recommendation. The
addition of support for 256-bit keys was just my taking an opportunity to
bring RC4 into line with the rest of SSH, and to give us a little more
security headroom against any remaining attacks on the key schedule.
--
Ben Harris
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf