Re: RC4 broken?

From: Gregory G Rose (ggr@qualcomm.com)
Date: 02/02/03


From: ggr@qualcomm.com (Gregory G Rose)
Date: 2 Feb 2003 00:29:37 -0800

In article <1044159654.56462@teuthos>, cafe <a@b.c.d> wrote:
>every known attack. On July 25, 2001 a method was found to crack RC4, but
>only if about a million separate plaintext messages are encrypted with the
>same secret key, and the method fails if two iterations of RC4 are used.
>(Twenty iterations is probably overkill, but considering the speed at which
>RC4 runs, it doesn't hurt.) Few encryption algorithms have had the intense
>scrutiny that RC4 has, and until July of 2001 was considered to be a very
>strong cipher."
>
>Can someone explain to me, what he is referring to? I know that with RC4,
>only *two* messages encrypted with the same secret key, are sufficient to
>break all other messages encrypted with that key. As I understand it, that
>is a protocol error - not a break in the cipher. What's with the "million"?
>What am I missing?

The result they're referring to was the paper by
Fluhrer, Mantin and Shamir in Selected Areas in
Cryptography, 2001. It had been known for a long
time that the first few bytes output by RC4 were
biased in a key-dependent fashion. This result
showed that if you keyed RC4 with the
concatenation of an "initialisation vector" and
the secret key (in either order) the secret key
could be recovered with ~1M known plaintexts. This
completely breaks 802.11 WEP because the first
bytes of encrypted packets are pretty much known.

In that quote, I don't understand what they're
talking about "two iterations"... I think that
depended on the context of the quote.

You should be able to turn up the FMS paper on the
web.

Greg.

-- 
Greg Rose                                       INTERNET: ggr@qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/ 
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
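
The key-dependent bias in RC4's first output byte that the reply above refers to can be measured directly. The following is an added illustration, not part of the original post: it keys RC4 with IV || secret and counts how often the public IV plus the first keystream byte reveal the first secret byte, for the (3, 255, X) IV family analysed in the FMS paper versus an arbitrary control family. The function names, the constructed 13-byte random keys and the control IV family are assumptions made for this example.

```python
import random

def ksa(key, rounds=256):
    """RC4 key schedule, stopped after `rounds` steps; returns (S, j)."""
    S, j = list(range(256)), 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j

def first_output_byte(key):
    """First keystream byte of RC4 under `key` (one PRGA step)."""
    S, _ = ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % 256]

def fms_guess(iv, out):
    """Guess secret byte 0 from the 3-byte IV (replays KSA steps 0..2) and `out`."""
    S, j = ksa(iv, rounds=3)
    return (S.index(out) - j - S[3]) % 256

def hit_rate(make_iv, n_keys=20, seed=1):
    """Fraction of (key, IV) pairs where fms_guess equals the real key byte."""
    rng = random.Random(seed)  # constructed test keys, not real traffic
    hits = total = 0
    for _ in range(n_keys):
        secret = bytes(rng.randrange(256) for _ in range(13))  # 104-bit key
        for x in range(256):
            iv = make_iv(x)
            out = first_output_byte(iv + secret)  # RC4 keyed with IV || secret
            hits += fms_guess(iv, out) == secret[0]
            total += 1
    return hits / total

def weak_iv(x):      # the (3, 255, X) family from the FMS analysis
    return bytes([3, 255, x])

def ordinary_iv(x):  # arbitrary control family (assumption for comparison)
    return bytes([x, 17, 99])

if __name__ == "__main__":
    print("weak IVs    :", hit_rate(weak_iv))
    print("ordinary IVs:", hit_rate(ordinary_iv))
    print("chance      :", 1 / 256)
```

A guess that is right far more often than 1 in 256 for one IV family is why enough packets with known first plaintext bytes suffice to vote out each key byte, and why per-packet keys built by concatenating an IV with a fixed secret are unsafe with RC4.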

