Re: Conficker C and Ron Rivest

On 2009-03-25, Paul Rubin wrote:

> Would it help to drop 256+k bytes from the beginning of the keystream
> instead of 256, where k is a secret number derived from the key? That
> would conceal the value of "i" from the attacker, but of course there's
> just 256 possibilities, so the attacker could try them all...

As you note, trying out 2^8 possible values is not much of a
hindrance. In any case, simply counting general digraph frequencies
does not require knowledge of i. Indeed, Fluhrer & McGrew (2001) note
that:

"The irregularities in the digraph distribution that we observed
allow the recovery of n and i parameters [...] if the attacker
happens not to know them."

Personally, I don't find it surprising at all that RC4's output is
biased -- at its core, it's little more than a badly written Knuth
shuffle. What's surprising is that, despite its biases, it has
withstood as much cryptanalysis as it has while still retaining any
semblance of security at all.

--
Ilmari Karonen
To reply by e-mail, please replace ".invalid" with ".net" in address.
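To make the "drop the first n keystream bytes" idea concrete, here is a small added example (not code from either poster). It implements RC4 with a drop parameter and measures one of the well-known prefix biases, the Mantin-Shamir result that the second keystream byte is 0 with probability about 2/256 instead of 1/256, over a reproducible sample of random keys. The keys and the trial count are constructed for the demonstration; the 9-byte keystream check uses the standard public test vector for the key "Key". The Fluhrer-McGrew digraph biases discussed above are much weaker (relative deviations on the order of 1/256) and need on the order of 2^30 keystream bytes to detect, so they are not measured here; the point the example does show is that discarding a prefix removes the byte-position biases but changes nothing about the digraph statistics of the remaining output, which do not depend on knowing where the cut was made.

```python
import random


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n RC4 keystream bytes for `key`, discarding the first `drop` bytes."""
    # KSA: a key-driven shuffle of 0..255 (the part of RC4 that is essentially a
    # Knuth shuffle with a key-dependent, non-uniform choice of swap partner).
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: keep swapping and emit S[S[i] + S[j]]; the first `drop` outputs are thrown away.
    out = bytearray()
    i = j = 0
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_rate(trials: int, drop: int = 0, seed: int = 1) -> float:
    """Fraction of random keys whose second visible keystream byte is 0.

    With drop=0 this is the Mantin-Shamir bias (about 2/256); with a large drop
    the second visible byte is a later output and the rate falls back to about 1/256.
    """
    rng = random.Random(seed)  # constructed, reproducible sample of 16-byte keys
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    # Standard test vector: key "Key" -> keystream EB 9F 77 81 B7 34 CA 72 A7 ...
    print(rc4_keystream(b"Key", 9).hex())  # eb9f7781b734ca72a7
    print(second_byte_zero_rate(20000))  # roughly 2/256 = 0.0078, not 1/256 = 0.0039
    print(second_byte_zero_rate(20000, drop=256))  # roughly 1/256: the prefix bias is gone
```

The two rates come from the same key sample, so the only difference between them is the discarded prefix; a defender auditing a legacy RC4 deployment can use the same harness to confirm which byte positions of a given configuration still carry a measurable bias.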