Re: Conficker C and Ron Rivest
- From: Ilmari Karonen <usenet2@xxxxxxxxxxxxxx>
- Date: 25 Mar 2009 17:32:05 GMT
On 2009-03-25, Paul Rubin wrote:
> Would it help to drop 256+k bytes from the beginning of the keystream
> instead of 256, where k is a secret number derived from the key? That
> would conceal the value of "i" from the attacker, but of course there's
> just 256 possibilities, so the attacker could try them all...
As you note, trying out 2^8 possible values is not much of a
hindrance. In any case, simply counting general digraph frequencies
does not require knowledge of i. Indeed, Fluhrer & McGrew (2001) note
that:
"The irregularities in the digraph distribution that we observed
allow the recovery of n and i parameters [...] if the attacker
happens not to know them."
Personally, I don't find it surprising at all that RC4's output is
biased -- at its core, it's little more than a badly written Knuth
shuffle. What's surprising is that, despite its biases, it has
withstood as much cryptanalysis as it has while still retaining any
semblance of security at all.
--
Ilmari Karonen
To reply by e-mail, please replace ".invalid" with ".net" in address.
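
The "badly written Knuth shuffle" remark can be checked by enumeration; the following is an added example, not part of the original post. It assumes the remark refers to RC4 swapping S[i] with an index taken from the whole array, and it uses a reduced 4-entry state (real RC4 uses 256) so that every key can be tried.

```python
from collections import Counter
from itertools import product

N = 4  # assumption: reduced state size so all N**N keys can be enumerated


def rc4_ksa(key, n=N):
    """RC4 key schedule on an n-entry state: S[i] is swapped with S[j], j anywhere in 0..n-1."""
    s = list(range(n))
    j = 0
    for i in range(n):
        j = (j + s[i] + key[i % len(key)]) % n
        s[i], s[j] = s[j], s[i]
    return tuple(s)


def knuth_shuffle(choices, n=N):
    """Knuth (Fisher-Yates) shuffle with explicit choices: S[i] is swapped only with S[j], j >= i."""
    s = list(range(n))
    for i, j in enumerate(choices):
        s[i], s[j] = s[j], s[i]
    return tuple(s)


def ksa_distribution(n=N):
    """Count the state produced by every possible n-byte key (n**n keys)."""
    return Counter(rc4_ksa(key, n) for key in product(range(n), repeat=n))


def knuth_distribution(n=N):
    """Count the state produced by every possible sequence of Knuth choices (n! sequences)."""
    ranges = [range(i, n) for i in range(n)]
    return Counter(knuth_shuffle(c, n) for c in product(*ranges))


if __name__ == "__main__":
    ksa, knuth = ksa_distribution(), knuth_distribution()
    print("Knuth shuffle, min/max keys per permutation:", min(knuth.values()), max(knuth.values()))
    print("RC4 KSA,       min/max keys per permutation:", min(ksa.values()), max(ksa.values()))
    for perm, count in ksa.most_common(3):
        print("  most likely KSA state", perm, "from", count, "of", N ** N, "keys")
```

The Knuth shuffle has exactly n! choice sequences, one per permutation, while the key schedule spreads n**n equally likely keys over at most n! states, so its initial state cannot be uniform.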