Re: Conficker C and Ron Rivest

On 2009-03-25, Paul Rubin wrote:

> Would it help to drop 256+k bytes from the beginning of the keystream
> instead of 256, where k is a secret number derived from the key? That
> would conceal the value of "i" from the attacker, but of course there's
> just 256 possibilities, so the attacker could try them all...

As you note, trying out 2^8 possible values is not much of a
hindrance. In any case, simply counting general digraph frequencies
does not require knowledge of i. Indeed, Fluhrer & McGrew (2001) note

"The irregularities in the digraph distribution that we observed
allow the recovery of n and i parameters [...] if the attacker
happens not to know them."

Personally, I don't find it surprising at all that RC4's output is
biased -- at its core, it's little more than a badly written Knuth
shuffle. What's surprising is that, despite its biases, it has
withstood as much cryptanalysis as it has while still retaining any
semblance of security at all.

Ilmari Karonen
To reply by e-mail, please replace ".invalid" with ".net" in address.
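As an added illustration (not part of the thread or any poster's code), the following script implements RC4 and measures the Mantin-Shamir second-byte bias over constructed random keys, comparing it with a byte past the "drop 256" point; the weaker Fluhrer-McGrew digraph biases the reply refers to need on the order of 2^30 keystream bytes to observe and are not measured here.

```python
"""Added example: measure a positional RC4 keystream bias empirically.

Sample keys are constructed at random from a fixed seed (assumption).
"""
import random


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: a key-driven shuffle of the identity permutation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> list:
    """Return the first n bytes of the PRGA output for `key`."""
    S = rc4_ksa(key)
    out = []
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out


def zero_bias(positions=(2, 258), keys=20000, seed=1) -> dict:
    """For each 1-based keystream position, return P(byte == 0) * 256.

    A uniform keystream gives ~1.0. Mantin & Shamir (2001) showed the
    second output byte is 0 about twice as often (~2.0), one reason the
    start of the keystream is discarded ("drop 256"). Position 258 is
    measured for comparison: past the drop this particular bias is gone.
    The Fluhrer-McGrew digraph biases are ~1/256 in relative size and
    need ~2^30 output bytes to detect, so they are not measured here."""
    rng = random.Random(seed)  # constructed sample keys, fixed seed
    longest = max(positions)
    zeros = {p: 0 for p in positions}
    for _ in range(keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, longest)
        for p in positions:
            zeros[p] += ks[p - 1] == 0
    return {p: zeros[p] * 256 / keys for p in positions}


if __name__ == "__main__":
    for pos, ratio in zero_bias().items():
        print(f"keystream byte {pos}: P(0) * 256 = {ratio:.2f}")
```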