RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms

["Russ Housley" <housley@vigilsec.com>]

WEP causes a problem from RC4 because it "publishes" the first 24 bits
of the key.  The RC4 key schedule is not robust enough to deal with part
of its input being disclosed.  If RC4 is used in a system where none of
the keying material is disclosed, as is the case with TLS, then it holds
up just fine.

In ESP, the use of RC4 would require special handling to avoid WEP-like
issues.  I do not believe that anyone has written a specification for
RC4 and ESP.

Russ


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Bill Sommerfeld
> Sent: Monday, June 16, 2003 11:57 AM
> To: Henry Spencer
> Cc: IP Security List
> Subject: Re: Editorial: Use of MAY in
draft-ietf-ipsec-ikev2-algorithms
> 
> > Correct.  The cipher is RC4, which is (last I heard) still thought
to be
> > okay.
> 
> Okay, but not great.
> 
> RC4 is a stream cipher which comes with additional special handling
> recommendations ("For best results, discard first N bytes of output
> after keying").
> 
> > The problem is that WEP generates keys by a distinctly non-random
> > process which produces many closely-related keys, and nobody thought
to
> > ask whether this was a weakness.  It is.
> 
> The WEP related-key attacks exploit the first-byte weaknesses of RC4.
> 
> 					- Bill