RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms
I thought also that RC4 was not a restartable (seekable?) stream cipher and
thus cannot tolerate lost or out of order packets unless special steps were
taken (re-gen the key schedule for each packet?).
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com]On Behalf Of Russ Housley
> Sent: Monday, June 16, 2003 1:46 PM
> To: firstname.lastname@example.org; 'Henry Spencer'
> Cc: 'IP Security List'
> Subject: RE: Editorial: Use of MAY in
> WEP causes a problem from RC4 because it "publishes" the first 24 bits
> of the key. The RC4 key schedule is not robust enough to deal with part
> of its input being disclosed. If RC4 is used in a system where none of
> the keying material is disclosed, as is the case with TLS, then it holds
> up just fine.
> In ESP, the use of RC4 would require special handling to avoid WEP-like
> issues. I do not believe that anyone has written a specification for
> RC4 and ESP.
> > -----Original Message-----
> > From: email@example.com
> > On Behalf Of Bill Sommerfeld
> > Sent: Monday, June 16, 2003 11:57 AM
> > To: Henry Spencer
> > Cc: IP Security List
> > Subject: Re: Editorial: Use of MAY in
> > > Correct. The cipher is RC4, which is (last I heard) still thought
> > > to be okay.
> > Okay, but not great.
> > RC4 is a stream cipher which comes with additional special handling
> > recommendations ("For best results, discard first N bytes of output
> > after keying").
> > > The problem is that WEP generates keys by a distinctly non-random
> > > process which produces many closely-related keys, and nobody thought
> > > to ask whether this was a weakness. It is.
> > The WEP related-key attacks exploit the first-byte weaknesses of RC4.
> > - Bill