From: JMKELSEY@delphi.com
Date: Fri, 18 Aug 95 19:42:20 PDT
To: cypherpunks@toad.com
Subject: Time-memory tradeoff in SSL's RC4 code?
Message-ID: <01HU8H23AHQQ8ZJ4DW@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

>Date: Thu, 17 Aug 1995 08:32:56 -0400
>From: "Perry E. Metzger" <perry@piermont.com>
>Subject: Re: SSL challenge -- broken !

>It has occured to me that, because the RC4 key crackers spend most of
>their time in key setup, you can crack N SSL sessions that you
>captured in not substantially more time than it took to crack 1. This
>is analagous to the way brute force Unix password file hacking operates.

This would work with straight 40-bit keys, but I believe SSL uses
128-bit keys, and then intentionally leaks 88 bits to comply with
export requirements, to prevent this kind of attack from working.

>Perry

   --John Kelsey, jmkelsey@delphi.com
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMDVGXUHx57Ag8goBAQFyUQP7B7fhKc8AqpcHnQ09ip5gOfy5QMCtGImB
f1Y9lZtAmLFwOIkrfdaL2vCWJKIKc7yg8+FwtmX6Q8yYWH4TdE5eWOGIKSfl5Q8f
etVgF2B49T5Lxxb02ah5cHfO8baOqQOTMkvzQ9bj0XVqAItPoPjDTCOAAegwKZ3V
6L+kZQn89lY=
=KkAX
-----END PGP SIGNATURE-----