From: fc@all.net (Dr. Frederick B. Cohen)
To: stewarts@ix.netcom.com (Bill Stewart)
Message Hash: 1759525e50741f0b3c20609d527f8f6497495a07ef89dfa1cb1a7b8f1ddcb397
Message ID: <9509301040.AA02608@all.net>
Reply To: <199509291716.KAA06460@ix8.ix.netcom.com>
UTC Datetime: 1995-09-30 10:42:15 UTC
Raw Date: Sat, 30 Sep 95 03:42:15 PDT
Subject: Re: Cryptanalysis of RC4 - Preliminary Results (Repeat)
...
> >The attack is based on two particularly interesting three-byte key
> >prefixes which have a high probability of producing PRNG sequences
> >which start with a known two-byte sequence. The prefixes are:
> >1. Keys starting with "00 00 FD" which have a 14% probability of
> > generating sequences which start "00 00".
> >2. Keys starting with "03 FD FC" which have a 5% probability of
> > generating sequences which start "FF 03".
> [much interesting work deleted]
>
> It sounds like any application using RC4 with random session keys
> should start by testing session keys and rejecting any that
> start with 00 00 or 03 FD; it means doing 2**-15 more random key
> generations, and reducing the brute-force space by 2**-15,
> but it's a pretty small reduction.
The problem is that if these keys are weak, there may be many others
that are also weak. In fact, by the time we explore all of the
weaknesses, we may find the system is no longer very strong at all.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
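
An added example, not code from the thread or its participants: it measures the two prefix biases quoted above on randomly completed keys and applies the two-byte key screen suggested in the reply. The 16-byte key length, the fixed seed and the extra prefix `10 F0 20` are assumptions made for illustration; that last prefix goes beyond the thread and shows a key that passes the screen while its first keystream byte is still biased.

```python
import random

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key schedule (KSA), then n bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Key prefix -> keystream start, as quoted in the thread.
QUOTED = {bytes.fromhex("0000fd"): bytes.fromhex("0000"),
          bytes.fromhex("03fdfc"): bytes.fromhex("ff03")}
# Two-byte prefixes the reply proposes rejecting.
SCREEN = (bytes.fromhex("0000"), bytes.fromhex("03fd"))

def rejected_by_screen(key: bytes) -> bool:
    """True if a session key would be thrown away by the proposed screen."""
    return key.startswith(SCREEN)

def hit_rate(prefix, expected, trials=3000, key_len=16, seed=1995):
    """Fraction of keys with `prefix` whose keystream starts with `expected`."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable sample
    hits = 0
    for _ in range(trials):
        key = prefix + bytes(rng.randrange(256) for _ in range(key_len - len(prefix)))
        hits += rc4_keystream(key, len(expected)) == expected
    return hits / trials

if __name__ == "__main__":
    for prefix, expected in QUOTED.items():
        print(prefix.hex(), "->", expected.hex(), hit_rate(prefix, expected))
    # Constructed prefix (assumption): first two bytes sum to 0 mod 256.
    other = bytes.fromhex("10f020")
    print(other.hex(), rejected_by_screen(other), hit_rate(other, b"\x23"))
```

For comparison, an unbiased generator would produce a given two-byte start at a rate of about 2**-16 and a given first byte at about 2**-8.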