1996-08-01 - Re: Cracking RC4/40 for massive wiretapps

Header Data

From: daw@cs.berkeley.edu (David Wagner)
To: cypherpunks@toad.com
Message Hash: 098b053de97202e93a1ec7257c50ae80263c251b1436897da3485180c5d8ba49
Message ID: <4tq268$nsk@joseph.cs.berkeley.edu>
Reply To: <199608010603.XAA19276@toad.com>
UTC Datetime: 1996-08-01 13:51:02 UTC
Raw Date: Thu, 1 Aug 1996 21:51:02 +0800

Raw message

From: daw@cs.berkeley.edu (David Wagner)
Date: Thu, 1 Aug 1996 21:51:02 +0800
To: cypherpunks@toad.com
Subject: Re: Cracking RC4/40 for massive wiretapps
In-Reply-To: <199608010603.XAA19276@toad.com>
Message-ID: <4tq268$nsk@joseph.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


In article <199608010603.XAA19276@toad.com>,
Bill Stewart  <stewarts@ix.netcom.com> wrote:
> When we discussed using FPGA machines to crack RC4/40 last year,
> someone calculated the cost of cracking a message at 8 cents

That was the keylength paper.  I think their estimate is way off.

But that's ok-- I do so like the ring of ``8-cent encryption'', even
if I think the derivation is technically dubious :-)

> is whether you can speed up performance substantially by cracking
> multiple messages at once.  For instance, if you've got known plaintext,
> such as a standard header format saying "FooVoice" or "BEGIN DSA-SIGNED..",
> you can try many keys and compare them with _many_ cyphertexts,

Not with SSL.

SSL uses a random 88-bit salt which is different for every session.
This attack doesn't work.  Fun to think about, though, eh? :-)

[ Unsalted 40-bit RC4 is super-dangerous, and there are all sorts of
nasty games one can play with it.  That's why you should avoid it. ]

>                                              Also, even for
> unknown-plaintext, since key scheduling is a relatively slow part of RC4/40,
> you can split the key-schedule and the block-encryption phases, feeding
> one keyschedule output to multiple decrypt-and-compare sessions in parallel.
> So the cost per victim of cracking many sessions may be much lower.

Same deal.


Keep those ideas flowing-- one of 'em is bound to work.
-- Dave Wagner
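
Added example, not part of the original message: a toy model of why a per-session salt removes the batch known-plaintext saving discussed above, by counting key schedules needed with and without a salt. It assumes a 10-bit secret in place of 40 bits and a simplified key (salt concatenated with secret), which is not SSL's actual key derivation; all function names and sample sessions are constructed for illustration.

```python
import random

SECRET_BITS = 10          # toy stand-in for the 40 secret bits, so this runs in seconds
SALT_BYTES = 11           # 88-bit per-session salt, sent in the clear
HEADER = b"FooVoice"      # known plaintext at the start of every message

def rc4_keystream(key: bytes, n: int) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                      # key schedule
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def encrypt_header(salt: bytes, secret: int) -> bytes:
    # Simplified model (assumption): RC4 key = public salt || secret bits.
    ks = rc4_keystream(salt + secret.to_bytes(2, "big"), len(HEADER))
    return bytes(p ^ k for p, k in zip(HEADER, ks))

def make_sessions(n: int, salted: bool, rng: random.Random):
    secrets, sessions = [], []
    for _ in range(n):
        salt = bytes(rng.randrange(256) for _ in range(SALT_BYTES)) if salted else b""
        secrets.append(rng.randrange(1 << SECRET_BITS))
        sessions.append((salt, encrypt_header(salt, secrets[-1])))
    return secrets, sessions

def search_cost(sessions):
    """Exhaust the secret space; one key schedule serves every session sharing a salt."""
    groups = {}
    for idx, (salt, ct) in enumerate(sessions):
        groups.setdefault(salt, []).append((idx, ct))
    found, key_setups = {}, 0
    for salt, group in groups.items():
        for guess in range(1 << SECRET_BITS):
            key_setups += 1                   # one RC4 key schedule per trial key
            trial = encrypt_header(salt, guess)
            for idx, ct in group:
                if ct == trial:
                    found[idx] = guess
    return [found.get(i) for i in range(len(sessions))], key_setups

if __name__ == "__main__":
    rng = random.Random(1996)                 # constructed sample sessions
    for salted in (False, True):
        secrets, sessions = make_sessions(4, salted, rng)
        found, cost = search_cost(sessions)
        print(f"salted={salted}: all recovered={found == secrets}, key setups={cost}")
```

Without a salt the work is one pass over the secret space regardless of how many sessions are captured; with distinct salts it is one full pass per session.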




