From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: 7eaea521ca3d98582b6cc35cea9ea66e35e608c22d2183186236c362fe0add12
Message ID: <199608010603.XAA19276@toad.com>
Reply To: N/A
UTC Datetime: 1996-08-01 08:32:51 UTC
Raw Date: Thu, 1 Aug 1996 16:32:51 +0800
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Thu, 1 Aug 1996 16:32:51 +0800
To: cypherpunks@toad.com
Subject: Cracking RC4/40 for massive wiretapps
Message-ID: <199608010603.XAA19276@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
At 11:13 AM 7/30/96 -0700, frantz@netcom.com (Bill Frantz) mused paranoidly:
>I combine the above with Whit Diffie's observation that, while crypto users
>are interested in the security of *each* message, organizations which
>monitor communications want to read *every* message. A TLA interested in
>monitoring communications would need to crack RC4-40 much faster than
>1/week.
When we discussed using FPGA machines to crack RC4/40 last year,
someone calculated the cost of cracking a message at 8 cents
if you're doing enough to amortize your machine, and Eric had designed
a system that should be able to crack it in about 15 minutes for $25-50K.
The two basic search approaches are to take a cyphertext and decrypt it
trying many keys to see if you get a likely plaintext, or to take known
plaintext and encrypt with many keys to see if you match the cyphertext.
But those designs are for one-at-a-time cracks. An interesting question
is whether you can speed up performance substantially by cracking
multiple messages at once. For instance, if you've got known plaintext,
such as a standard header format saying "FooVoice" or "BEGIN DSA-SIGNED..",
you can try many keys and compare them with _many_ cyphertexts,
which may not slow down the FPGA very much. Also, even for
unknown-plaintext, since key scheduling is a relatively slow part of RC4/40,
you can split the key-schedule and the block-encryption phases, feeding
one keyschedule output to multiple decrypt-and-compare sessions in parallel.
So the cost per victim of cracking many sessions may be much lower.
>Now expensive specialized cracking equipment can certainly speed up the
>process, but there may be a better way. If cryptanalysis of RC4 yields
>techniques which make the process much easier, then it is the ideal cypher
>to certify for export.
>The paranoid conclusion is that there is a significant weakness in RC4.
Just keeping the key length down to 40 bits on a fast cypher is a good start.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# <A HREF="http://idiom.com/~wcs">
# Dispel Authority!
Return to August 1996
Return to “daw@cs.berkeley.edu (David Wagner)”