Science Forum Index » Cryptography Forum » One time pad...
Page 2 of 2
Simon Johnson...
Posted: Wed Jul 23, 2008 7:02 am
Quote: I have to agree with Ertugrul (not that anyone is swayed by my
assessment) that Simon Johnson's response to Unruh seems harsh and add
that his example of "Over tens of gigabytes, the bias in RC4 is
probably sufficient to tell the difference between English and say
Chinese if the plain-text was encoded in Unicode." needs to be
explained with more than jingoistic sloganeering, if Simon would be so
kind.
You may find this thread interesting:
http://groups.google.com/group/sci.crypt/browse_frm/thread/e3b7a5207a393c14/ebb1d2e542600d76
Quote: We're all aware of the bias that occurs around one gigabyte that will
identify the underlying algorithm as RC4.
This is old research, you can actually do in around 30MB.
Quote: Simon's example is quoting single data sets of at least 20 gigabytes
without re-keying and is suggesting that it is possible to distinguish
(at least) the following difference in plaintext of Unicode:
00h xxh 00h xxh 00h xxh 00h xxh... 00h xxh
xxh xxh xxh xxh xxh xxh xxh xxh... xxh xxh
where xx is a value between 00h and FFh, and further with enough
resolution to distinguish Chinese (or Japanese or Korean?) text which
seems like someone needs to hear the phrase "Slow down speed racer..."
I've not run the attack but I have no doubt that it'll work. This
isn't mere speculation, you can demonstrably show it to be the case.
Simon.
Greg Rose...
Posted: Wed Jul 23, 2008 7:18 am
In article <6a80fdf8-6556-4219-afda-c6b8478fc124 at (no spam) k13g2000hse.googlegroups.com>,
<fortune.bruce at (no spam) gmail.com> wrote:
Quote: We're all aware of the bias that occurs around one gigabyte that will
identify the underlying algorithm as RC4.
Simon's example is quoting single data sets of at least 20 gigabytes
without re-keying and is suggesting that it is possible to distinguish
(at least) the following difference in plaintext of Unicode:
Minor correction: the bias exists with or without
rekeying.
I agree with Simon. We shouldn't continue to use
RC4 in new designs. No hurry to take it out of
existing things, though. That's the justification
for keeping it in WPA, compatibility.
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au
Simon Johnson...
Posted: Wed Jul 23, 2008 9:02 am
On Jul 23, 7:40 pm, "Scott Fluhrer" <sfluh... at (no spam) ix.netcom.com> wrote:
Quote: "Simon Johnson" <simon.john... at (no spam) gmail.com> wrote in message
news:5c9a77a6-ff41-4491-acfc-20893dadeac4 at (no spam) 34g2000hsh.googlegroups.com...
I have to agree with Ertugrul (not that anyone is swayed by my
assessment) that Simon Johnson's response to Unruh seems harsh and add
that his example of "Over tens of gigabytes, the bias in RC4 is
probably sufficient to tell the difference between English and say
Chinese if the plain-text was encoded in Unicode." needs to be
explained with more than jingoistic sloganeering, if Simon would be so
kind.
You may find this thread interesting:
http://groups.google.com/group/sci.crypt/browse_frm/thread/e3b7a5207a...
We're all aware of the bias that occurs around one gigabyte that will
identify the underlying algorithm as RC4.
This is old research, you can actually do in around 30MB.
It's news to me, glad to hear it. Do you have a reference?
--
poncho
http://www.cosic.esat.kuleuven.be/publications/article-40.pdf
Simon
...
Posted: Wed Jul 23, 2008 12:51 pm
On Jul 23, 9:50 am, Simon Johnson <simon.john... at (no spam) gmail.com> wrote:
Quote: I really don't think that ciphers have feelings. They have a purpose
and the purpose of RC4 is quite limited, but for its purpose it performs
very well. It is harsh to call RC4 in the context of WPA broken,
because it isn't. It's extremely fast and secure for usage in home
WLANs, even at a massive scale.
It's all a question of personal opinion really. There are use-cases
where using RC4 could leak information that would not be leaked as a
result of using AES.
I do feel as if RC4 gets a free pass sometimes. I'm not sure why,
although I have a suspicion that it's because Rivest invented it.
I feel that if I invented a cipher with such a bad bias it would
(rightly) be dismissed as useless.
Why products continue to use RC4 when so many AES implementations
exist is baffling. RC4 was invented in 1987. The world has moved on
from then. Attacks have moved on from then.
There is no good reason to use this cipher in 2008.
Simon.
Everyone is weighing in and I believe the point is being made
satisfactorily regarding RC4. The scarecrow language is taking a back
seat to a more pragmatic approach.
SJ: "There is no good reason to use this cipher in 2008."
No... there are indeed still some good reasons to use RC4 based on
compatibility and continued security and I think Greg and others have
capsulized those reasons clearly along with more prudent caveats
given.
But it isn't something one should plan in a new design if it can be
avoided, and I think we all can agree on that.
We'll have to agree to differ on the claims made, because frankly, at
this point, you have not given any convincing arguments... rather you
keep pointing to articles that only reaffirm the distinguishing issue
(and also tell how to eliminate the distinguishing characteristics
and make RC4 stronger and faster).
I'm still waiting for a concrete example of being able to tell English
from Chinese in Unicode, and your hunch that you can do it is at this
point, just a hunch unless you can back it up with something like...
well... facts, OK?
RC4 is special, and to me ranks as one of the most elegant algorithms
ever, putting Rivest for that alone in the brilliant category.
But RC4 has lived a productive life and the time for retirement is at
hand.
Thomas Pornin...
Posted: Wed Jul 23, 2008 1:13 pm
According to Greg Rose <ggr at (no spam) nope.ucsd.edu>:
Quote: I agree with Simon. We shouldn't continue to use
RC4 in new designs. No hurry to take it out of
existing things, though. That's the justification
for keeping it in WPA, compatibility.
There are broken cryptosystems. Effective attacks in practical usage
situations can be implemented.
There are robust cryptosystems. No known attack method fares better than
the generic attacks (exhaustive key search, namely).
In between lies the "grey zone" where cryptosystems are not efficiently
broken, but there are known attack methods which, at least from a
theoretical point of view, are more efficient than generic attacks.
These methods are not practical, but are "less impractical" than
exhaustive key search. RC4 is right there.
It is common practice to avoid the grey zone. Academic people use the
term "broken" to designate algorithms in the grey zone. Requiring
algorithms to be part of the "robust" zone can be viewed as keeping a
security margin. It can also be understood as a proof of smartness of
the designer: the algorithm inventor is smart since he could create an
algorithm which avoids even "academic" attacks. Most users of computer
systems are _not_ cryptographers and must have faith in the quality of
the system they use; having an indirect proof that the designer was
smart goes a long way into building that level of trust.
In other words, the natural, responsible and cautious method is to avoid
grey zone algorithms. Deliberately using RC4 would require some
justification (e.g. compatibility with deployed systems), whereas
shunning RC4 does not.
A few remarks:
-- The known biases in RC4 are not its biggest problem. RC4, being a
PRNG, is tricky to use as an encryption system; you have to get right a
huge number of details. If you can get to the point where the biases in
RC4 are a problem, then this means that you got everything else
right, which is good news.
-- If you intend to keep the PRNG model, there are other stream ciphers
which should be considered. They can be observed there:
http://www.ecrypt.eu.org/stream/
They do not suffer from known biases, most of them have no intellectual
property issues (the RC4 algorithm is not encumbered but the name "RC4"
is a trademark), and they yield better performance than RC4. My
favourite would be Sosemanuk, but that's just because I am one of the
designers of that algorithm and I feel very smart indeed.
-- I do not want to suggest that Ron Rivest is not smart, or that I am
smarter than him. Rather, let's say that the 2008 version of Ron Rivest
benefits from 21 years of experience and public research, which the 1987
Ron Rivest did not know of, because of quite understandable reasons of
time flow, physical causality and the very fabric of space-time.
--Thomas Pornin
Ertugrul Söylemez...
Posted: Wed Jul 23, 2008 1:40 pm
Simon Johnson <simon.johnson at (no spam) gmail.com> wrote:
Quote: I really don't think that ciphers have feelings. They have a
purpose and the purpose of RC4 is quite limited, but for its purpose
it performs very well. It is harsh to call RC4 in the context of
WPA broken, because it isn't. It's extremely fast and secure for
usage in home WLANs, even at a massive scale.
It's all a question of personal opinion really. There are use-cases
where using RC4 could leak information that would not be leaked as a
result of using AES.
I do feel as if RC4 gets a free pass sometimes. I'm not sure why,
although I have a suspicion that it's because Rivest invented it.
I feel that if I invented a cipher with such a bad bias it would
(rightly) be dismissed as useless.
Why products continue to use RC4 when so many AES implementations
exist is baffling. RC4 was invented in 1987. The world has moved on
from then. Attacks have moved on from then.
One important strength of RC4 is that it's the simplest and fastest
general purpose stream cipher around. The fact that it exists since
1987 shows that it wasn't completely broken for more than 20 years.
There is a bias and the key schedule is weak. We can work around that.
If you rate a cipher by its age and known attacks only, then you should
be much more worried about RSA, DSA and ElGamal. Lots of attacks are
known, subexponential run-time algorithms are known for breaking them,
quantum computers will defeat them completely, etc, and yet we're still
expanding our PKIs using those.
Quote: There is no good reason to use this cipher in 2008.
It still withstands all attacks, if implemented correctly. And again,
it's blazingly fast, especially compared to AES. But don't worry, we're
already moving towards other ciphers. WEP and WPA are both obsolete and
WPA2 uses AES instead of RC4. Most SSL-capable web browsers prefer AES
over RC4 now, and so on. It takes time to move away from something that
the whole world uses.
Greets,
Ertugrul.
--
nightmare = unsafePerformIO (getWrongWife >>= sex)
Scott Fluhrer...
Posted: Wed Jul 23, 2008 1:40 pm
"Simon Johnson" <simon.johnson at (no spam) gmail.com> wrote in message
news:5c9a77a6-ff41-4491-acfc-20893dadeac4 at (no spam) 34g2000hsh.googlegroups.com...
Quote: I have to agree with Ertugrul (not that anyone is swayed by my
assessment) that Simon Johnson's response to Unruh seems harsh and add
that his example of "Over tens of gigabytes, the bias in RC4 is
probably sufficient to tell the difference between English and say
Chinese if the plain-text was encoded in Unicode." needs to be
explained with more than jingoistic sloganeering, if Simon would be so
kind.
You may find this thread interesting:
http://groups.google.com/group/sci.crypt/browse_frm/thread/e3b7a5207a393c14/ebb1d2e542600d76
We're all aware of the bias that occurs around one gigabyte that will
identify the underlying algorithm as RC4.
This is old research, you can actually do in around 30MB.
It's news to me, glad to hear it. Do you have a reference?
--
poncho
...
Posted: Thu Jul 24, 2008 9:17 am
Simon Johnson wrote:
Quote: It's all a question of personal opinion really. There are use-cases
where using RC4 could leak information that would not be leaked as a
result of using AES.
I do feel as if RC4 gets a free pass sometimes. I'm not sure why,
although I have a suspicion that it's because Rivest invented it.
I feel that if I invented a cipher with such a bad bias it would
(rightly) be dismissed as useless.
Why products continue to use RC4 when so many AES implementations
exist is baffling. RC4 was invented in 1987. The world has moved on
from then. Attacks have moved on from then.
There is no good reason to use this cipher in 2008.
Sure there are. It runs like a bat out of hell. AES is a slug
compared to RC4. There are applications where the data comes
so fast and the processor is so limited that the choice is RC4
or nothing.
Thomas Pornin...
Posted: Thu Jul 24, 2008 9:37 am
According to <me at (no spam) privacy.net>:
Quote: Sure there are. It runs like a bat out of hell. AES is a slug
compared to RC4.
Is it? Have you tried?
Right now, on a basic PC, with OpenSSL (which features carefully optimized
implementations for both RC4 and AES), I get 117 MB/s with RC4 and 93 MB/s
with AES. It takes some creativity to use the term "slug" here...
If you are so much after speed that you cannot tolerate a 20% slower
AES, then you should definitely consider some more recent stream
ciphers, such as those listed by eSTREAM: some of them are more than
twice as fast as RC4. And they seem more robust since no weakness
was found in them so far, contrary to RC4 which has known biases.
--Thomas Pornin
Greg Rose...
Posted: Thu Jul 24, 2008 9:45 am
In article <cJudnQlyid2YEhXV4p2dnAA at (no spam) giganews.com>, <me at (no spam) privacy.net> wrote:
Quote: Sure there are. It runs like a bat out of hell. AES is a slug
compared to RC4. There are applications where the data comes
so fast and the processor is so limited that the choice is RC4
or nothing.
RC4 is not nearly as fast as some of the current
crop of stream ciphers, as others have mentioned.
It also has the twin problems of lots of state
(258 bytes needed, whereas some of the much more
secure eStream candidates use about 256-512
*bits*, about 20%), and the time taken to rekey
for each packet is relatively long partly because
of that state.
SSL is an example where RC4 makes sense.
People are fond of using WEP/WPA as an example of
a good application for RC4 (ignoring for a moment
the problems with WEP). But that's not right, if
you look closely. The packets used are generally
small, so almost all of the effort encrypting the
packets goes into the key setup. WPA2, using AES,
is actually faster and more efficient!
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au
Unruh...
Posted: Fri Jul 25, 2008 1:05 am
fortune.bruce at (no spam) gmail.com writes:
Quote: On Jul 23, 9:50 am, Simon Johnson <simon.john... at (no spam) gmail.com> wrote:
I really don't think that ciphers have feelings. They have a purpose
and the purpose of RC4 is quite limited, but for its purpose it performs
very well. It is harsh to call RC4 in the context of WPA broken,
because it isn't. It's extremely fast and secure for usage in home
WLANs, even at a massive scale.
It's all a question of personal opinion really. There are use-cases
where using RC4 could leak information that would not be leaked as a
result of using AES.
Yes, how much information?
Quote:
I do feel as if RC4 gets a free pass sometimes. I'm not sure why,
although I have a suspicion that it's because Rivest invented it.
It is a very fast and amazingly secure algorithm for that speed.
Quote:
I feel that if I invented a cipher with such a bad bias it would
(rightly) be dismissed as useless.
"Such bad bias" Perhaps you could actually give the figures so people could
figure out how bad they are.
Quote:
Why products continue to use RC4 when so many AES implementations
exist is baffling. RC4 was invented in 1987. The world has moved on
from then. Attacks have moved on from then.
And give examples where the cleartext has been discovered from someone
using RC4.
Quote:
There is no good reason to use this cipher in 2008.
Speed, universality.
Quote:
Simon.
Everyone is weighing in and I believe the point is being made
satisfactorily regarding RC4. The scarecrow language is taking a back
seat to a more pragmatic approach.
SJ: "There is no good reason to use this cipher in 2008."
No... there are indeed still some good reasons to use RC4 based on
compatibility and continued security and I think Greg and others have
capsulized those reasons clearly along with more prudent caveats
given.
But it isn't something one should plan in a new design if it can be
avoided, and I think we all can agree on that.
We'll have to agree to differ on the claims made, because frankly, at
this point, you have not given any convincing arguments... rather you
keep pointing to articles that only reaffirm the distinguishing issue
(and also tell how to eliminate the distinguishing characteristics
and make RC4 stronger and faster).
I'm still waiting for a concrete example of being able to tell English
from Chinese in Unicode, and your hunch that you can do it is at this
point, just a hunch unless you can back it up with something like...
well... facts, OK?
RC4 is special, and to me ranks as one of the most elegant algorithms
ever, putting Rivest for that alone in the brilliant category.
But RC4 has lived a productive life and the time for retirement is at
hand.