IP: RE: Wired: Wireless Networks in Big Trouble

[David Farber <dave () farber net>]

> Sender: perry () snark piermont com
> From: "Perry E. Metzger" <perry () wasabisystems com>
> To: farber () cis upenn edu
> Subject: Re: IP: RE: Wired: Wireless Networks in Big Trouble
> Date: 25 Aug 2001 11:47:37 -0400
> Lines: 53
> X-Mailer: Gnus v5.7/Emacs 20.7
>
>
> [FYI, Dave, in addition to running the cryptography mailing list, I
> teach cryptography at Stevens every spring, not that that makes me a
> cryptographer -- just well informed...]
>
> > > From: "Young, Mike" <myoung () rsasecurity com>
> > >
> > > Some people have been spreading the rumour that since WEP is not 
> secure, RC4
> > > ( the underlying symmetric encryption algorithm, is not secure 
> either). WEP
> > > is a poorly implemented solution using RSA patented and trade secret
> > > algorithms, key material is sent lightly encryption and re-used, which is
>
> 1) RC4 is not patented. It never was patented by RSA. If Mr. Young
>    wishes to demonstrate where I am wrong here, he should state the
>    patent number (which does not exist.)
> 2) RC4 cannot possibly be thought of as a trade secret any longer by
>    any stretch of the imagination. It was leaked to the public many
>    years ago and is published at this point in text books.
>
> By the way, that which is patented cannot be a trade secret, and vice
> versa, for obvious reasons. RC4 was originally a trade secret, but
> that secret is now long gone. At best, the name RC4 itself might be a
> trademark of RSA, but I suspect at this point lack of rigorous
> enforcement would make even that unlikely.
>
> 3) RC4 itself has very serious security issues explained in the
>    paper on WEP security. In particular, bits of keying material are
>    leaked out in the first 256 bytes of stream output with high
>    probability. RC4 is also subject to related key attacks as a result
>    of this and other properties. RC4 itself is not blameless in this
>    instance. If RC4 had been a bit less brittle, fairly innocent
>    misuse of it such as was done in WEP would not have been nearly as
>    catastrophic. Had other stream ciphers been used in RC4s place, the
>    attack may not have been present.
>
> I would avoid using RC4 in new designs -- it is too easy to make
> mistakes with and it certainly leaks keying material as numerous
> papers have explained. At the very least, users of RC4 have to throw
> away a bunch of the initial key stream to gain some safety.
>
> I have no doubt that Ron Rivest is a brilliant cryptographer and I
> always enjoy reading information on his latest neat designs. He's
> certainly a much smarter man than I am. RC6 is, for instance, a really
> cool looking block cipher and astonishingly simple. RC4 is also a
> really cool looking stream cipher. However, that doesn't mean that RC4
> is safe to use in new designs. It likely is not. The academic papers
> are simple enough to understand that even I can understand them and
> see the problems.
>
> --
> Perry E. Metzger                perry () wasabisystems com
> --
> NetBSD Development, Support & CDs. http://www.wasabisystems.com/



For archives see: http://www.interesting-people.org/