[191] in cryptography@c2.net mail archive
Re: 40-bit rc2/4
daemon@ATHENA.MIT.EDU (Ian Goldberg)
Fri Feb 7 15:24:34 1997
To: cryptography@c2.net
From: ian@cypherpunks.ca (Ian Goldberg)
Date: 7 Feb 1997 19:12:32 GMT
-----BEGIN PGP SIGNED MESSAGE-----
In article <v03007804af1fbcb63ed9@[10.0.2.15]>,
Arnold G. Reinhold <reinhold@world.std.com> wrote:
>>At 01:32 PM 2/5/97 -0800, Steve Reid wrote:
>>>I don't know about RC2, but implementing an RC4 cracker in hardware is
>>>said to not work very well (compared to DES, for example) because the
>>>algorithm was designed to be efficient in software.
>>
>>It is my understanding that the authors of the RC4-in-hardware paper didn't
>>have enough chip real estate to effectively work on RC4. I doubt the NSA
>>has a similar problem.
>>
>>
>
>A while ago, I did a back-of-the envelope design of a hardware N/128-bit
>RC4 cracker using the same ASIC cells that Michael Wiener employed in his
>paper, "Efficient DES Key Search." N/128-bit RC4 means RC4 with a 128 bit
>random key, all but N bits of which are revealed. 40/128-bit RC4 is used in
>SSL, for example. True 40 bit RC4 is MUCH weaker since you can test many
>cipher text/plain text pairs for each key setup. True 40 bit RC4 is also
>subject to code-book attack -- in milliseconds -- with a large, dedicated
>disk farm (10,000 Gigabytes).
But reality is even a little bit harsher. The most popular implementation
of RC4 (SSL) doesn't even use a plain 40/128 method. The key is obtained
by constructing a 128-bit string, of which 88 bits are sent in the clear
(salt) and 40 bits are secret, and _then doing an MD5 on that string_.
The resulting 128-bit MD5 output is used as the key for RC4.
- Ian
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMvt+mUZRiTErSPb1AQFaBgP/X6PpiFM3q4ynDwzK2POCKR3pcLifCr5+
QSKETLrF+j9+Q+Qwd3c6wYVKOWanyQUUC/FjmZIKrQlEeMc7PSpV5tRB37QH9Kv0
arKdKg+Hx48K518dGYaQn2jsTNemkASIzK2ik127IlGBAr2foX0Umif7yvspCCgS
ak49WDZvnN0=
=GvMi
-----END PGP SIGNATURE-----
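Worked example, added here and not part of Ian Goldberg's or Arnold Reinhold's messages (nor any SSL implementation's code): it models the derivation Ian describes, a 128-bit string of 88 clear salt bits followed by 40 secret bits, hashed with MD5, with the digest used as the RC4 key, and contrasts it with Arnold's "true 40-bit RC4" where the secret is the RC4 key itself. The 11-byte/5-byte split, the order salt-then-secret, the known-plaintext prefix and all sample keys and data are constructed assumptions for illustration; the search runs over a reduced secret space (only the last two secret bytes unknown) because a full 2^40 search is not something to run in pure Python.

```python
"""Model of the export-RC4 key derivation described in the thread above.
Added example: byte layout (salt || secret), 11/5-byte split and all inputs
are assumptions, not taken from any SSL specification or implementation."""
import hashlib


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute 0..255 under `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes for `key` (KSA followed by PRGA)."""
    S = rc4_ksa(key)
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


SALT_BYTES = 11    # 88 bits sent in the clear
SECRET_BYTES = 5   # 40 bits kept secret


def derive_rc4_key(salt: bytes, secret: bytes) -> bytes:
    """128-bit string = salt (88 bits) || secret (40 bits); RC4 key = MD5 of it.
    The salt is per connection, so the same 40-bit secret yields a different
    RC4 key each time: nothing about the RC4 key can be precomputed from
    the secret alone."""
    if len(salt) != SALT_BYTES or len(secret) != SECRET_BYTES:
        raise ValueError("need an 11-byte salt and a 5-byte secret")
    return hashlib.md5(salt + secret).digest()


def recover_secret(salt: bytes, known_pt: bytes, ct: bytes, known_prefix: bytes):
    """Known-plaintext search over the secret bytes not in `known_prefix`.
    Every candidate costs one MD5 plus one full RC4 key setup, and the work
    is specific to this salt.  Returns the secret or None."""
    unknown = SECRET_BYTES - len(known_prefix)
    n = len(known_pt)
    for tail in range(256 ** unknown):
        secret = known_prefix + tail.to_bytes(unknown, "big")
        if rc4_crypt(derive_rc4_key(salt, secret), ct[:n]) == known_pt:
            return secret
    return None


def build_codebook(secrets, n: int = 8) -> dict:
    """'True 40-bit RC4': the secret is the RC4 key directly, so one table of
    (first n keystream bytes -> key) built once serves every later session.
    Built here over a handful of constructed keys rather than all 2^40."""
    return {rc4_keystream(s, n): s for s in secrets}


def codebook_lookup(book: dict, known_pt: bytes, ct: bytes):
    """One XOR and one dictionary probe per session, no key setup at all."""
    n = len(known_pt)
    ks = bytes(a ^ b for a, b in zip(known_pt, ct[:n]))
    return book.get(ks)


# Constructed sample inputs (not real traffic).
SALT = bytes(range(11))
SECRET = b"\x40\x41\x42\x12\x34"
PLAINTEXT = b"GET / HTTP/1.0\r\n"


if __name__ == "__main__":
    ct = rc4_crypt(derive_rc4_key(SALT, SECRET), PLAINTEXT)
    print("recovered secret:", recover_secret(SALT, PLAINTEXT[:8], ct, SECRET[:3]).hex())
    book = build_codebook([b"\x00\x00\x00\x00\x01", SECRET])
    print("codebook hit on true-40-bit RC4:",
          codebook_lookup(book, PLAINTEXT[:8], rc4_crypt(SECRET, PLAINTEXT)))
    print("codebook hit on salted/MD5 derivation:",
          codebook_lookup(book, PLAINTEXT[:8], ct))
```

The second and third prints show the difference the salt and the MD5 step make: the same codebook that identifies a true-40-bit key from eight bytes of known plaintext finds nothing when the RC4 key is MD5(salt || secret), and the only remaining route is the per-salt search in `recover_secret`, which pays an MD5 and a key setup for every one of the candidates.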