On Wed, 1 Jun 2005, Steven M. Bellovin wrote:
In message <tsloeaqgc2s.fsf@xxxxxxxxxx>, Sam Hartman writes:
Hi, folks. The IESG has received a last call comment recommending
that the new rc4 cipher for ssh be published as informational rather
than as a proposed standard because of weaknesses in rc4. It would be
inappropriate to make a decision based on one comment so I am
soliciting comments on this point.
The argument in favor of publishing this document at proposed is that
the existing arcfour cipher is part of a standard and that many other
IETF protocols use rc4 in standards track documents.

SSH needs a stronger stream cipher, but all implementations use RC4 and the quick
way out is to increase the key size (to 128 or 256 bits as in the draft).
I think it's better than no increase in SSH security at all, so I don't see
why you want to continue to have the less secure protocol solution as a proposed
standard and block its update to something better.
For the long term, the IESG really needs to make it clear to SSH that they
MUST develop/introduce a completely different stream cipher, perhaps SEAL,
maybe something else. It might even be good to mention in the current draft
that this is considered a temporary solution and that SSH will be moving
to a different cipher in the future to replace RC4.

Correct me if I'm wrong, but the serious problems with RC4 that I know
of are related-key attacks. Those don't occur in, say, secsh or TLS.
This draft improves the situation somewhat, and is thus good.

Yes, but a large stream of RC4 data makes a statistical attack possible.
And there are people who use SSH for more than just telnet sessions;
the biggest SSH use by amount of data is probably X11 forwarding and
tunnels, and that is where RC4 is a weak link. At least the draft
mentions it, which is good!
--
William Leibzon
Elan Networks
william@xxxxxxxx
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
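The statistical weakness the thread is arguing about, as an added example that is not part of any poster's message or of the draft itself: a small RC4 implementation in Python, used to measure the bias Mantin and Shamir described (the second keystream byte is zero roughly twice as often as an ideal stream cipher would allow), and to show that discarding an initial stretch of keystream removes that early bias. The constant 1536 is the number of bytes the improved Arcfour modes later published as RFC 4345 (arcfour128/arcfour256) discard; it comes from that RFC, not from this thread. The keys are constructed from a fixed seed so the measurement is reproducible.

```python
"""Measuring RC4 keystream bias: added example, not code from the draft or
from any poster on this thread. Keys below are constructed from a fixed seed."""
import random


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, nbytes: int, drop: int = 0) -> bytes:
    """Return nbytes of keystream after discarding the first `drop` bytes.
    drop=0 is the plain 'arcfour' cipher; RFC 4345's arcfour128/arcfour256
    (the eventual published form of the modes under discussion) use drop=1536."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for n in range(drop + nbytes):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= drop:
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with keystream; RC4 encryption and decryption are the same operation."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_rate(trials: int, drop: int = 0, key_len: int = 16, seed: int = 1) -> float:
    """Fraction of random keys for which the second *kept* keystream byte is 0.
    An ideal stream cipher gives about 1/256; plain RC4 gives about 1/128
    (the Mantin-Shamir second-byte bias). Under many keys, that bias leaks the
    second plaintext byte of every stream to anyone who can collect enough of them."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible keys
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print("second byte zero rate, plain arcfour:   ", second_byte_zero_rate(12000))
    print("second byte zero rate, 1536 bytes dropped:", second_byte_zero_rate(3000, drop=1536))
    print("rate an ideal stream cipher would give:  ", 1 / 256)
```

Run stand-alone, it prints the measured rates next to the ideal 1/256. Dropping the prefix removes only the early-position biases; small biases that persist throughout the keystream remain, which is what makes the large X11 and tunnel streams mentioned in the thread the real concern, and those residual biases are why RC4 was eventually prohibited in TLS (RFC 7465) and deprecated for SSH (RFC 8758).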