In article <1117723009.44321.3229.camel@xxxxxxxxxxxxxxxxxxx> you write:
>On Wed, 2005-06-01 at 15:48, Sam Hartman wrote:
>
>> That's what I thought too. However that seems to be false. The one
>> reference currently in the security considerations section is for an
>> attack to distinguish an RC4 stream from a random stream.
>
>A critical parameter to such attacks is the amount of keystream required
>under a single key before the attack becomes feasible.
>
>Assuming I've read it correctly, the most recent paper I've found on the
>topic mentions a threshold of 2^24 bytes if you don't discard the start
>of the keystream, and 2^32 if you discard the first 256 bytes.
>
>As the sshv2 protocol allows for either party to trigger a rekey of both
>directions of the communication, it certainly seems like a cautionary
>note to set rekey thresholds appropriately would be in order.

I don't believe that rekeying is sufficient, which is why the draft doesn't recommend it. The distinguisher relies on the non-uniform distribution of digraphs in all RC4 keystreams, so if it needs to it can work on two bytes from each of 2^32 separate keystreams.

I think (and I'd be happy for a cryptographer to contradict me here) this means that if you encrypt the same thing (e.g. an SSH password packet) 2^32 times under different RC4 keys, an attacker can deduce one bit of information about it, or more accurately one bit of information per digraph.

--
Ben Harris

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
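The message above makes two points that are easy to verify empirically: RC4 keystream biases are properties of the cipher itself and show up across many independent keys (so rekeying only spreads the samples over more keys, it does not remove them), and discarding the start of the keystream changes which biases remain. The script below is an added illustration, not part of Ben Harris's message or of the IETF thread. It measures the best-known key-independent RC4 bias, the Mantin-Shamir observation that the second keystream byte is 0 with probability close to 2/256 instead of 1/256, by generating keystreams under thousands of fresh random keys, and then measures the same statistic at the second byte after dropping the first 256 bytes, where this particular bias is gone. It uses a single-byte bias rather than the digraph biases the message refers to because the digraph biases are far smaller and would need billions of samples to see; the RC4 implementation, the key length, the number of keys and the PRNG seed are my own choices.

```python
"""Empirical look at a key-independent RC4 keystream bias across many keys.

Added example (not from the mailing-list thread). Constructed inputs: random
16-byte keys from a seeded PRNG, so the run is reproducible.
"""
import random


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: returns the initial permutation S."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, nbytes: int) -> bytes:
    """Return the first `nbytes` bytes of RC4 keystream for `key` (PRGA)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(nbytes):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bias_survey(num_keys: int, positions=(1, 257), seed: int = 1) -> dict:
    """Count how often keystream byte `pos` is 0 over `num_keys` independent keys.

    Returns {pos: observed_zero_count / expected_zero_count}, where the expected
    count is num_keys / 256 for an unbiased byte. A ratio near 2.0 at position 1
    is the Mantin-Shamir second-byte bias; position 257 is the second byte that
    a RC4-drop[256] user would see, where this bias is absent (ratio near 1.0).
    """
    rng = random.Random(seed)
    need = max(positions) + 1
    zeros = {pos: 0 for pos in positions}
    for _ in range(num_keys):
        # Fresh key per sample: the bias is a property of the cipher, not of a key.
        key = rng.getrandbits(128).to_bytes(16, "big")
        ks = rc4_keystream(key, need)
        for pos in positions:
            if ks[pos] == 0:
                zeros[pos] += 1
    expected = num_keys / 256
    return {pos: zeros[pos] / expected for pos in positions}


if __name__ == "__main__":
    ratios = bias_survey(20000)
    for pos, ratio in ratios.items():
        print(f"P[Z_{pos} = 0] is {ratio:.2f}x the unbiased rate")
```

Each keystream contributes only its bytes at positions 1 and 257 to the count, mirroring the message's point that a distinguisher can take a couple of bytes from each of many keystreams rather than a long run under one key. With 20000 keys (about 2^14.3 samples) the doubled zero-rate at the second byte is already unmistakable, which is why dropping the initial keystream is the usual mitigation and why a rekey interval alone does not address the key-independent biases.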