Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

As mentioned in section 6 of RFC4345, there are weak distinguishers for RC4 keys

ID: 650464 • Letter: A

Question

As mentioned in section 6 of RFC4345, there are weak distinguishers for RC4 keystreams available that even work for keystreams that originate from different keys, and regardless of the distance from the start of the keystream. Doesn't that make an attack on schemes that send user passwords in RC4 protected connections?

I'm thinking about protocols that always send the password at a well known offset, e.g. TLS protected IMAP and SMTP.

Theoretically, it should even be possible with an HTML authentication form, but the position of the password in the response might not be as obvious in that case.

Has anybody ever tried to recover a password from a number of RC4 protected IMAP or (authenticated) SMTP connections? Because of the BEAST attack, many mail services now default to RC4 for encrypting user connections (which always include the credentials at a fixed offset), and depending on the mail client used, authentication might happen frequently (especially IMAP clients often keep a number of IMAP connections open, which might be forced to reconnect even more frequently by an active attacker).

Explanation / Answer

By George, you're on to something.

To answer the question you asked, I don't know of anyone actually attempting to recover a password this way, or it even being discussed. However, it does appear to be feasible, given enough encrypted streams.

How many are enough? Well, I've started running a few simulations; preliminary results indicate that with perhaps 2 billion encrypted streams that encode the same password, the attacker may be able to deduce enough information to narrow possible passwords to a reasonably small set.

I'll update this answer as I get more precise information on the number of streams needed; however, I've seen enough to be fairly confident that this attack can work.

Related Questions

As loan analyst for Pearl Bank, you have been presented the following informatio
Question #2535838
As loan analyst for Utrillo Bank, you have been presented the following informat
Question #2466916
As loan analyst for Utrillo Bank, you have been presented the following informat
Question #2589055
As long as a consumer remains on the same indifference curve?? she is indifferen
Question #1091015
As long as an organism is alive, it has one carbon-14 (14C) atom for every 7.2 x
Question #992462
As long as firms currently in a monopolistically competitive market are earning
Question #1151664
As long as it works. Java Add copies of the files from the project that you comp
Question #3804317
As long as the cell body survives, neurons can grow new axons by following the S
Question #174989

Navigate

Previous
As mentioned in lecture, the equivalence point is the point whenthe number of eq
Next
As mentioned in the illustrative example of the vendor allowances agreement, ass

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.