Slashdot Mirror


New RC4 Encryption Attacks Reduce Plaintext Recovery Time

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim's cookie and decrypt it in a much shorter amount of time than was previously possible. The paper "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.

44 comments

  1. Re:Answer me this... apk by Anonymous Coward · · Score: 0

    It doesn't work that well?

    The problem is that if you have a heavily threaded process wanting to do encryption, say a web server, all the threads are in a different state.

    So the data is different, different sizes, but also the connection state, some threads are waiting for input, some halfway through sending. To use a video card (which can run the same algorithm over different data efficiently) you'd have to synchronize the threads - costing you more performance than you'd gain.

    Attacking doesn't have that issue, same data, 6000 different keys, just do it.

  2. yesterday's news? by Anonymous Coward · · Score: 0

    Did everyone get used to it, so no one wants to comment? :)

  3. Re:Answer me this... apk by marcansoft · · Score: 5, Informative

    The answer is that it varies - GPUs are anywhere from mediocre to useless at "normal" crypto.

    It depends on whether the particular encryption algorithm/mode in use is parallelizable or not. For example, CBC is not parallelizable - you have to encrypt each block of data serially. GPUs are useless at CBC mode encryption. More modern modes like GCM and XTS are parallelizable to an extent, as you can encrypt multiple blocks at once, but there is still a serial dependency in the process (there is no real way of completely getting rid of all dependencies while keeping the algorithm usefully secure), so you still need to do some pre or post-processing of the data in a serial fashion. And even then, you're limited by bandwidth in/out of the GPU.

    Public-key crypto (RSA, DSA, and ECDSA) isn't really parallelizable either as it only deals with small data sizes. And typical hash algorithms like SHA-1 and SHA-256 are also not parallelizable in their construction.

    Thing is, CPUs these days have hardware AES encryption acceleration, making this mostly a moot point. GPUs are good at doing the same thing many times in parallel, which is what breaking encryption requires, but not regular usage.
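    The serial-versus-parallel distinction marcansoft draws can be made concrete with a few lines of code. The block below is an added example (not from the original thread and not anybody's production code): it uses a truncated SHA-256 of key||block as a stand-in for a 128-bit block cipher (an assumption for illustration only; it is one-way, not a permutation, so it can show data dependencies but can never serve as a cipher), then encrypts the same constructed eight-block message in CBC and in CTR, the mode at the core of GCM. Flipping one byte of the first plaintext block changes every CBC ciphertext block, because each block's input is the previous output, whereas in CTR only the one block changes, which is exactly why the CTR blocks can be handed to independent workers and CBC blocks cannot.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16  # 128-bit blocks, as in AES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed stand-in for a block cipher (assumption for this example:
    truncated SHA-256 of key||block). It only models the dependency
    structure between blocks; it is not a usable cipher."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E(P_i XOR C_{i-1}). Block i cannot start before block i-1 is done."""
    out, prev = [], iv
    for pblock in split_blocks(plaintext):
        prev = toy_block_encrypt(key, xor(pblock, prev))
        out.append(prev)
    return b"".join(out)


def ctr_block(key: bytes, nonce: bytes, index: int, pblock: bytes) -> bytes:
    """CTR: C_i = P_i XOR E(nonce || i). Depends only on its own index."""
    counter = nonce + index.to_bytes(8, "big")
    return xor(pblock, toy_block_encrypt(key, counter))


def ctr_encrypt_serial(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return b"".join(ctr_block(key, nonce, i, p)
                    for i, p in enumerate(split_blocks(plaintext)))


def ctr_encrypt_parallel(key: bytes, nonce: bytes, plaintext: bytes, workers: int = 4) -> bytes:
    """Same result as the serial version, but every block goes to a separate
    worker: the independence a GPU (or a busy multi-threaded server) can use."""
    blocks = split_blocks(plaintext)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        parts = pool.map(lambda ip: ctr_block(key, nonce, ip[0], ip[1]), enumerate(blocks))
        return b"".join(parts)


def blocks_changed(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(split_blocks(a), split_blocks(b)))


# Constructed sample input: eight 16-byte blocks and a fixed key/IV/nonce.
KEY = b"example-key-0123"
IV = b"\x00" * BLOCK
NONCE = b"\x00" * 8
PLAINTEXT = b"".join(b"cookie-block-%03d" % i for i in range(8))


def dependency_demo() -> tuple:
    """Flip one byte in block 0 and count the ciphertext blocks that change:
    all 8 under CBC (the change ripples forward), exactly 1 under CTR."""
    tweaked = bytes([PLAINTEXT[0] ^ 0x01]) + PLAINTEXT[1:]
    cbc = blocks_changed(cbc_encrypt(KEY, IV, PLAINTEXT), cbc_encrypt(KEY, IV, tweaked))
    ctr = blocks_changed(ctr_encrypt_parallel(KEY, NONCE, PLAINTEXT),
                         ctr_encrypt_parallel(KEY, NONCE, tweaked))
    return cbc, ctr


if __name__ == "__main__":
    print("ciphertext blocks changed (CBC, CTR):", dependency_demo())
```

    GCM adds a GHASH authentication tag computed over the ciphertext, which is the serial "post-processing" step the comment refers to; the CTR part above is the portion that parallelizes.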

  4. I'll have CmdrTaco's WiFi password within the hour by Anonymous Coward · · Score: 1

    Bwuhahahahahahaha

  5. ALL My encryptions are rc4 by Anonymous Coward · · Score: 0

    what better encryption is the available???

    1. Re:ALL My encryptions are rc4 by Anonymous Coward · · Score: 1

      I'm not an expert... AES?

    2. Re:ALL My encryptions are rc4 by Anonymous Coward · · Score: 0

      The Caesar cipher. Although don't use the ROT13 variant - that's been broken.

    3. Re: ALL My encryptions are rc4 by gmiller123456 · · Score: 1

      I switched to double rot13 years ago. I've heard of some people using triple rot13, but that just seems like overkill.

  6. Is there any value in studying this? by thegarbz · · Score: 3, Insightful

    Is there any further value in studying an encryption scheme that is widely considered completely and irreparably broken? At this point isn't it like discovering a house with a completely open front door can be broken into by smashing a window?

    RC4 is already not recommended as a cypher for many applications.

    1. Re:Is there any value in studying this? by suutar · · Score: 4, Informative

      The techniques used for this attack may be useful attacking other things, so it's good to make it known so new algorithms can be tested for susceptibility to this.

    2. Re:Is there any value in studying this? by hankwang · · Score: 5, Informative

      studying an encryption scheme that is widely considered completely and irreparably broken?

      All known issues with RC4 have to do with statistical biases in the first bytes of the key stream, in particular the first 256 bytes (this paper also mentions a significant bias at byte 258). As far as we know, all issues with RC4 are avoided in protocols that simply discard the first kilobyte of key stream before starting to apply the key stream on the plaintext. SSH does this (discarding the first 1.5 kiB IIRC). For WPA I can imagine that this workaround would have an unacceptable performance penalty on small data packets. For some reason, this approach was never implemented for TLS/HTTPS or WPA.

      So why would one be interested in RC4? It's significantly faster than AES when run on processors that do not have hardware AES support. If I use scp and rsync-over-ssh to copy files to devices like a Raspberry Pi or my home server which runs on a low-power VIA processor, it's a big difference (aes versus arcfour), something like 4 MB/s versus 8 MB/s. Here are some benchmarks: openSSH cipher benchmarks.

      I keep my eyes open for papers like this, in particular I check whether they make statements on weaknesses after the first kilobyte of key stream.

    3. Re:Is there any value in studying this? by Anonymous Coward · · Score: 0

      If you want a fast stream cipher, you can use a modern one like ChaCha by DJB. The only reason to stick around with RC4 is backwards compatibility, and even that is dubious nowadays when IE6 is finally in the long process of being phased out. Please don't use RC4.

    4. Re:Is there any value in studying this? by DarkOx · · Score: 2

      Yes, because there are many, many situations where the only mutually supported cipher between two end points is RC4, be it used for SSL/TLS or any other protocol. RC4 is also much faster when you are working with something that does not have hardware accelerated crypto. It does not matter much if we are talking some big SSL offload device, but can matter a great deal when it's some tiny MIPS or ARM chip in your industrial controller.

      Studying the possible attacks on RC4 makes sense because there are lots of people who may be faced with a decision requiring large investments of time and money replacing hardware or software that is otherwise still meeting their needs. You need to have some understanding of just how risky RC4 might be to make that decision. It's easy in a security role to just say "RC4 == bad, must fix", but that isn't providing great service. Understanding the value of what you are protecting and the potential consequences if the encryption is broken is critical; the next part is understanding how easy it is to break.

      If a successful attack requires tens of thousands of known plaintexts that you can't imagine the likely attackers have any way of getting, and will take months of key space searching with hundreds of GPUs and special purpose-built software, vs. some guy with a couple of Radeons and a stock copy of Kali who can do it in an hour with a handful of plaintexts, it might change the decision.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

    5. Re:Is there any value in studying this? by Anonymous Coward · · Score: 0

      IE6 still has its uses.

    6. Re:Is there any value in studying this? by Anonymous Coward · · Score: 0

      Yes. As do antelope. That use has a name: "prey".

  7. Why still bothering with RC4? by wvmarle · · Score: 2

    It's old, it's pretty much done for, and preceded by many better protocols (some of which have also been seriously damaged since, like RC5). It starts to sound a bit like kicking a dead horse.

  8. Why are we still using RC4? by jonwil · · Score: 2

    Why would any sane admin use RC4 for SSL/TLS instead of using a more secure algorithm like AES?

    1. Re:Why are we still using RC4? by nullchar · · Score: 5, Interesting

      Because it's in firmware that can't be [easily] upgraded?

      Hooray the Internet of Things! Billions of devices that will never be upgraded.

    2. Re:Why are we still using RC4? by OrangeTide · · Score: 1

      RC4 and TEA are the only algorithms I have memorized, everything else I have to look up because they are so complicated. For being trivial to implement (at least in software), RC4 lasted quite a while.

      --
      “Common sense is not so common.” — Voltaire

    3. Re:Why are we still using RC4? by Anonymous Coward · · Score: 0

      You shouldn't be implementing crypto algorithms, even well-known ones, you should be using a vetted library instead.

    4. Re:Why are we still using RC4? by OrangeTide · · Score: 2

      I shouldn't be writing compilers either, but I do that too.

      --
      “Common sense is not so common.” — Voltaire

    5. Re:Why are we still using RC4? by dave420 · · Score: 3, Interesting

      We already have billions of devices which will never be updated, so I fail to see why an attack on the Internet of Things is at all pertinent.

    6. Re:Why are we still using RC4? by jp10558 · · Score: 2

      I'd say it's somewhat relevant - it's saying that 'we have a problem now - here's how the "internet of things" will make that problem worse. Maybe figure out mitigations before you buy into the "internet of things"' . . .

      However, here it's likely preaching to the choir. But for general consumption / random google search results, it seems like it's a good idea to point out that this could be an issue.

      --
      Opera, Proxomitron-Grypen, GPG 0x0A1C6EE3

    7. Re:Why are we still using RC4? by Anonymous Coward · · Score: 0

      Because it's in firmware that can't be [easily] upgraded?

      Hooray the Internet of Things! Billions of devices that will never be upgraded.

      Those devices are, by definition, upgradable; the question is whether the corporation behind them wants to maintain them in favor of peddling a newer device, all for the sake of more sales.

      This is already the case with consumer routers.

    8. Re:Why are we still using RC4? by Anonymous Coward · · Score: 0

      And smart phones.

  9. Re:Answer me this... apk by Anonymous Coward · · Score: 1

    GPUs can do a subset of the formulas for encryption, as well as do some operations that aren't related to the normal encryption process but are related to attacking weaknesses in the encryption algorithm or even factoring for primes.

    There is a bit of bit shuffling and different rounds that are required for more encryption algorithms. A GPU can do these, but not really any faster than a CPU, as the order of operations matters a great deal and it is not easily parallelized. If it were, then it would be even easier to break.

    You should check out OpenCL or CUDA programming for a bit, now that relatively inexpensive graphics cards are capable of using it, of course the more money you spend the faster it goes, but for learning you can go cheap on this. The only cost is your own time.

  10. Re:Answer me this... apk by Anonymous Coward · · Score: 1

    And even then, you're limited by bandwidth in/out of the GPU.

    Heh, if that's the thing limiting your ability to handle encrypted data, I envy your internet connection. I've been fortunate enough to get to play with direct-to-Internet 10Gbps before but DAMN, son. 10Gbps is an ant fart compared to PCIe gen 3 x16...

    I still can't quite believe that today, with four K80s per U, you could get 100TFs of double precision and half a petaflop of float (~25u), AND a 100Gbps network (4u?), AND 200TB of raid-1'ed backing store (8u) into a single cabinet. The power cable would be the size of a bodybuilder's forearm and you'd have to install it in a wind tunnel, but even so...

  11. Meme fail by srussia · · Score: 3, Informative

    "All Your Biases Are Belong To Us"

    FTFY

    --
    Set your phasers on "funky"!

    1. Re:Meme fail by Anonymous Coward · · Score: 0

      Blame the researchers -- their title misses the "Are"

    2. Re:Meme fail by Anonymous Coward · · Score: 0

      Aye matey. All your bases arrr belong to Davey Jones' locker.

  12. Will it help cracking WiFi? by rduke15 · · Score: 1, Interesting

    That's all I'm really interested in. Will it make cracking the neighbor's WiFi practical again? Nobody uses WEP anymore, and almost all the routers with WPS seem to have been upgraded to prevent the very nice Reaver attack which was so cool a few years ago.

    I used to get Internet access anywhere by simply cracking some nearby WiFi. Nowadays, I usually need to use my phone's data connection, which is painfully slow and not usable in other countries because of roaming charges. I keep an open WiFi at home for passersby, but nobody else seems to be doing that for me.

    1. Re:Will it help cracking WiFi? by Anonymous Coward · · Score: 0

      I keep an open WiFi at home for passersby, but nobody else seems to be doing that for me.

      Probably because of the state of fear over someone like a pedophile using their internet and it being traced back to them and not the pedophile?

    2. Re:Will it help cracking WiFi? by phoenix_V · · Score: 2

      It's not good for random areas you are passing through, but AT&T DSL routers with WiFi use a 10 digit passcode which is a nice short key space to search if you're using pyrit (https://code.google.com/p/pyrit/)

      Comcast defaults to I think a 12 character passcode, but even though it's alpha-numeric they inexplicably used all uppercase, way to screw up the better security decision and needlessly limit your key space as well...

      The short of the above is most people seem to leave the default settings, so grab a few modern GPUs and have a party, backup wifi will be yours in no time. Just be sure to have a good disk on the server storing all the results, they can get large.

  13. Impersonating me?... apk by Anonymous Coward · · Score: 0

    See subject: Grow up idiot, stop impersonating me.

    APK

    P.S.=> Get a life & get over your obsession with me too please... apk

  14. Parallelization's key then (thanks)... apk by Anonymous Coward · · Score: 0

    "GPUs are good at doing the same thing many times in parallel, which is what breaking encryption requires, but not regular usage." - by marcansoft (727665) on Thursday July 16, 2015 @11:11PM (#50125895) Homepage

    See subject & that quote from you (says it all) - it's key & perfect for my understanding of this & WHY vidcards aren't used over CPUs (others noted how that's built into CPUs now too which also helps explain the 'why' of them NOT being used for actual valid encryption processing speedups).

    * This I understand from normal programming using threads, & it makes sense, ala

    This not gaining (due to C having to wait out the results of A first - thus, no point in using diff. threads of execution on A, B, & C):

    A = B+C
    B = 1
    C = A + B

    Perhaps not the best example here, but it helps make my points with an illustration... this sounds ALMOST that way regarding encryption and the rest of WHAT A GPU DOES (doing same thing many times in parallel) does the rest...

    APK

    P.S.=> Thanks - as I said, I learned something here today & "it's not a wasted day when you learn a new thing"... apk

    1. Re:Parallelization's key then (thanks)... apk by Anonymous Coward · · Score: 0

      A GPU array gives you a lot of CPUs that don't talk to each other much.
      It seems like if you are searching a large key-space (or bias-space?), then you could divide up the space across the GPUs and see which one gets lucky.
      (This assumes that the array can search faster than the CPU with any special hardware like an AES functional unit.)

      Is there something about this particular RC4 weakness which prevents this?

      Assuming this is a real deal:
      A really interesting question here is how long has this been known, and by who, and was that a good idea.
      One would like to think the NSA has known about this for years, but has had the restraint not to use it for more than a handful of domestic issues.
      Hopefully a Congress-critter will quietly verify this as a reality check to see if they are worth their salt.

  15. That's a good idea but... apk by Anonymous Coward · · Score: 0

    See subject: For me to invest time in a new tech (for me), I have to have an idea to apply it to 1st - to keep me interested basically by having an "end goal" in place that's practical for solving a problem for myself, FIRST, & then possibly, others also.

    * I had no idea HOW fpga's or vidcards work really, but NOW I do (doing the same thing many times in parallel from what others stated)... that alone, helps me loads.

    (Understanding of the mechanics of their processing is key of course, first - this turned out worth asking to me, since I learned some new principles at least...)

    APK

    P.S.=> Still, see subject - nothing like "hands on" for that as you said... apk

  16. Re:Answer me this... apk by Anonymous Coward · · Score: 0

    PCIe 3.0 has 126.032 Gbps of bandwidth available on an x16 bus. (Source: Wikipedia)

    It only takes 13 of those 10 Gbps connections to fully saturate PCIe 3.0 x16. That's what, $50? Psssh.

  17. Google setup by manu0601 · · Score: 1

    Oddly, Google still uses RC4, according to Qualys test. They also still allow SSLv3 and have not yet moved to SHA2 signed certificates.