Bugtraq mailing list archives

Re: Non-PK encryption not vulnerable via low key length?!


From: smb () research att com (smb () research att com)
Date: Fri, 17 Mar 95 10:11:41 EST


         RC2 and RC4 are both public key systems -- then why wouldn't
         factoring the key prove equally as (greatly more) effective as with
         attacks on RSA/PGP.
                 __pardon_my_misunderstanding__but__?

We're getting far off-topic here, but it's still security-related, so
I'll answer.

RC2 and RC4 are *not* public key systems.  They are symmetric
cryptosystems invented by Ron Rivest.  RC2 is a block cipher, much like
DES.  That is, it takes fixed-length input blocks and transforms them
into fixed-length output blocks.  (I think, but I'm not certain, that
the block size is 8 bytes.)  Using a block cipher properly is *not*
simply a matter of encrypting each 8 bytes of the file in turn.  You
have to use one of several ``modes of operation''; these are covered in
any elementary cryptography text, and are (I think) discussed in the
sci.crypt FAQ.

RC4 is a stream cipher.  That is, it encrypts one byte at a time, and as
such is well-suited for things like encrypted terminal sessions.  Block
ciphers, with suitable modes of operation, can be used as stream
ciphers, but with a moderate loss of efficiency.

Both RC2 and RC4 take variable-length keys.  With a 5-byte key, they're
approved for export from the U.S.  With a longer key, they're much more
secure.

Note that 40 bits is well within the brute force range, though I
suspect that you'd need special-purpose hardware to do it
economically.  If my math is right, at .1 ms per trial, it would take
about 3.5 years to exhaust the key space, so you'd have to do it in
parallel.  It's also somewhere between possible and likely that NSA
knows of some shortcuts for 40 bit RC2 or RC4 that would reduce the
search space considerably.  But they don't need to; they can easily
afford the hardware.

RC2 and RC4 are both trade secrets of RSA Data Security, Inc.  A
bootleg version of RC4 was posted to the net last year; from everything
I've heard, including some comments from Jim Bidzos, the president of
RSADSI, it was the real thing.
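
An added illustration, not part of the original post, of the two points about modes of operation made above: encrypting each 8-byte block in turn (ECB) leaks repeated plaintext, and 8-bit CFB lets a block cipher work a byte at a time at the cost of one block operation per byte. The block cipher is a hypothetical toy Feistel stand-in (not RC2 or DES), and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8                          # bytes per block (assumed for this example)
KEY = bytes.fromhex("0102030405")  # constructed 5-byte (40-bit) key
IV = bytes(range(BLOCK))           # constructed initialisation vector
MSG = b"SAMEDATA" * 3              # constructed plaintext: three identical blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Toy 4-round Feistel cipher on 8-byte blocks (stand-in, NOT RC2 or DES)."""
    left, right = block[:4], block[4:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]  # round function
        left, right = right, xor(left, f)
    return left + right

def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    # Each block encrypted independently: equal plaintext gives equal ciphertext.
    return b"".join(encrypt_block(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block first.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(xor(data[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)

def cfb8(data: bytes, key: bytes, iv: bytes, decrypt: bool = False):
    # 8-bit CFB: byte-at-a-time stream use of the block cipher.
    # Returns (output bytes, number of block-cipher calls made).
    reg, out, calls = iv, bytearray(), 0
    for byte in data:
        keystream_byte = encrypt_block(reg, key)[0]  # one full block op per byte
        calls += 1
        o = byte ^ keystream_byte
        out.append(o)
        reg = reg[1:] + bytes([byte if decrypt else o])  # shift in ciphertext byte
    return bytes(out), calls
```

For the 24-byte sample, ECB and CBC each make 3 block-cipher calls while CFB-8 makes 24.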


