Penetration Testing mailing list archives
Re: [PEN-TEST] RC4
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 28 Nov 2000 21:01:41 -0800
On Tue, 28 Nov 2000, Jay Mobley wrote:
So , I am not pen-testing anything, but rather looking at some of my own venurabilities... and in doing so I learn that my Win2k Terminal server sends data to and from its client in a data stream encrypted with RC4. And in researching what I could about RC4 , I have seen time and time again that RC4 source was posted to a public usenet forum..... So my question is this... If one has the source code to an encryption standard... how secure is that standard???
RC4 isn't too bad. RC5 should be used in most cases instead, according to crypto people who know lots more than I. As for the algorithm being public.. there is ample evidence to support the idea that publically scrutinized crypto algorithms (that survive the scrutiny) are more secure than those that are secret (and therefore haven't been scrutinized.) The security is supposed to be in the key. Back to your original question, even though RC4 is probably secure enough on it's own, there is still plenty of opportunity to screw it up in the implementation. This would include things like trying to take a user-selected password that's good for about 20 bits of entropy, and trying to make a 128 bit key out of it, using the same key in both directions, things like that. Probably a good place to look for analogies is the various PPTP weakness writeups that have been done. If I recall, the Citrix protocols that this is all based on do not require any domain memberships on the parts of the participating Windows machines. Therefore, there is nothing else to base the encryption on other than the password of the user. Usually quite atackable in those types of circumstances. Ryan
Current thread:
- [PEN-TEST] RC4 Jay Mobley (Nov 29)
- Re: [PEN-TEST] RC4 Erick fabrizio (Nov 29)
- Re: [PEN-TEST] RC4 Ryan Russell (Nov 29)
- Re: [PEN-TEST] RC4 Chris Deibler (Nov 29)
- Re: [PEN-TEST] RC4 Alan Olsen (Nov 29)
- Re: [PEN-TEST] RC4 Robert van der Meulen (Nov 30)
- [PEN-TEST] RC4 Raju Mathur (Nov 29)