----- Original Message ----- > From: "Kurt Roeckx" <k...@roeckx.be> > To: mozilla-dev-tech-cry...@lists.mozilla.org > Sent: Monday, 30 June, 2014 10:56:13 AM > Subject: Re: Road to RC4-free web (the case for YouTube without RC4) > > On 2014-06-30 02:35, Hubert Kario wrote: > >> The benefits of ECDHE outweigh the risks of using RC4, > > > > I have to disagree here. Even 1024 bit DHE requires a targeted attack at > > ~80 bit > > complexity. Currently we see RC4 at around 56 bit, with a completely > > unoptimized > > attack... > > Do you have a reference for those 56 bit?
My estimation. http://www.isg.rhul.ac.uk/tls/ requires 2^30 sessions with 2^8 computations to recover full text. And it requires 2^24 sessions and 2^8 computations to recover some bytes. I assumed two to one data-to-computation equivalence and added 8 bits from the original attack. Even if the equivalence is higher, capturing 2^10 of sessions won't require extended monitoring. If we then say that this then requires 2^67 computations (over 3 to 1 equivalence) the cost of that is around $250000 using EC2. That's mafia kind of money, not NSA. I trust RC4 as much as single DES - good against script kiddies. > I think we should do all that's possible to avoid RC4. I think that for > now we should follow Microsoft in not having RC4 in the initial > handshake and if fails retry with RC4 enabled. yes, that would certainly help > It's my understanding > that that should reduce RC4 usage from 20% of the sites to 1%. that's correct -- Regards, Hubert Kario -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
