----- Original Message -----
> From: "Kurt Roeckx" <k...@roeckx.be>
> To: mozilla-dev-tech-cry...@lists.mozilla.org
> Sent: Monday, 30 June, 2014 1:57:33 PM
> Subject: Re: Road to RC4-free web (the case for YouTube without RC4)
> 
> On 2014-06-30 12:20, Hubert Kario wrote:
> >> From: "Kurt Roeckx" <k...@roeckx.be>
> >> On 2014-06-30 02:35, Hubert Kario wrote:
> >>>
> >>> I have to disagree here. Even 1024 bit DHE requires a targeted attack at
> >>> ~80 bit complexity. Currently we see RC4 at around 56 bit, with a
> >>> completely unoptimized attack...
> >>
> >> Do you have a reference for those 56 bit?
> >
> > My estimation.
> >
> > http://www.isg.rhul.ac.uk/tls/
> > requires 2^30 sessions with 2^8 computations to recover full text.
> > And it requires 2^24 sessions and 2^8 computations to recover some bytes.
> 
> Please note that those are 2^30 sessions with the same plain text.  That
> is hopefully not done by just monitoring.

It requires static/same plain text only at certain positions.

This is the case for at least some HTTP headers.

The attack also doesn't exploit the fact that some parts of the message are
known or are easy to guess for the attacker.

"However, it is a truism that attacks only get better with time, and we
anticipate significant further improvements to our attacks."

> > Even if the equivalence is higher, capturing 2^10 sessions won't
> > require extended monitoring. If we then say that this then requires 2^67
> > computations (over 3 to 1 equivalence) the cost of that is around $250000
> > using EC2. That's mafia kind of money, not NSA.
> 
> As far as I know the attack is purely based on statistics.  Throwing
> more CPU time at it won't suddenly change the statistics.  For the
> attack to work you need more data not more CPU time.

Not entirely: the statistics provide the likely values for bytes. Then the
attack uses those 2^8 operations to guess the values. With 2^30 sessions
you get a 100% recovery rate for the first few hundred bytes; with 2^24 sessions
you get above 90% for a few selected bytes.

In essence, the attack is an oracle aiding brute force search.
-- 
Regards,
Hubert Kario
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
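Added illustration, not part of the thread: the simplest of the RC4 keystream biases the discussion relies on (the second keystream byte is 0 about twice as often as any other value) turned into the "statistics give likely values, then guess" procedure Hubert describes. The experiment is constructed: one plaintext byte held fixed at the same position across many sessions under fresh random keys, as a constant header byte would be. The RHUL attack also exploits further single- and multi-byte biases, which this does not model.

```python
import random
from collections import Counter

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA), then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def ciphertext_byte2_histogram(plaintext_byte: int, sessions: int, seed: int = 1) -> Counter:
    """Constructed experiment: the same plaintext byte sits at keystream position 2
    in `sessions` sessions, each under a fresh random 128-bit key; count the
    ciphertext values an observer of those sessions would see."""
    rng = random.Random(seed)
    hist = Counter()
    for _ in range(sessions):
        key = rng.getrandbits(128).to_bytes(16, "big")
        z2 = rc4_keystream(key, 2)[1]
        hist[plaintext_byte ^ z2] += 1
    return hist

def rank_candidates(hist: Counter) -> list:
    """Rank plaintext candidates by likelihood. Since Z2 = 0 roughly twice as
    often as any other value (Mantin-Shamir bias), the most frequent ciphertext
    value is the most likely plaintext. Walking this ranked list is the 2^8-step
    guessing pass the thread mentions; the statistics just order it."""
    return [value for value, _ in hist.most_common()]

def zero_keystream_rate(hist: Counter, plaintext_byte: int) -> float:
    """Observed P(Z2 = 0): about 1/256 for an ideal cipher, about 1/128 for RC4."""
    return hist[plaintext_byte] / sum(hist.values())

if __name__ == "__main__":
    p = 0x47  # 'G': a byte that is the same in every session, like a fixed header byte
    hist = ciphertext_byte2_histogram(p, sessions=16384)
    print("P(Z2 = 0) ~", zero_keystream_rate(hist, p), "vs uniform", 1 / 256)
    print("best guess for the constant byte:", hex(rank_candidates(hist)[0]))
```

Lowering `sessions` shows why the quoted session counts matter: with too few sessions the true byte no longer stands out from the noise and only its rank in the list improves.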