In MS-CHAPv.1, the data encryption technique named MPPE (MS Point-to-Point
Encryption), which exploits RC-40 OFB encryption mode (with constant salt!),
is vulnerable to a resynchronization attack (http://www.counterpane.com) from
two sessions encrypted with the same key, because the initial session keys are
obtained from the 64-bit LM hash, determining the first three bytes with 0X1226DE
http://www.ietf.org/internet-drafts/draft-ietf-pppext-mschapv1-keys-00.txt .
If we replace RC-40 OFB with DES-40 CBC with the same provision, the new
DES-40 CBC will not be vulnerable to the same attack.

Ivars 

< -----Original Message-----
< From: Arnold G. Reinhold [mailto:[EMAIL PROTECTED]]
< Sent: Monday, July 12, 1999 4:26 PM
< To: Adam Back; [EMAIL PROTECTED]
< Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
< [EMAIL PROTECTED]
< Subject: DES vs RC4 -- A correction (Re: so why is IETF stilling adding
< DES to protocols?)
< 
< 
< At 1:29 PM -0400 7/1/99, I wrote:
< >
< >How much of an improvement 56 bit DES actually gives over the customary
< >implementation of "40-bit" RC4 is open to question.  Naively the difference
< >is 16 bits or a factor of 64K. However, as I understand it, the "40-bit"
< >RC4 is actually 128 bit RC4 with 88 bits of key revealed, effectively
< >serving as 88 bits of salt. But there is no way to use salt with DES, so a
< >search engine can easily test for many keys at the same time. For a
< >surveillance operation one could imagine searching against hundreds of keys
< >at once.
< >
< >Also I did a back-of-the-envelope estimate that suggests RC4 takes about
< >the same amount of silicon as DES for a custom logic search engine, but
< >runs about 200 times slower due to the key setup.  Together these effects
< >could eliminate most of that 64K improvement factor.
< >
< >It might be better to use "56-bit" RC4 (i.e. 128 bit with 72 bits revealed)
< >if this would still be exportable.
< >
< 
< I must retract part of what I wrote above. Using DES in feedback mode (e.g.
< CBC) along with a random or unique IV prevents the attack I described, with
< the IV providing essentially the same benefits as salt. Thus 56-bit DES-CBC
< should be a major improvement over "40-bit" RC4. On the other hand, I still
< contend DES-ECB would be a step backward. Does the IETF's DES proposal
< include feedback and a suitable IV?
< 
< I think there is some relevance here to the more political question of
< whether IETF should bless any DES implementation. Details matter. Well
< thought out and publicly reviewed standards are vital, even for weak
< encryption.
< 
< Arnold Reinhold
< 
< 
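
The keystream-reuse problem both messages refer to, shown as an added example that is not part of the original thread. It uses a textbook RC4 and the key layout described in the quoted message (40 secret bits plus 88 revealed bits acting as salt); it is not MPPE's actual key derivation, and the function names, keys, salts and plaintexts are constructed for illustration.

```python
# Added illustration: an RC4 key reused across two sessions (constant salt)
# versus a per-session salt. All keys, salts and plaintexts are constructed.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key schedule (KSA), then keystream XORed into data (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def session_key(secret40: bytes, salt88: bytes) -> bytes:
    """128-bit RC4 key = 40 secret bits + 88 revealed bits serving as salt."""
    if len(secret40) != 5 or len(salt88) != 11:
        raise ValueError("expected 5 secret bytes and 11 salt bytes")
    return secret40 + salt88

def leaks_plaintext_xor(secret40, salt_a, salt_b, p1, p2) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts,
    i.e. the keystream cancelled out because both sessions used the same key."""
    c1 = rc4(session_key(secret40, salt_a), p1)
    c2 = rc4(session_key(secret40, salt_b), p2)
    return xor(c1, c2) == xor(p1, p2)

SECRET = bytes.fromhex("0123456789")                     # constructed 40-bit secret
CONST_SALT = bytes(11)                                   # same salt every session
OTHER_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b")     # constructed unique salt
P1 = b"session one: user=alice"
P2 = b"session two: user=bob  "

if __name__ == "__main__":
    print("constant salt:", leaks_plaintext_xor(SECRET, CONST_SALT, CONST_SALT, P1, P2))
    print("unique salt:  ", leaks_plaintext_xor(SECRET, CONST_SALT, OTHER_SALT, P1, P2))
```

With a constant salt the two ciphertexts XOR to the XOR of the plaintexts without the key ever being recovered; a per-session salt (or, for a block cipher in CBC mode, a unique IV) removes that relationship.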
