On Wed, 2005-08-24 at 22:32 -0400, Mrs. Brisby wrote:
> > There are several attacks that can be used to derive the original key 
> > state, but they all require huge samples of data to analyze.
> 
> No they don't. That's the problem. They only need a large number of
> _uses_ of the key, not large amounts of data. Adding some random junk to
> the beginning of the plaintext would help some, but I don't think SQLite
> does this.
> 

RC4 is a pseudorandom number generator (PRNG) against which the
plaintext is XORed to yield cyphertext.  Weaknesses in RC4 have been
found where the first few numbers coming out of the PRNG leak
information about the key.  If an attacker can guess the first few
bytes of plaintext, and hence guess the first few numbers from the
PRNG, and can do this many, many times (millions of times), then the
attacker can eventually reconstruct the key.

The usual defense against this attack (and the one used by SQLite)
is to discard the first 1000 bytes or so of information coming out
of the PRNG.  No key information leaks into later bytes of the
PRNG stream (at least as far as we know) so this secures the cypher
from attack.

-- 
D. Richard Hipp <[EMAIL PROTECTED]>
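To make the mechanism concrete, here is an added illustration (not SQLite's code and not from this thread) of RC4 keystream generation with the keystream-drop defence described above; the drop count of 1024 is an assumption standing in for the "1000 bytes or so" mentioned, and the test vectors are the widely published ones for the keys "Key" and "Wiki".

```python
"""RC4 with an optional keystream drop (the defence described in the thread).

Added example, not SQLite's implementation.  DROP_DEFAULT is an assumed
value in the spirit of "the first 1000 bytes or so".
"""
from itertools import islice
from typing import Iterator

DROP_DEFAULT = 1024  # assumed drop count; SQLite's exact figure is not given


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 PRNG output bytes for `key`, one at a time, forever."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def keystream_prefix(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return the first `n` keystream bytes after discarding `drop` of them."""
    ks = rc4_keystream(key)
    return bytes(islice(ks, drop, drop + n))


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR `data` with the keystream, skipping the first `drop` bytes.

    drop=0 is plain RC4 (the leaky first bytes are used directly);
    drop=DROP_DEFAULT is the hardened variant. Encryption and decryption
    are the same operation, so the same call recovers the plaintext.
    """
    ks = rc4_keystream(key)
    for _ in range(drop):          # throw away the key-revealing prefix
        next(ks)
    return bytes(b ^ k for b, k in zip(data, ks))
```

Dropping the prefix only addresses the key leakage from early keystream bytes; it does nothing against reusing the same key (and therefore the same keystream) for two different messages, which is a separate weakness of any stream cipher.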
