On Wed, 2005-08-24 at 22:55 -0400, D. Richard Hipp wrote:

> Weaknesses in RC4 have been found where
> the first few numbers coming out of the PRNG leak information about the
> key. If an attacker can guess the first few bytes of plaintext, and
> hence guess the first few numbers from the PRNG, and can do this many
> many times (millions of times) then the attacker can eventually
> reconstruct the key.

I noticed this. You understate how much it helps. The first few cycles of RC4 are so bad that key recovery is easy for modern general-purpose computers.

> The usual defense against this attack (and the one used by SQLite)
> is to discard the first 1000 bytes or so of information coming out
> of the PRNG. No key information leaks into later bytes of the
> PRNG stream (at least as far as we know) so this secures the cypher
> from attack.

It doesn't need to leak information about the key. A combination known-plaintext and known-ciphertext attack works very well against RC4.

http://groups.google.com/group/sci.crypt/browse_frm/thread/2716ac20a3fc9971/64eba041932a98ae?lnk=st&rnum=1&hl=en

Since the header is well known, convincing the program to encrypt the database (by, say, making a change to it) several times allows the user to collect some known-plaintext and lots of ciphertext very quickly.

The usual defense against this attack is to mix some random information into the beginning of the plaintext. A better defense: use a different key each time. Encrypt the session key separately.
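The following is an added example, not code from the thread, from SQLite or from either poster. It implements RC4 with the "discard the first 1000 bytes or so" defence and then shows the point of the reply: with one fixed key, two encryptions of a database file share a keystream, so an observer who knows only the file's fixed header learns which bytes changed between versions and can turn known plaintext from one version into decrypted bytes of the other, no key recovery required. Beside it is the per-write session key the reply recommends, with the session key stored encrypted under a key derived from the master key and a fresh random salt. The file layout, the salt length, the SHA-256 derivation step and the sample records are assumptions made for this example.

```python
"""Keystream reuse in fixed-key RC4 and a per-write session key as the fix.

Added example for the thread above; not SQLite's or either poster's code.
The file layout, the record contents and the keys are constructed here.
"""
import hashlib
import os

# Real SQLite 3 files begin with this 16-byte magic string, so the first
# bytes of any plaintext database are known to everyone (the "well known header").
KNOWN_HEADER = b"SQLite format 3\x00"


def rc4_keystream(key: bytes, n: int, drop: int = 1024) -> bytes:
    """Return n keystream bytes after discarding the first `drop` bytes
    (the RC4-drop defence the quoted text describes)."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    out = bytearray()
    for step in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if step >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 1024) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_fixed_key(master_key: bytes, plaintext: bytes) -> bytes:
    """Weak scheme: every write of the file reuses the same keystream."""
    return rc4_crypt(master_key, plaintext)


def encrypt_session_key(master_key: bytes, plaintext: bytes) -> bytes:
    """Fix from the reply: a fresh random session key per write, stored
    encrypted under a wrapping key derived from the master key and a random
    salt.  Constructed layout: salt(16) || wrapped_session_key(16) || body."""
    salt = os.urandom(16)
    session_key = os.urandom(16)
    wrap_key = hashlib.sha256(master_key + salt).digest()  # assumption: KDF step
    wrapped = rc4_crypt(wrap_key, session_key)
    return salt + wrapped + rc4_crypt(session_key, plaintext)


def decrypt_session_key(master_key: bytes, blob: bytes) -> bytes:
    salt, wrapped, body = blob[:16], blob[16:32], blob[32:]
    wrap_key = hashlib.sha256(master_key + salt).digest()
    session_key = rc4_crypt(wrap_key, wrapped)
    return rc4_crypt(session_key, body)


def changed_positions(c1: bytes, c2: bytes) -> list:
    """What an observer learns from two ciphertexts: the positions where they
    differ.  Under a reused keystream c1 ^ c2 == p1 ^ p2, so this is exactly
    the set of plaintext bytes that changed between the two versions."""
    return [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]


def decrypt_with_known_plaintext(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Known plaintext in one ciphertext yields keystream bytes; if the other
    ciphertext reused that keystream, the same positions decrypt directly."""
    ks = xor_bytes(c_known[: len(p_known)], p_known)
    return xor_bytes(c_other[: len(ks)], ks)


def demo() -> dict:
    """Two versions of a constructed database file, encrypted both ways."""
    master = b"constructed-master-key"
    v1 = KNOWN_HEADER + b"balance=100;owner=alice" + bytes(40)
    v2 = KNOWN_HEADER + b"balance=999;owner=alice" + bytes(40)
    c1, c2 = encrypt_fixed_key(master, v1), encrypt_fixed_key(master, v2)
    s1, s2 = encrypt_session_key(master, v1), encrypt_session_key(master, v2)
    return {
        # fixed key: only the three edited digits differ; header of v2 falls out
        "fixed_changed": changed_positions(c1, c2),
        "fixed_header_from_c2": decrypt_with_known_plaintext(c1, KNOWN_HEADER, c2),
        # session key: the ciphertext diff is noise and known plaintext transfers nothing
        "session_changed_count": len(changed_positions(s1[32:], s2[32:])),
        "session_header_from_s2": decrypt_with_known_plaintext(s1[32:], KNOWN_HEADER, s2[32:]),
        "session_roundtrip_ok": decrypt_session_key(master, s1) == v1,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Under the fixed key, `changed_positions` pinpoints the edited bytes and the header known from version 1 decrypts the same bytes of version 2, which is what "known-plaintext plus lots of ciphertext" buys an observer without touching the key. With a session key per write the two bodies are under unrelated keystreams, so the XOR of the ciphertexts carries no information about the plaintexts. Dropping the first 1024 keystream bytes changes none of this, which is the reply's point.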