From: hartmans@MIT.EDU (Sam Hartman)
To: krb5-bugs@mit.edu
Cc: kenh@mit.edu
Subject: SAM uses RC4 insecurely
Date: Fri, 8 Nov 2002 00:31:00 -0500 (EST)
Message-Id: <20021108053100.BEA3A152120@konishi-polis.mit.edu>

Hi.

The definition of dr in src/lib/crypto/combine_keys.c mishandles the rc4 enctype. In particular, it will encrypt the constant using rc4 directly in the long-term key. No cipher state is used for rc4, so the rc4 PRNG is always positioned at the same point in the cipher stream. Effectively, for rc4, dr(k, c) is c^rc4(k). That's problematic because:

dr(k,c1)^dr(k,c2) = c1^rc4(k)^rc4(k)^c2 = c1^c2

So if you know c1, c2 and dr(k,c1) you can find out the first few bits of rc4(k).

I have not yet worked through the implications of this for combine-keys, but it becomes clear to me that:

* dr must be defined per crypto-system
* The current dr for rc4 is unacceptable even if combine-keys ends up being secure
* If SAM is going to use dr, it must be required to be defined for each crypto system.

If these problems are not fixed by the 1.3 release, the SAM changes must be backed out.
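The algebra in the report, as an added example that is not part of the original message or of the krb5 source: a toy model of the stateless-RC4 dr, the check showing that the key cancels out of dr(k,c1)^dr(k,c2), and, as an assumed alternative (not the definition krb5 adopted), a keyed PRF for which the cancellation does not happen. The key and constants are constructed sample values.

```python
import hmac
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4 (KSA then PRGA), returning the first n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dr_stateless_rc4(key: bytes, constant: bytes) -> bytes:
    """Model of the flawed dr: the constant is encrypted with RC4 started from a
    fresh cipher state every time, so every constant sees the same keystream prefix."""
    return xor(constant, rc4_keystream(key, len(constant)))

def leaks_constant_xor(key: bytes, c1: bytes, c2: bytes) -> bool:
    """The report's identity: dr(k,c1) ^ dr(k,c2) == c1 ^ c2, independent of k."""
    return xor(dr_stateless_rc4(key, c1), dr_stateless_rc4(key, c2)) == xor(c1, c2)

def keystream_prefix_from_known_constant(key: bytes, c1: bytes) -> bytes:
    """Knowing c1 and dr(k,c1) gives the first len(c1) bytes of rc4(k)."""
    return xor(dr_stateless_rc4(key, c1), c1)

def dr_prf(key: bytes, constant: bytes) -> bytes:
    """Assumed alternative derivation (HMAC-SHA1 as a keyed PRF), not krb5's dr:
    outputs for different constants are independent, so nothing cancels."""
    return hmac.new(key, constant, hashlib.sha1).digest()[:len(constant)]

def prf_does_not_leak(key: bytes, c1: bytes, c2: bytes) -> bool:
    return xor(dr_prf(key, c1), dr_prf(key, c2)) != xor(c1, c2)

if __name__ == "__main__":
    k, c1, c2 = b"constructed-long-term-key", b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"
    print("stateless rc4 dr leaks c1^c2:", leaks_constant_xor(k, c1, c2))
    print("keyed-PRF dr leaks c1^c2:   ", not prf_does_not_leak(k, c1, c2))
```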