RC4; no thanks

From this site, we have occasionally mentioned how unreliable the algorithm used by RC4 (Rivest Cipher 4) for encryption. Apparently, researchers they completely agree.

Belgian researchers preparing for the Usenix Security Symposium to be held in Washington in August estimate that they can decipher encrypted cookies with RC4 within 75 hoursPDF).security phishing RC4

Mathy Vanhoef and Frank Piessens of the University of Leuven investigated websites using TLS with RC4, as well as Wi-Fi with WPA-TKIP encryption.

As they explain, the weakness of RC4 is based on the bias of the RC4 keystream. The bias was already known, and that's why major companies like Microsoft criticize encryption with Rivest Cipher 4. But what else did researchers Vanhoef and Piessens do?

For HTTPS sessions secured by TLS using encryption Rivest Cipher 4, researchers estimate that they can "decrypt a secure cookie with a 94% success rate using 9 × 227 cyphertexts".

To break TLS/HTTPS security, Belgian researchers introduced known around the cookie, “we broke it using ABSAB bias of Mantin, and by brute-forcing the cookie from a plain-text… we were able to execute an attack within 75 hours “.

“If we were to add a JavaScript code to the program of the victim, "we would be able to carry out the attack ... in just 52 hours."

With WPA-TKIP things get worse. The investigators' attack can be "executed within an hour":

"To break WPA-TKIP we will present a method that produces a large number of identical packages. This package is decrypted by creating plaintext, and using the unnecessary package structure you can remove bad candidates. From the decrypted package we derive the TKIP MIC key, which can be used to inject and decrypt packets ”.

 

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by Dimitris

Dimitris hates on Mondays .....

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).