Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
RFC 4345
Document | Type |
RFC - Proposed Standard
(January 2006; Errata)
Status changed by status-change-ssh-arcfour-to-historic
Was draft-harris-ssh-arcfour-fixes (individual in sec area)
|
|
---|---|---|---|
Author | Ben Harris | ||
Last updated | 2015-10-14 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 4345 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Sam Hartman | ||
Send notices to | (None) |
Network Working Group B. Harris Request for Comments: 4345 January 2006 Category: Standards Track Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document specifies methods of using the Arcfour cipher in the Secure Shell (SSH) protocol that mitigate the weakness of the cipher's key-scheduling algorithm. 1. Introduction Secure Shell (SSH) [RFC4251] is a secure remote-login protocol. It allows for the use of an extensible variety of symmetric cipher algorithms to provide confidentiality for data in transit. One of the algorithms specified in the base protocol is "arcfour", which specifies the use of Arcfour (also known as RC4), a fast stream cipher. As [RFC4253] says, though, "Arcfour (and RC4) has problems with weak keys, and should be used with caution." These problems are described in more detail in [MANTIN01], along with a recommendation to discard the first 1536 bytes of keystream so as to ensure that the cipher's internal state is thoroughly mixed. This document specifies new cipher algorithms for SSH that follow this recommendation. 2. Conventions Used in this Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Harris Standards Track [Page 1] RFC 4345 Improved Arcfour Modes for SSH January 2006 3. Applicability Statement Implementations of Arcfour are typically slightly faster and much smaller than those of any other encryption algorithm currently defined for SSH. This must be balanced, though, against the known security problems with Arcfour described in Section 5. In most cases, where speed and code size are not critical issues, the algorithms specified by [RFC4344] should be used instead. 4. Algorithm Definitions The "arcfour128" algorithm is the RC4 cipher, as described in [SCHNEIER], using a 128-bit key. The first 1536 bytes of keystream generated by the cipher MUST be discarded, and the first byte of the first encrypted packet MUST be encrypted using the 1537th byte of keystream. The "arcfour256" algorithm is the same, but uses a 256-bit key. 5. Security Considerations The security considerations in [RFC4251] apply. The discarded bytes of keystream MUST be kept secret and MUST NOT be transmitted over the network. The contents of these bytes could reveal information about the key. There are two classes of attack on Arcfour described in [MIRONOV]. Strong distinguishers distinguish an Arcfour keystream from randomness at the start of the stream and are defended against by the algorithm defined in this document. Weak distinguishers can operate on any part of the keystream, and the best ones, described in [FMcG] and [MANTIN05], can use data from multiple, different keystreams. A consequence of this is that encrypting the same data (for instance, a password) sufficiently many times in separate Arcfour keystreams can be sufficient to leak information about it to an adversary. It is thus RECOMMENDED that Arcfour (either in the form described here or that described in [RFC4251]) not be used for high-volume password- authenticated connections. 6. IANA Considerations The IANA has assigned the Encryption Algorithm Names "arcfour128" and "arcfour256" in accordance with [RFC4250]. Harris Standards Track [Page 2] RFC 4345 Improved Arcfour Modes for SSH January 2006 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) Protocol Assigned Numbers", RFC 4250, January 2006. [RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Protocol Architecture", RFC 4251, January 2006. [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, January 2006 [RFC4344] Bellare, M., Kohno, T., and C. Namprempre, "The Secure Shell (SSH) Transport Layer Encryption Modes", RFC 4344,Show full document text