

Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS - ctz
http://www.isg.rhul.ac.uk/tls/RC4mustdie.html

======
mmebane
Is this the Bar Mitzvah attack [1]? Or something else entirely?

EDIT: After a quick skim of this paper, I didn't see anything about passive
eavesdropping, so I'm assuming this is another new attack.

[1]: [https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-attack-breaking-ssl-with-13-year-old-rc4-weakness](https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-attack-breaking-ssl-with-13-year-old-rc4-weakness)

~~~
bradleyjg
I'm not sure what the Bar Mitzvah attack is exactly; that link is kind of
vague.

This paper is based on the statistical biases of pairs of bytes in the output
stream of RC4, which they credit originally to Fluhrer and McGrew in this
paper from 2000:
[http://www.mindspring.com/~dmcgrew/rc4-03.pdf](http://www.mindspring.com/~dmcgrew/rc4-03.pdf)

Their main contribution is to combine reasonable guesses about the nature of
the plaintext with the biases in the cyphertext to improve the time to
recover. They also extend the state of knowledge about the byte pair biases in
the early keystream.

~~~
mmebane
My first thought was that the authors may have independently discovered the
same flaw that is going to be presented at Black Hat Asia, but the paper does
seem to be "getting more out of existing weaknesses" and not "publishing new
attacks", which is what the Black Hat abstract promises.

------
acveilleux
The attack requires too many sessions to use against a user's IMAP mailbox (or
similar) but is entirely possible in automated APIs.

