Closed Bug 32456 Opened 25 years ago Closed 24 years ago

Disable SSL RC2 ciphers

Categories

(Core :: Security: PSM, defect, P3)

Product:
Core
Component:
Security: PSM
Version:
1.0 Branch
Type:
defect

Tracking

()

Status:
VERIFIED WONTFIX

People

(Reporter: jgmyers, Assigned: jgmyers)

Details

(Whiteboard: [nsbeta3-])

Attachments

(1 file)

Proposed fix
6.51 KB, patch
Details | Diff | Splinter Review
The RC2 ciphers should be disabled by default. They are fairly suspect these days and are not needed for interoperability--anything that can do RC2 these days can also do RC4.
The more cryptanalysis a cipher algorithm has had, the safer it can be considered. Since RC2 was proprietary for much of its life, it was not subject to serious public review and cryptanalysis. By the time it was released to the public, the inventor had moved on to a new block cipher (RC5 and later RC6). At least one signficiant attack against the cipher has been documented in: J. Kelsey, B. Schneier, and D. Wagner, Related-Key Cryptanalysis of 3-WAY, Biham- DES, CAST, DES-X, NewDES, RC2, and TEA, ICICS '97 Proceedings, Springer-Verlag, November 1997, pp. 233-246. <http://www.counterpane.com/related-key_cryptanalysis.html> Backround on the cipher can be found in: L. Knudsen, V. Rijmen, R. Rivest, and M. Robshaw, On the Design and Security of RC2, FSE5, to appear. <http://www.ii.uib.no/~larsr/papers/rc2fseproc.ps.gz> This document indicates that at the time it was written (presumably recently), linear cryptanalysis of RC2 was not complete. Note that RC4 is necessary for pre-standard SSL (v3) interoperability. Unfortunately, RC2/40 is necessary for pre-standard S/MIME (v2) interoperability, but hopefully with the S/MIME (v3) standards, this can be phased out as well.
So I suggest we disable the SSL RC2 ciphers and leave the S/MIME RC2/40.
Summary: Disable RC2 ciphers → Disable SSL RC2 ciphers
Working on a patch.
Assignee: lord → jgmyers
Status: NEW → ASSIGNED
Attached patch Proposed fixSplinter Review
Keywords: nsbeta3
Adding the usual suspects for comments.
Should I also disable SMIME_RC2_CBC_128 ?
Until such time as someone published an actual finding that these ciphers are shown to be weak, I see no reason to disable them in NSS. Each product that uses NSS is, of course, free to enable or disable what ever cipher suites it wants.
This is not disabling them in NSS, this is disabling them by default in PSM. Users are able to reenable them by editing prefs.js.
...and the finding that these ciphers are weak against related key attacks is mentioned previously in this bug.
I oppose disabling them by default in PSM.
What are the reasons behind your opposition?
For the same reason Lord chose to disable TLS in this release of PSM. Do not deliberately reduce interoperability.
Interoperability with what? Do you know of any servers which support RC2 but not RC4?
We didn't know of any servers that implemented SSL3 roll-back detection incorrectly, and hence were incompatible with TLS/SSL3 clients, until we implemented TLS and it started getting used. I think we need a stronger reason to remove functionality from PSM than a few people don't like it. When there's a call in the ietf-TLS mailing list to deprecate it, and it's widely agreed, then... If I had prioritize things to be discontinued, I'd put SSL2 at the head of the list.
So after looking at Schneier's paper, I don't think we should disable Rc2 by default until we have UI to turn it back on. Related key attacks require that the attack can either predict the key or choose the key. and force the related keys to encrypt the same cipher text. SSL keys are generated using basically a prng. The RC2 attack requires choosing related keys of the form k=(x0, x1 ...,x63) and K'= (x0', x1, ..., x63'), that is the first and last bytes different. That can't easily be forced in the prng. In addition SSL does not encrypt the same cipher text. Even if you request the same page over and over, SSL adds salt to the encrypted text. S/MIME can encrypt the same text over and over again (by sending the same message), but to attack it you would have to convince the sender to generate the key by some trivial algorithm. The related key attack is serious enough I'd never add RC2 as a new cipher, but it's use in S/MIME or SSL is not necessarily insecure. bob
After reading through the bug, your comments lead me to the conclusion that this is not essential for shipping? Is this so? Marking nsbeta3- on the assumption it is. Feel free to clear for reconsideration.
Whiteboard: [nsbeta3-]
Changing QA contact to nitinp
QA Contact: lord → nitinp
Mass reassigning nitinp's bugs to me.
QA Contact: nitinp → junruh
Setting to Wontfix. Users can now turn off SSL2 in the Security Manager UI if they wish. Also, I see no need to deliberately reduce interoperability, and to quote nelsonb on 8/9/00, "Until such time as someone publishes an actual finding that these ciphers are shown to be weak, I see no reason to disable them..."
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WONTFIX
Verified wontfix.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Is there a GUI to disable SMIME RC2?
Version: psm1.1 → 1.0 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: