From: Ian Jackson Date: Thu, 21 Feb 2013 15:49:53 +0000 (+0000) Subject: Use RC4-drop, not RC4 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=f5cf02c54821c02adcdaa5c88a33050fab5fea01;p=vbig.git Use RC4-drop, not RC4 RC4 is broken and is vulnerable to key recovery attacks. See http://en.wikipedia.org/wiki/RC4#Security Dropping the first 3072 bytes of the stream makes one of these attacks harder. This doesn't fix the problems with using RC4 but it is an improvement. These problems are probably theoretical right now because plausible contemporary threat models don't seem to involve the fake flash drive trying serious cryptanalysis on our datastream. Signed-off-by: Ian Jackson --- diff --git a/vbig.cc b/vbig.cc index 53ef6a5..1823dd3 100644 --- a/vbig.cc +++ b/vbig.cc @@ -192,6 +192,9 @@ static long long execute(mode_type mode, bool entire, const char *show) { setvbuf(fp, 0, _IONBF, 0); char generated[4096], input[4096]; long long remain = size; + static const size_t rc4drop = 3072; // en.wikipedia.org/wiki/RC4#Security + assert(rc4drop <= sizeof(generated)); + rng.stream(generated, rc4drop); while(remain > 0) { size_t bytesGenerated = (remain > (ssize_t)sizeof generated ? sizeof generated
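Review bot: the guard `assert(rc4drop <= sizeof(generated));` checks two compile-time constants at run time, and it disappears under `NDEBUG`, which is the build where an oversized `rc4drop` would silently overrun `generated` in `rng.stream(generated, rc4drop);`. Since both operands are constants, a build-time check is the better fit, e.g. `static_assert(rc4drop <= sizeof generated, "rc4drop must fit in the scratch buffer");` if C++11 is available, or the usual negative-array-size idiom otherwise; and if `assert` stays, the hunk does not show that `<cassert>` is included, so please confirm it is. A second point for the commit message rather than the code: because the drop is applied inside `execute()` regardless of `mode`, a device written with a pre-change build will no longer verify with this build (the keystream is offset by 3072 bytes); stating that compatibility break in the log would save users a confusing failure report.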