At 6:12 PM -0500 2/10/03, Steven M. Bellovin wrote:
...In message <b295ds$l66$[EMAIL PROTECTED]>, David Wagner writes:Trei, Peter wrote:The weird thing about WEP was its choice of cipher. It used RC4, a stream cipher, and re-keyed for every block. . RC4 is not really intended for this application. Today we'd have used a block cipher with varying IVs if neccessaryI suspect that RC4 was chosen for other reasons - ease of export, smallness of code, or something like that. It runs fast, but rekeying every block loses most of that advantage.It's hard to believe that RC4 was chosen for technical reasons. The huge cost of key setup per packet (equivalent to generating 256 bytes of keystream and then throwing it away) should dominate the other potential advantages of RC4.I'm not sure you're right. While 40-50% of packets are about 40 bytes long -- see http://www.nlanr.net/NA/Learn/packetsizes.html for some older statistics -- most *bytes* are carried by larger packets. From that same site, about 75% of the bytes are carried by packets over 500 bytes long. A quick awk script suggests that given that packet size distribution, the total workload to use WEP-style encryption is about double the number of bytes. The overhead is thus substantial -- but RC4's cost per byte is quite low, so it was probably a net win. Other studies suggest that LAN packet size distribution is somewhat different, with more large packets; that would lower the overhead.
It's worth remembering that the original WEP used 40 bit keys. For some time, RC4 with 40 bit keys was the only crypto system that could be exported without a license. It's hard for me to believe that export concerns were not the primary factor in the initial choice of RC4.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
