<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sat, Mar 8, 2014 at 7:30 PM, Bill Cox <span dir="ltr"><<a href="mailto:waywardgeek@gmail.com" target="_blank">waywardgeek@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Sat, Mar 8, 2014 at 7:39 PM, Watson Ladd <<a href="mailto:watsonbladd@gmail.com">watsonbladd@gmail.com</a>> wrote:<br>
> On Sat, Mar 8, 2014 at 3:58 PM, James A. Donald <<a href="mailto:jamesd@echeque.com">jamesd@echeque.com</a>> wrote:<br>
>> On 2014-03-08 20:57, Miroslav Kratochvil wrote:<br>
>>><br>
>>> From all sources I have ever seen I can say that RC4 itself is not<br>
>>> broken. <br></div></blockquote><div>..... </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">
>> Arc4 is not broken. It has known weaknesses, and must be used correctly in<br>
>> the light of these known weaknesses. It frequently is not used correctly.<br>
><br>
> Sorry, the bytes out of RC4 are not IID. This means an RC4 encrypted<br>
> plaintext reveals information to an attacker. This has been known<br>
> since 2000 when Fluhrer and McGrew published on this subject.<br>
><br></div></blockquote><div>......</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You're opinion matches that of many academic security people, but<br></blockquote>
<div>...... </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So, I agree with you that ARC4 should no longer be used, just for<br>
different reasons.<br></blockquote><div><br></div><div>Interesting good stuff above mostly snipped.</div><div><br></div><div>I might note that "no longer be used" is too strong</div><div>in this case. Perhaps replaced with AES. long key RSA</div>
<div>or something else.... in a time frame.</div><div><br></div><div>"No longer be used" falls in the category where ssh and friends</div><div>were so badly broken that telnet and passwords in the clear on the </div>
<div>wire was safer as was the situation a decade or more back. </div><div><br></div><div>Perhaps "plan to replace in N months".</div><div><br></div><div>I only say this because when folk run from something (driven by FUD) they</div>
<div>tend to herd like lemmings and too many fall of the cliff.</div><div><br></div><div>In my mind the single problem with encryption is that it</div><div>is not used enough. There are now two classes of messages</div>
<div>flowing and the minority by far is encrypted.</div><div><br></div><div>Better to use vim -x with the address of this list as a key</div><div>sort of thing. As a minimum the "listeners" would have to</div><div>
do the moral equivalent of steaming open all the letters.</div><div>Today we are living in a postcard world.</div><div><br></div><div>Technologically we need the equivalent of a plain brown</div><div>wrapping paper. </div>
<div><br></div><div><br></div><div><br></div><div><br></div></div><br clear="all"><div><br></div>-- <br><div dir="ltr"> T o m M i t c h e l l</div>
</div></div>