Is AES better than RC4

Joseph Ashwood ashwood at msn.com
Wed May 24 19:15:29 EDT 2006


----- Original Message ----- 
From: "Ed Gerck" <edgerck at nma.com>
Subject: [!! SPAM] Re: Is AES better than RC4


> Joseph Ashwood wrote:

> SOP: discard first 100's of bytes

This is part of the lack of key agility.

>> Using it securely requires so much in the way of heroic efforts
>
> SOP: hash the key

There is far more to using RC4 securely than simply hashing the key. Hashing 
the key only prevents recovering the original key (to the limits of the hash 
used); it does not provide for anything close to all the heroic efforts. If 
you look at the design of SSL/TLS a very significant portion of the effort 
that has gone into design of the frame/cell/whatever they call them is 
specifically to address issues like those seen in RC4.

>> [Slow rekeying speed makes RC4] unusable for any system that requires 
>> rekeying.
>
> Code RC4 in a way that makes it easy.

You simply cannot code around the fact that the RC4 key processing is dog 
slow, and that even after the original keying design there is the necessity 
to discard the first several bytes of data. So just in the keying you have 
to deviate substantially from the original design.

>
>> Its only redeeming factors are that the cipher itself is simple to 
>> write, and once keyed it is fast.
>
> simple to code/verify is good for security too. This is a major
> point.

A Vigenère cipher is easier to code, we don't recommend it. Just as with a 
Vigenère cipher, building a secure protocol (even for storage) with RC4 
quickly becomes an arms race requiring heroic efforts on the design side 
along with huge amounts of compute cycles on the execution side to avoid a 
PFY with a laptop. The same amount of effort in design with AES leads to a 
simpler, more compact design of approximately the same speed. And exactly as 
Ed noted: "simple to ... verify is good for security too."

The truth is that because AES is so much simpler to build a secure protocol 
around the end result is actually easier to analyse.
                Joe 
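An added illustration of the two RC4 properties argued over above, the cost of keying versus generating keystream and the reason the first keystream bytes are discarded (example code written for this page, not from the thread or either author; the 16-byte random keys and the 40-byte record size are constructed assumptions, and the "Key"/"Plaintext" check is the widely published RC4 test vector):

```python
# Added example: minimal RC4 to show the key-agility cost and the early-byte bias.
import random
import time

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: 256 swaps per key, however short the key is."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S: list, n: int, drop: int = 0) -> bytes:
    """PRGA: emit n keystream bytes after discarding the first `drop` bytes."""
    i = j = 0
    out = bytearray()
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    ks = rc4_keystream(rc4_ksa(key), len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))

def second_byte_zero_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random keys whose 2nd keystream byte is 0 (ideal: 1/256)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))  # constructed keys
        if rc4_keystream(rc4_ksa(key), 2)[1] == 0:
            zeros += 1
    return zeros / trials

def rekey_cost_ratio(record_len: int = 40, drop: int = 256) -> float:
    """Time to rekey (KSA plus discard) relative to encrypting one record."""
    key = bytes(range(16))
    t0 = time.perf_counter()
    S = rc4_ksa(key)
    rc4_keystream(S, 0, drop)          # the "discard the first bytes" step
    t1 = time.perf_counter()
    rc4_keystream(S, record_len)       # keystream for one record, already keyed
    t2 = time.perf_counter()
    return (t1 - t0) / max(t2 - t1, 1e-9)
```

With enough random keys `second_byte_zero_rate` lands near 2/256 rather than 1/256, which is the kind of defect the discard convention papers over, and `rekey_cost_ratio` shows that keying plus discard costs many times more than the per-record keystream once records are short.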




