[Cryptography] RC4 again (actual security, scalability and other discussion)

Hanno Böck hanno at hboeck.de
Sat Mar 8 17:40:22 EST 2014


Simple question: Why do you want RC4?

Besides all the details, the situation is:
a) it may be possible to implement RC4 in a way that avoids all the
known attacks, BUT:
b) lots of cryptographers think RC4 is crap and attacks have a real
potential to get better. Rumors about realtime RC4 attacks are there.
c) we have alternatives.

From what I hear a lot of people have a very high opinion of salsa20 or
its successor chacha20. I have done some tests with openssh recently
which now supports both rc4 and chacha20. I am not sure if this is a
fair test as I don't know implementation details (maybe one is more
optimized than the other), but chacha20 is faster. Yes, it requires a
few more lines of code, but not that much.

So: Why? I mean, even if you can use RC4 in a way navigating around all
the known issues, you may do it wrong. You may learn tomorrow that
there's been a new attack on RC4. There already may be an attack you
don't know about.
Why not stay on the safe side and use a stream cipher everybody out
there thinks provides very high security?

Hanno Böck

mail/jabber: hanno at hboeck.de