[Cryptography] RC4 again (actual security, scalability and other discussion)

Bill Cox waywardgeek at gmail.com
Sat Mar 8 22:30:06 EST 2014


On Sat, Mar 8, 2014 at 7:39 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
> On Sat, Mar 8, 2014 at 3:58 PM, James A. Donald <jamesd at echeque.com> wrote:
>> On 2014-03-08 20:57, Miroslav Kratochvil wrote:
>>>
>>>  From all sources I have ever seen I can say that RC4 itself is not
>>> broken. I'm usually proving and explaining that fact to everyone quite
>>> successfully, but it's always better if you ask someone else about his
>>> opinion. That is, as you can now probably see, roughly the whole purpose
>>> of this post. If you find any errors in following statements, please
>>> report them.
>>
>>
>> Arc4 is not broken.  It has known weaknesses, and must be used correctly in
>> the light of these known weaknesses.  It frequently is not used correctly.
>
> Sorry, the bytes out of RC4 are not IID. This means an RC4 encrypted
> plaintext reveals information to an attacker. This has been known
> since 2000 when Fluhrer and McGrew published on this subject.
>
> Sincerely,
> Watson Ladd

Your opinion matches that of many academic security people, but for
the more practical coders among us who just want real-world security,
ARC4 has been just fine for most of these years since 2000.  Just
being able to tell that 1GiB of data was most likely generated by ARC4
is interesting, but in applications where it is already known that the
encryption is ARC4 by everyone, this is a non-issue  (for example
encrypting a file with a .arc4 suffix is pretty obvious).  That number
has come down a lot from 1GiB since 2000, but it's still a non-issue.

The recent attacks on RC4 scare me a lot more than these efforts to
detect what algorithm generated the data stream.  It's not a complete
attack yet, and ARC4 remains secure currently for many applications,
but now I am concerned that ARC4 may be actually broken in the not too
distant future, and that it may already be broken in government crypto
agencies.  Of course, academics will cringe at my use of the
phrase broken, since many feel an encryption algorithm is broken once
its output can be detected as non-random.  That's just nonsense.  An
algorithm is only broken when an attacker can decrypt stuff.

So, I agree with you that ARC4 should no longer be used, just for
different reasons.

Bill
