[Cryptography] RC4 again (actual security, scalability and other discussion)

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Sun Mar 9 01:58:18 EST 2014


On 2014-03-08, 11:57, Miroslav Kratochvil wrote:
> I've used RC4 quite extensively in one of my projects, for it is a
> "best fit" - wonderfully simple, and secure if used correctly. Since
> that, I have been experiencing reluctant comments from all sides of
> users, cryptographers, programmers and so, all of which had the
> common "RC4 is broken, is it not?" part. This opinion is generally
> supported by all "first-google" sources that can be found about RC4,
> led by wikipedia that has sources that "argue against its use in new
> systems". That's quite FUD.

"Secure if used correctly" is my main gripe with it.

Despite all the other concerns mentioned by other posters, the RC4 API
gives no indication that you, the programmer, have to manually discard
the first few thousand bits of output. RC4 is to this extent more
difficult to use correctly than, say, ChaCha20 (even though ChaCha20 is
so new that it might well have other flaws that we don't yet know about;
I'm using it merely as an illustrative example).

Given that most crypto code will not be written by crypto specialists,
and also given the wonderful apparent simplicity of its API (also
mentioned by you), RC4 is a natural candidate for an unsafe
implementation in many applications.

So I'd second the argument against RC4 in new systems.

Fun,

Stephan

