[Cryptography] RC4 again (actual security, scalability and other discussion)

Tom Mitchell mitch at niftyegg.com
Mon Mar 10 02:36:53 EDT 2014


On Sat, Mar 8, 2014 at 7:30 PM, Bill Cox <waywardgeek at gmail.com> wrote:

> On Sat, Mar 8, 2014 at 7:39 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
> > On Sat, Mar 8, 2014 at 3:58 PM, James A. Donald <jamesd at echeque.com>
> wrote:
> >> On 2014-03-08 20:57, Miroslav Kratochvil wrote:
> >>>
> >>>  From all sources I have ever seen I can say that RC4 itself is not
> >>> broken.
>
.....

> >> Arc4 is not broken.  It has known weaknesses, and must be used
> correctly in
> >> the light of these known weaknesses.  It frequently is not used
> correctly.
> >
> > Sorry, the bytes out of RC4 are not IID. This means an RC4 encrypted
> > plaintext reveals information to an attacker. This has been known
> > since 2000 when Fluhrer and McGrew published on this subject.
> >
>
......

> Your opinion matches that of many academic security people, but
>
......

> So, I agree with you that ARC4 should no longer be used, just for
> different reasons.
>

Interesting good stuff above mostly snipped.

I might note that "no longer be used" is too strong
in this case.  Perhaps replaced with AES, long key RSA
or something else.... in a time frame.

"No longer be used" falls in the category where ssh and friends
were so badly broken that telnet and passwords in the clear on the
wire were safer, as was the situation a decade or more back.

Perhaps "plan to replace in N months".

I only say this because when folk run from something (driven by FUD) they
tend to herd like lemmings and too many fall off the cliff.

In my mind the single problem with encryption is that it
is not used enough.   There are now two classes of messages
flowing and the minority by far is encrypted.

Better to use vim -x with the address of this list as a key
sort of thing.  As a minimum the "listeners" would have to
do the moral equivalent of steaming open all the letters.
Today we are living in a postcard world.

Technologically we need the equivalent of a plain brown
wrapping paper.






-- 
  T o m    M i t c h e l l