[Cryptography] RC4 again (actual security, scalability and other discussion)

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Mon Mar 10 14:21:49 EDT 2014


On 2014-03-10, 11:25, ianG wrote:
> Yup.  We would have been better off if they'd stuck to 40 bit crypto in
> 1994 and covered 100% of the web.  It's relatively easy to upgrade from
> 40 bit to 128 bit.

I'm not so sure. RC4 is really nice in that it doesn't have to have
length expansion. Once you try to substitute, say, AES in the mode du
jour, some length expansion will occur through the IV and perhaps
through padding. That may sound trivial, but it's not for a programmer
that really doesn't have to change anything about his or her program
other than to substitute the block of plaintext with a block of
(random-looking) ciphertext.

But I agree with you, it's real easy to upgrade from properly
implemented single-DES-CBC (say) to AES-CBC because all the machinery
for handling IVs and length expansion etc is already in place. But the
lure of RC4 is precisely that one can get away with not having this
machinery.

If you do all the voodoo correctly, RC4 may be a fine cipher, but if you
don't, you end up with a program where the substitution of AES-CBC, say,
for RC4 isn't as easy as one might think.

Fun,

Stephan
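As an added illustration of the length-expansion point above (example code, not part of the original post), the following Python encrypts a fixed-size record field with RC4, which leaves its size unchanged, and computes how many bytes the same field would occupy under AES-CBC framing with an IV and PKCS#7 padding; the key, field and block size are constructed sample values.

```python
"""Length expansion: stream cipher vs. AES-CBC framing.

RC4 produces ciphertext = plaintext XOR keystream, so a program can
overwrite an n-byte plaintext field with exactly n bytes of ciphertext.
AES-CBC needs a prepended IV and PKCS#7 padding, so the surrounding
program has to make room for extra bytes.  RC4 appears here only to
demonstrate that framing property; its keystream biases make it unfit
for new designs.
"""

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling (KSA) then the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation); len(output) == len(data)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def cbc_framed_len(n: int, block: int = 16) -> int:
    """Bytes an AES-CBC record occupies with a prepended IV and PKCS#7
    padding.  A whole pad block is appended when n is already aligned."""
    pad = block - (n % block)
    return block + n + pad

def fits_in_place(n: int, stream_cipher: bool, block: int = 16) -> bool:
    """Can the ciphertext overwrite the original n-byte field?"""
    needed = n if stream_cipher else cbc_framed_len(n, block)
    return needed <= n

if __name__ == "__main__":
    key = b"constructed-sample-key"      # constructed, not a real secret
    field = b"balance=00001234"          # constructed 16-byte record field
    ct = rc4_crypt(key, field)
    print("RC4:", len(field), "->", len(ct), "bytes, fits:",
          fits_in_place(len(field), True))
    print("AES-CBC:", len(field), "->", cbc_framed_len(len(field)),
          "bytes, fits:", fits_in_place(len(field), False))
```

The RC4 routine reproduces the published "Key"/"Plaintext" test vector, and the CBC accounting shows that even an exactly block-aligned 16-byte field grows to 48 bytes once an IV and a full padding block are added.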

