[Cryptography] RC4 again (actual security, scalability and other discussion)

Miroslav Kratochvil exa.exa at gmail.com
Wed Mar 12 05:29:35 EDT 2014

I have been an ARC4-DROP fan for years.  I wrote the "TinyCrypt"

> project (on SourceForge) to encrypt files with it years ago when it
> was hard to even find a simple file encryption program.  I felt it was
> secure enough up until last year when the Royal Holloway attack was
> published:
>     http://en.wikipedia.org/wiki/RC4#Royal_Holloway_attack
> As they say on Wikipedia, it's not a practical attack yet, but it
> looks scary.  That combined with rumors that the NSA has broken ARC4
> are enough for me to no longer use my own TinyCrypt ARC4 based code.
Great to hear about TinyCrypt :] Mine is called Codecrypt, here

I'm actually not sure if I got the Holloway attack right - from all sides I
seen it it looks just like another statistical attack that can be made
arbitrarily inplausible by increasing the DROP parameter. If I'm wrong,
please correct me.

> The Snowden leaks, if I'm not mistaken, seem to imply that AES is
> secure, even against the NSA.  It's even simpler to use AES from the
> openssl library than to code ARC4.

Just opinions --

I kindof dislike OpenSSL development method (it's not really transparent
and organized enough for the most-used crypto library in the world). But
that's my opinion :]

About Snowden... AFAIK, he implied that there is properly implemented
strong cryptography that is reliable. Rumors have already been around that
"strong cryptography" doesn't include RSA-2048...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140312/f3f49ede/attachment.html>

More information about the cryptography mailing list