[9693] in cryptography@c2.net mail archive


Re: RC4 [was: RE: Passport Passwords Stored in Plaintext]

daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Oct 21 22:26:10 2001

Date: Sun, 21 Oct 2001 17:52:10 -0400
From: Adam Shostack <adam@homeport.org>
To: jamesd@echeque.com
Cc: "Trei, Peter" <ptrei@rsasecurity.com>,
	Ray Dillinger <bear@sonic.net>, metaphone@eudoramail.com,
	mac-crypto@vmeng.com, cryptography@wasabisystems.com,
	coderpunks@toad.com, dcsb@ai.mit.edu,
	"R. A. Hettinga" <rah@shipwright.com>
Message-ID: <20011021175209.A21882@weathership.homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <3BC4F678.26049.47B1E@localhost>

On Thu, Oct 11, 2001 at 01:31:36AM -0700, jamesd@echeque.com wrote:
| On 8 Oct 2001, at 11:37, Ray Dillinger wrote:
| > In which case, what you've got isn't RC4 anymore
| 
| You do not understand encryption.
| 
| RC4 is an encryption method, that needs to be part of a
| protocol.  The protocol can be designed correctly or
| incorrectly, but either way it is still a protocol that uses
| RC4.
| 
| In the usual protocols that contain RC4, each session has a
| new transient session key.  The fact that RC4 leaks a small
| amount of information about that session key is unimportant
| in such protocols.
| 
| RC4 is like a brick that can be used to build a house.

I'd say that RC4 is like one of those cool, semi-opaque glass bricks.
Not in the sense that it is weak (you can put quite a bit of load on a
wall of those) but in the sense that it is different than your typical
dried-mud sort of brick.  Designing protocols is a hard field, and
there seem to be lots of mistakes made when people use RC4.  Is that
because it's a bad cipher?  No, it's because people aren't used to
working with it.  Because of that, I tend to look askew at RC4-based
systems.

Adam




-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
