----- Original Message -----
From: "Ed Gerck" <[EMAIL PROTECTED]>
Subject: [!! SPAM] Re: Is AES better than RC4

Joseph Ashwood wrote:

SOP: discard first 100's of bytes

This is part of the lack of key agility.

Using it securely requires so much in the way of heroic efforts

SOP: hash the key

There is far more to using RC4 securely than simply hashing the key. Hashing the key only prevents recovering the original key (to the limits of the hash used); it does not provide for anything close to all the heroic efforts. If you look at the design of SSL/TLS a very significant portion of the effort that has gone into design of the frame/cell/whatever they call them is specifically to address issues like those seen in RC4.

[Slow rekeying speed makes RC4] unusable for any system that requires rekeying.

Code RC4 in a way that makes it easy.

You simply cannot code around the fact that the RC4 key processing is dog slow, and that even after the original keying design there is the necessity to discard the first several bytes of data. So just in the keying you have to deviate substantially from the original design.


Its only redeeming factors are that the cipher itself is simple to write, and once keyed it is fast.

simple to code/verify is good for security too. This is a major point.

A Vigenère cipher is easier to code, we don't recommend it. Just as with a Vigenère cipher, building a secure protocol (even for storage) with RC4 quickly becomes an arms race requiring heroic efforts on the design side along with huge amounts of compute cycles on the execution side to avoid a PFY with a laptop. The same amount of effort in design with AES leads to a simpler, more compact design of approximately the same speed. And exactly as Ed noted: "simple to ... verify is good for security too."

The truth is that because AES is so much simpler to build a secure protocol around, the end result is actually easier to analyse.

Joe

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
