On Wed, 19 Aug 2015 14:55:33 -0400, Jim Starkey <j...@jimstarkey.net>
wrote:
> You're excessing fussy. No one has ever found a SHA1 collision, let
> alone a bogus hit. It is perfectly secure. It has known weaknesses,
> but even with these known weaknesses, it is impossible to crack.
>
> RC4 is perfectly secure. It is vulnerable to correlated keys as used in
> WEP. But SRP uses a session key that is a function of { server random
> number, client random number, salt, password }. Keys are NEVER reused
> and are securely computed separately on the two sides.
>
> You need to understand something about cryptography before getting your
> knickers in a twist.
I may not be an expert in cryptography, but I know enough for my day to
day work.
> There are more important things to worry about that the choice of
> algorithm, for example, the manifest weaknesses of human chosen keys.
>
> There is no point to pandering to the ignorant. If they read only
> Google News headlines, they'll get upset no matter what you do.
In my initial post I intentionally did not address the technological
details, as my intention was specifically to address the image part. The
industry consensus seems to be that moving away from RC4 and SHA1 is the
right course of action. That Firebird now (or likely 6 months from now)
release a new feature that builds on those dated algorithms is in my
opinion a PR problem, especially if you consider that it will stay for
years to come.
> The best alternative to RC4 is AES-128. It is "more" (but not
> measurably) secure but also a couple of hundred times as expensive to
> compute. If you don't believe me, run your own numbers.
AES might be more expensive, but not that expensive, especially not when
you have hardware support for AES.
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
