Subject: Re: Encrypted compressed vnds
To: None <>
From: Ben Harris <>
List: tech-kern
Date: 08/07/2006 17:51:14
In article <> you write:
>Joerg Sonnenberger wrote:
>> If you want something simple, at least use a secure cipher. AES and
>> Blowfish are in the kernel already, so use them. RC4 is as well, but
>> considered weak now. DES is just not worth the effort.
>I'm not aware of any cryptographers that consider RC4 weak.

I'm not a cryptographer, but I did spend quite a lot of time looking
into attacks on RC4 while writing RFC 4345, and it has some really
rather fun weaknesses.  My favourite one is in the paper below, whereby
the keystream generator emite certain digraphs slightly more frequently
than it ought to, so if you can get lots (of order 2^31) of different
ciphertexts corresponding to the same plaintext you can get information
about the plaintext.

   [FMcG]     Fluhrer, S. and D. McGrew, "Statistical Analysis of the
              Alleged RC4 Keystream Generator", Fast Software
              Encryption:  7th International Workshop, FSE 2000, April
              2000, <>.

I view RC4 much like MD5 -- there are circumstances in which it's safe,
but I wouldn't recommend it for general-purpose use.

Ben Harris                                                   <>
Portmaster, NetBSD/acorn26           <URL:>