From: Mark Rotteveel <m...@lawinegevaar.nl>
Date: Sun, May 26, 2013 at 11:53 AM
Subject: [Firebird-devel] RC4 for encryption?
To: For discussion among Firebird Developers <firebird-devel@lists.sourceforge.net>
If I understand it correctly, the new wire encryption of FB 3 uses RC4,
an encryption with known attacks and vulnerabilities. Wouldn't it be
better to research other options?
http://www.isg.rhul.ac.uk/tls/

Read the fine print. To break a message, you need 2^30 encrypted
versions of a message containing a 256 byte constant block starting at a
fixed position. Nice theoretical work, but it isn't a practical attack.

Note the chaining algorithm used for AES stream encryption has also been
attacked.

I initially implemented NuoDB (then NimbusDB) line encryption with 128
bit AES. The performance hit was about 85%, which just wouldn't fly.
Substituting RC4 for AES dropped this to about 4%. As a result, I left
the flexible encryption in place but dropped both AES and plaintext as
options, leaving only RC4.

RC4 got a bad rep in the WiFi WEP disaster, but the actual problem was
an idiotic design where the same short message was encrypted by a cycle of
partially generated keys.

RC4 is pretty much the de facto standard for stream ciphers because of
its performance characteristics. Yes, it can be attacked, but only if
you sincerely want to be attacked.

I don't know what Firebird is now using for password validation, but I
strongly suggest that somebody look closely at SRP (secure remote
password) to generate session keys. SRP is immune to all but brute
force attacks, doesn't require that a server store anything which, if
compromised, would allow passwords (or surrogates) to be computed, and
requires a single round trip for authentication.
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
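
A stream cipher such as RC4 must never encrypt two messages with the same keystream, which is why the thread's point about generating session keys matters for wire encryption. The following is an added example, not code from this thread or from Firebird: a plain RC4 implementation showing that two messages under one key expose the XOR of their plaintexts, while a key derived per connection and direction does not. The `session_key` helper, its nonce and direction labels, and the sample messages are assumptions constructed for the illustration.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA), then keystream bytes (PRGA) XORed into data."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA: permute s under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                           # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def session_key(shared_secret: bytes, nonce: bytes, direction: bytes) -> bytes:
    """Hypothetical derivation: a distinct RC4 key per connection and direction."""
    return hashlib.sha256(shared_secret + nonce + direction).digest()

# Constructed sample data (not taken from any real session).
SECRET = b"negotiated-secret"     # stands in for a key agreed during authentication
MSG_A = b"SELECT * FROM ACCOUNTS"
MSG_B = b"UPDATE USERS SET X = 1"

def reused_key_leaks() -> bool:
    """Same key twice: the keystream cancels, leaving plaintext XOR plaintext."""
    c1, c2 = rc4(SECRET, MSG_A), rc4(SECRET, MSG_B)
    return xor(c1, c2) == xor(MSG_A, MSG_B)

def fresh_key_leaks() -> bool:
    """Per-connection keys: the two keystreams differ, so nothing cancels."""
    c1 = rc4(session_key(SECRET, b"conn-1", b"client->server"), MSG_A)
    c2 = rc4(session_key(SECRET, b"conn-2", b"client->server"), MSG_B)
    return xor(c1, c2) == xor(MSG_A, MSG_B)

if __name__ == "__main__":
    print("reused key leaks plaintext XOR:", reused_key_leaks())
    print("fresh keys leak plaintext XOR: ", fresh_key_leaks())
```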