On Sun, 26 May 2013 13:36:36 -0400, Jim Starkey <j...@jimstarkey.net> wrote:
> From: *Mark Rotteveel* <m...@lawinegevaar.nl>
>> If I understand it correctly, the new wire encryption of FB 3 uses RC4,
>> an encryption with known attacks and vulnerabilities. Wouldn't it be
>> better to research other options?
>>
>> http://www.isg.rhul.ac.uk/tls/
>
> Read the fine print. To break a message, you need 2^30 encrypted
> versions of a message containing a 256 byte constant block starting at a
> fixed position. Nice theoretical work, but it isn't a practical attack.
>
> Note the chaining algorithm used for AIS stream encryption has also been
> attacked.

Maybe I should have mentioned it explicitly, but I am also thinking of the
psychology of "it is new and they use something known to be broken?".

> I initially implemented NuoDB (then NimbusDB) line encryption with 128
> bit AES. The performance hit was about 85%, which just wouldn't fly.
> Substituting RC4 for AIS dropped this to about 4%. As a result, I left
> the flexible encryption in place but dropped both AES and plaintext as
> options, leaving only RC4.

Was that with or without the use of AES instructions like AES-NI
(http://en.wikipedia.org/wiki/AES_instruction_set)? I thought that with the
use of those instructions AES actually outperformed RC4 (can't find a direct
comparison right now though).

> RC4 got a bad rep in the WiFi WEP disaster, but the actual problem was
> an idiotic design where the same short message was encrypted by a cycle of
> partially generated keys.
>
> RC4 is pretty much the de facto standard for stream ciphers because of
> its performance characteristics. Yes, it can be attacked, but only if
> you sincerely want to be attacked.

Ok, good to know.

> I don't know what Firebird is now using for password validation, but I
> strongly suggest that somebody look closely at SRP (secure remote
> password) to generate session keys. SRP is immune to all but brute
> force attacks, doesn't require that a server store anything which, if
> compromised, would allow password (or surrogates) to be computed, and
> requires a single round trip for authentication.

Firebird 3 uses SRP.

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
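The RC4 weakness the two posters are arguing about, as an added example that is not part of the original thread and not code from Firebird or NuoDB: the first keystream bytes of RC4 are biased, and encrypting the same plaintext under many independent keys (the "broadcast" setting: a fixed header, cookie or password block in every session) lets an observer vote on the plaintext. The block implements textbook RC4, measures the strongest of those biases (the second output byte is 0 about twice as often as it should be, the Mantin-Shamir bias), and then runs the broadcast attack on a constructed two-byte plaintext. The 16-byte random keys, the sample count of 2^14 and the seeded PRNG used for reproducibility are assumptions of this example; a real attacker simply collects ciphertexts the victim produces.

```python
"""Added example, not code from the thread or from Firebird/NuoDB.

Demonstrates the bias in RC4's early keystream bytes (the class of weakness
behind the RHUL "RC4 in TLS" work linked in the thread) and the broadcast
attack it enables. Pure Python, standard library only.

Assumptions of this example: 16-byte random keys, a seeded PRNG so the
numbers are reproducible, and a constructed two-byte plaintext.
"""
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by n output bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4 has no IV: ciphertext is simply plaintext XOR keystream."""
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def random_key(rng: random.Random, length: int = 16) -> bytes:
    # Deterministic keys from a seeded PRNG, for reproducibility only (assumption).
    return bytes(rng.getrandbits(8) for _ in range(length))


def second_byte_counts(samples: int = 1 << 14, seed: int = 1) -> Counter:
    """Histogram of Z_2 (the second keystream byte) over `samples` random keys.

    A uniform generator hits each value with probability 1/256.  RC4's second
    byte is 0 with probability close to 2/256 (Mantin-Shamir bias).
    """
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(samples):
        counts[rc4_keystream(random_key(rng), 2)[1]] += 1
    return counts


def broadcast_recover_second_byte(plaintext: bytes, samples: int = 1 << 14,
                                  seed: int = 2) -> int:
    """Broadcast attack on byte 2.

    The same plaintext is encrypted under many independent keys.  Because
    Z_2 = 0 is the single most likely keystream value, the most frequent
    ciphertext byte at position 2 is the plaintext byte (C_2 = P_2 XOR 0).
    Only the first two bytes are encrypted since nothing else is used.
    """
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(samples):
        counts[rc4_encrypt(random_key(rng), plaintext[:2])[1]] += 1
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    n = 1 << 14
    counts = second_byte_counts(n)
    print(f"P(Z_2 = 0) = {counts[0] / n:.5f}   (uniform would be {1 / 256:.5f})")
    recovered = broadcast_recover_second_byte(b"OK")   # constructed plaintext
    print(f"recovered byte 2 = {recovered:#04x} ({chr(recovered)!r})")
```

Two things worth noticing when running it. First, about 2^14 ciphertexts suffice here only because Z_2 carries the strongest bias; the thread's 2^30 figure is what it takes to recover a whole 256-byte block from the far smaller biases at the other early positions, which is why one side calls it impractical and the other sees a broken primitive. Second, the attack needs no key material and no knowledge of the plaintext, only that the same bytes sit at a fixed position in many sessions, which is exactly the shape of a protocol header or a repeated credential on a database wire protocol.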