You're excessively fussy.  No one has ever found a SHA1 collision, let 
alone a bogus hit.  It is perfectly secure.  It has known weaknesses, 
but even with these known weaknesses, it is impossible to crack.

RC4 is perfectly secure.  It is vulnerable to correlated keys as used in 
WEP.  But SRP uses a session key that is a function of { server random 
number, client random number, salt, password }. Keys are NEVER reused 
and are securely computed separately on the two sides.

You need to understand something about cryptography before getting your 
knickers in a twist.

There are more important things to worry about than the choice of 
algorithm, for example, the manifest weaknesses of human chosen keys.

There is no point in pandering to the ignorant.  If they read only 
Google News headlines, they'll get upset no matter what you do.

The best alternative to RC4 is AES-128.  It is "more" (but not 
measurably) secure but also a couple of hundred times as expensive to 
compute.  If you don't believe me, run your own numbers.

With AES-128, it is more likely that users will opt to forgo security 
for reasons of performance.

Mark, you've been ranting about this for a long time.  Please take some 
time to master the concept of exponentiation.  2^80 is a lot smaller 
than 2^160 but still so large that it can't be written out in digits.

Worry about the serious vulnerabilities, not insignificant weaknesses 
found by academics and publicized by fools.


On 7/26/2015 4:03 AM, Mark Rotteveel wrote:
> I have brought this up before, and it might be a bit annoying that I do
> so again, but I remain concerned by the fact that we are about to ship a
> product (Firebird 3) that uses hashing and encryption algorithms (SHA-1
> and RC4) that most in the industry consider outdated and (relatively)
> insecure.
>
> Organizations are taking actions to deprecate and disable both (e.g.
> Oracle disabled RC4 in TLS in Java 8 Update 51, the IETF now prohibits
> the use of RC4 in TLS, https://tools.ietf.org/html/rfc7465).
>
> They might still be strong enough for now, but I am also concerned about
> the public image impact of releasing a product with a new security
> feature that uses algorithms considered insecure by today's standards.
>
> Mark


------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
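
Added example, not code from this thread or from Firebird: a compact SRP-6a-style exchange showing how a session key depends on the server random number, client random number, salt and password, and is computed separately on each side. The modulus, generator, function names and sample credentials are assumptions made for the demonstration; this is not Firebird's wire format.

```python
import hashlib
import secrets

# Demo parameters (assumptions): a Mersenne prime modulus and g = 3.
# Real deployments use a standardized SRP group instead.
N = 2**521 - 1
G = 3

def H(*parts: bytes) -> bytes:
    # SHA-1, the hash named in the thread
    return hashlib.sha1(b"".join(parts)).digest()

def to_bytes(n: int) -> bytes:
    # Fixed-width big-endian encoding, padded to the size of N
    return n.to_bytes((N.bit_length() + 7) // 8, "big")

def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")

K_MULT = to_int(H(to_bytes(N), to_bytes(G)))  # SRP-6a multiplier k

def private_x(user: str, password: str, salt: bytes) -> int:
    # x is derived from salt and password; it never leaves the client
    return to_int(H(salt, H(f"{user}:{password}".encode())))

def enroll(user: str, password: str):
    # The server stores (salt, verifier) and never the password itself
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(user, password, salt), N)

def session_keys(user: str, typed_password: str, salt: bytes, verifier: int):
    """Run one handshake in-process; return (client_key, server_key)."""
    a = secrets.randbelow(N - 2) + 1            # client random number
    b = secrets.randbelow(N - 2) + 1            # server random number
    A = pow(G, a, N)                            # sent client -> server
    B = (K_MULT * verifier + pow(G, b, N)) % N  # sent server -> client
    u = to_int(H(to_bytes(A), to_bytes(B)))     # binds both public values
    x = private_x(user, typed_password, salt)
    # Client side: uses the password-derived x and its own secret a
    s_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    # Server side: uses the stored verifier and its own secret b
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    return H(to_bytes(s_client)), H(to_bytes(s_server))
```

A production implementation also rejects `A % N == 0`, `B % N == 0` and `u == 0`, and has each side prove knowledge of the key before using it.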
