Re: Re: Is AES better than RC4

2006-05-25 Thread Joseph Ashwood
- Original Message - 
From: Ed Gerck [EMAIL PROTECTED]

Subject: [!! SPAM] Re: Is AES better than RC4



> Joseph Ashwood wrote:
>
> SOP: discard first 100's of bytes

This is part of the lack of key agility.

>> Using it securely requires so much in the way of heroic efforts
>
> SOP: hash the key

There is far more to using RC4 securely than simply hashing the key. Hashing 
the key only prevents recovering the original key (to the limits of the hash 
used); it does not provide for anything close to all the heroic efforts. If 
you look at the design of SSL/TLS a very significant portion of the effort 
that has gone into design of the frame/cell/whatever they call them is 
specifically to address issues like those seen in RC4.

>> [Slow rekeying speed makes RC4] unusable for any system that requires 
>> rekeying.
>
> Code RC4 in a way that makes it easy.

You simply cannot code around the fact that the RC4 key processing is dog 
slow, and that even after the original keying design there is the necessity 
to discard the first several bytes of data. So just in the keying you have 
to deviate substantially from the original design.

>> Its only redeeming factors are that the cipher itself is simple to 
>> write, and once keyed it is fast.
>
> simple to code/verify is good for security too. This is a major
> point.

A Vigenère cipher is easier to code, we don't recommend it. Just as with a 
Vigenère cipher, building a secure protocol (even for storage) with RC4 
quickly becomes an arms race requiring heroic efforts on the design side 
along with huge amounts of compute cycles on the execution side to avoid a 
PFY with a laptop. The same amount of effort in design with AES leads to a 
simpler, more compact design of approximately the same speed. And exactly as 
Ed noted: simple to ... verify is good for security too.


The truth is that because AES is so much simpler to build a secure protocol 
around the end result is actually easier to analyse.
   Joe 



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Is AES better than RC4

2006-05-25 Thread Ed Gerck

JA,

Please note that my email was way different in scope. My opening
sentence, where I basically said that it does not make much sense
to compare RC4 with AES, was cut in your quote -- but here it is:

AES has more uses and use modes than RC4, in addition to the fact that
it encrypts more than one byte at once. Having said that, it is curious
to note the following misconceptions:

BTW, discarding the first 100's of bytes in RC4 is easy, fast, and
has nothing to do with lack of key agility. And, if you do it, you don't
even have to hash the key (ie, you must EITHER hash the key OR discard the
first bytes).

Cheers, Ed Gerck

Joseph Ashwood wrote:

- Original Message - From: Ed Gerck [EMAIL PROTECTED]
Subject: [!! SPAM] Re: Is AES better than RC4
...




Re: Re: Is AES better than RC4

2006-05-25 Thread Joseph Ashwood
- Original Message - 
From: Ed Gerck [EMAIL PROTECTED]

Subject: [!! SPAM] Re: Is AES better than RC4



> Please note that my email was way different in scope. My opening
> sentence, where I basically said that it does not make much sense
> to compare RC4 with AES, was cut in your quote -- but here it is:
>
> AES has more uses and use modes than RC4, in addition to the fact that
> it encrypts more than one byte at once. Having said that, it is curious
> to note the following misconceptions:

Yes I did snip that out. I figured everything we agreed on could be left out 
easily enough. I apologize for removing something you considered core to 
your view.

> BTW, discarding the first 100's of bytes in RC4 is easy, fast, and
> has nothing to do with lack of key agility. And, if you do it, you don't
> even have to hash the key (ie, you must EITHER hash the key OR discard the
> first bytes).

From my view it does. Every extra clock cycle has an impact on key agility, 
even 1 byte of RC4 discards slows the rekeying process, and as a result it 
does affect the effective key agility. That only 256 discards are necessary 
does not mean that those extra 256*(clock cycles per pull) clock cycles 
don't affect key agility. At what point do we say "This affects key agility" 
when it increases the time by 1%? 10%? 100%? If we don't consider every 
cycle to reduce key agility it's all just a matter of scale. This does mean 
that different implementations will have different key agilities, but if you 
look historically RC2 makes a great example of where the attacker has 
substantially more key agility than the legitimate user, so it is not 
without precedent.

   Joe





Re: Is AES better than RC4

2006-05-24 Thread Joseph Ashwood


RC4 should have been retired a decade ago, that it has not is due solely to 
the undereducated going with whatever's fastest. It's time we allowed RC4 
to stay dead.
   Joe 





Re: Is AES better than RC4

2006-05-24 Thread Max

On 5/23/06, James A. Donald [EMAIL PROTECTED] wrote:


> AES is new, and people keep claiming progress towards
> breaking it, without however, so far producing any
> breaks.
>
> RC4 is old and has numerous known weaknesses, which are
> tricky to code around, and have caught many an
> implementor - notice for example Wifi.  But these are
> known weaknesses, and no new ones have turned up for
> some time, nor does it seem likely that they will.


I'm confused.
AES is a _block_ cipher while RC4 is a _stream_ cipher. How are you
going to compare them?

It makes much more sense to compare AES to RC6 block cipher (if you
like something from the RC-family of ciphers) but that was already
done by the AES standard committee. RC6 became one of the five
finalists but then lost the race to Rijndael. Look at the details of
AES selection process if interested.

Max



Re: Is AES better than RC4

2006-05-24 Thread James A. Donald

--
James A. Donald
> AES is new, and people keep claiming progress towards
> breaking it, without however, so far producing any
> breaks.
>
> RC4 is old and has numerous known weaknesses, which
> are tricky to code around, and have caught many an
> implementor - notice for example Wifi.  But these are
> known weaknesses, and no new ones have turned up for
> some time, nor does it seem likely that they will.

Max wrote:
> I'm confused. AES is a _block_ cipher while RC4 is a
> _stream_ cipher. How are you going to compare them?

The question is, what is likely to be secure (assuming
no errors in the code or protocol, assuming the protocol
accommodates the known weaknesses of RC4).

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 r+jgJN/UZnI2Ndd0y5iy/yo4PpzCqxx4/Ouqmr0y
 42RAM+28IfhN9Xrs5LS5o3jt9p73L5MSyLOzwwWT4



Re: Is AES better than RC4

2006-05-24 Thread James A. Donald

--
Joseph Ashwood wrote:
> RC4 should have been retired a decade ago,

Why?

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 pvLUSroPw35whI+/0Tq1IYPZh/GDEidGMu+4KvZc
 4zyBqLBt4fFho62NSUZuECGjiLrFpqppx7lXuvebv




Re: [!! SPAM] Re: Is AES better than RC4

2006-05-24 Thread Joseph Ashwood
- Original Message - 
From: James A. Donald [EMAIL PROTECTED]

Subject: [!! SPAM] Re: Is AES better than RC4



> --
> Joseph Ashwood wrote:
>> RC4 should have been retired a decade ago,
>
> Why?

It is in general distinguishable from random, actually quite quickly.
The first few bytes are so biased that any security is imaginary.
Using it securely requires so much in the way of heroic efforts that the 
overall system slows down into the same speed class as a much simpler, more 
secure design based on AES (or 3DES, or a dozen other ciphers).
The key anti-agility slows it down to the point of being functionally 
unusable for any system that requires rekeying.
Its only redeeming factors are that the cipher itself is simple to write, 
and once keyed it is fast. Neither of these is of any substantial use after 
considering the previous major issues.
   Joe 
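
The early-keystream bias cited in the message above can be measured directly. This added example (not code from the thread) counts how often the second RC4 keystream byte is zero with no discard and after discarding 256 bytes, the figure used elsewhere in this thread; the 16-byte key length, the xorshift32 key generator and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard RC4: key schedule, discard `drop` bytes, then emit n bytes. */
static void rc4_keystream(const uint8_t *key, size_t klen, size_t drop,
                          uint8_t *out, size_t n) {
    uint8_t S[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 255;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < drop + n; k++) {
        i = (i + 1) & 255; j = (j + S[i]) & 255;
        t = S[i]; S[i] = S[j]; S[j] = t;
        if (k >= drop) out[k - drop] = S[(S[i] + S[j]) & 255];
    }
}

/* Constructed test keys: fixed-seed xorshift32, not a CSPRNG. */
static uint32_t prng_state;
static uint8_t next_key_byte(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return (uint8_t)(prng_state >> 24);
}

/* Over `trials` keys, count zero second bytes; uniform gives trials/256. */
long count_second_byte_zero(long trials, size_t drop) {
    long hits = 0;
    prng_state = 0x12345678u;   /* same key set for every call */
    for (long t = 0; t < trials; t++) {
        uint8_t key[16], z[2];
        for (int b = 0; b < 16; b++) key[b] = next_key_byte();
        rc4_keystream(key, sizeof key, drop, z, 2);
        if (z[1] == 0) hits++;
    }
    return hits;
}

int main(void) {
    long n = 200000;
    printf("uniform %ld, no discard %ld, discard 256 %ld\n", n / 256,
           count_second_byte_zero(n, 0), count_second_byte_zero(n, 256));
    return 0;
}
```

With no discard the count comes out near twice the uniform expectation; after the discard it sits near the expectation.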





Is AES better than RC4

2006-05-23 Thread James A. Donald

--
AES is new, and people keep claiming progress towards
breaking it, without however, so far producing any
breaks.

RC4 is old and has numerous known weaknesses, which are
tricky to code around, and have caught many an
implementor - notice for example Wifi.  But these are
known weaknesses, and no new ones have turned up for
some time, nor does it seem likely that they will.


--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 aMGHaG1NbogokuNeDdZ0lhGIuup5dcnanNmv/M3z
 4bFF4Yq8bD+vAGqsKwFG62Fy4ZEiJb+gVrl+FMJjh

