From: Tom St Denis on 15 Jan 2010 08:57

On Jan 15, 8:47 am, Keith <m...(a)privacy.net> wrote:
> Dave -Turner wrote:
> > RC4 is such a simple and fast algorithm ... ok there are a few attacks
> > against it, but what if I encrypted the stream twice, using two unrelated
> > keys. (Two "rounds" if you will, but with different keys obviously, as using
> > same key in RC4 simply decrypts the original)
> > How much additional security would this second round provide (if any)?
>
> From what I've read, you may be better off in terms of both security and
> speed (if using RC4 is unavoidable), by just dropping the first x bytes
> of the keystream, where a conservative value for x might be 3072 bytes.
>
> See http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC4-drop
> for a brief discussion.

At the point where you're free to manipulate the protocol at will [double RC4 and/or drop bytes] why not just put AES-CTR in its place? Mechanically it operates on data in the same way [e.g. bit at a time] and you only need one direction of the cipher implemented.

The reality is for most traffic RC4 [when keyed and IVed correctly] is secure. When you hit some website with TLS to buy an Album [I buy a lot of books/albums...] you're doing transactions that measure into the tens of kilobytes at most. That's magnitude 2^16 to maybe 2^18 at most. The best RC4 attacks require on the order of 2^30 bytes of output just to distinguish the cipher from random and that's with KNOWN PLAINTEXT [e.g. raw rc4 output]. So you'd have to do 4096 transactions with the same key/iv just to even get to that point.

Where things like WEP failed largely is how they key/iv the cipher, not that they used RC4 itself.

So either RC4 is secure enough for your task, or since you seem free to change the design, you should consider using a more secure cipher to start with.

Tom
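The two variants debated in the thread, as an added example that is not part of any post: a minimal RC4 with an RC4-drop[n] parameter, showing that "encrypting twice with the same key" is the identity and that double RC4 under two unrelated keys is still just a stream cipher whose keystream is the XOR of the two individual keystreams. The keys and messages used here are constructed test values; the `Key`/`Plaintext` pair is the standard published RC4 test vector.

```python
from itertools import islice


def rc4_keystream(key: bytes, drop: int = 0):
    """Yield RC4 keystream bytes for `key`, discarding the first `drop`
    bytes (RC4-drop[n]; the thread quotes n = 3072 as a conservative value)."""
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        produced += 1
        if produced > drop:          # skip the biased early keystream bytes
            yield k


def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR `data` with the (possibly dropped) keystream; same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, drop)))


def double_rc4(k1: bytes, k2: bytes, data: bytes, drop: int = 0) -> bytes:
    """The OP's proposal: a second RC4 pass under an unrelated second key."""
    return rc4(k2, rc4(k1, data, drop), drop)


def combined_keystream(k1: bytes, k2: bytes, n: int, drop: int = 0) -> bytes:
    """The keystream double RC4 effectively applies: KS(k1) XOR KS(k2).
    Double RC4 is therefore one stream cipher, not a fundamentally new design."""
    ks1 = islice(rc4_keystream(k1, drop), n)
    ks2 = islice(rc4_keystream(k2, drop), n)
    return bytes(a ^ b for a, b in zip(ks1, ks2))
```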