I.T. Security and Linux Administration

Aug 29 2013   9:09AM GMT

When Is Secure Too Secure?: Encryption Edition

Eric Hansen Eric Hansen Profile: Eric Hansen

After reading an interesting article on posing the question of why we are still using RC4 it got me thinking, why not?

Now, the article itself states that while its not gone the route of XOR encryption just yet, its rapidly getting close to that point.  A big aspect of using RC4 is its portability and no need of CPU extensions.  RC4 was invented in 1987, made public (well, as public as it can be) in 1994, since then all hell has broken lose.

While there are no official documents by RSA on how the algorithm works, many people have been able to replicate it pretty easily, and have even wrote variants of it to improve some of its downfalls (i.e.: RC4+ and ARC).  While the article imposes that RC4 be extinct soon, we are after all still using WEP in some of our networks as well (which I believe also uses RC4 for the encryption stream).

Are there better options when we’re talking about SSL/TLS?  Always.  You can use encryption that requires hardware (fobs), use asymmetric block-stream ciphers like AES, or even write your own (which will most likely not be a better option in practice but is fun to devise regardless personally).

When it comes to IT, everything will be broken.  Everything is meant to fail, or else we’d still be content with using bit-shifting to hide our secret love letters (even rot13 is a wiser choice in that regard).

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: