On Wed, Apr 25, 2007 at 11:24:35AM +0200, Simon Josefsson wrote:
> I'd rather just declare RC4 as broken and move on, though.
RC4, if used correctly, is not broken. Actually, no known attack exists on
RC4 with the first two(!) bytes discarded, if the session key is a hash
value of the concatenated key and IV. Discarding the first 256 bytes is a
safety-belt measure on my part, guarding against yet undiscovered attacks.
There are many ways to use RC4 just as there are many ways to use block
ciphers. Allowing a stream cipher like RC4 in OpenPGP would be a radical
departure from the current policy, but once we do that, the mode of use
should be specified to the same detail as the CFB mode for stream ciphers.
I have good reasons to believe that my use of RC4 is safe, but then again,
it relies on RIPEMD128 for hashing, which is not required by RFC2440. One
could use (possibly truncated) SHA1, which is a bit slower, but it makes no
real difference. If any other implementor expresses interest in RC4, I am
willing to consider switching from RIPEMD128 to SHA1.
Cheers,
--
Daniel
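The mode of use Daniel sketches above, worked through as an added example (this is not code from the thread, from Daniel's implementation, or from any OpenPGP project): the session key is a hash of key || IV, and a fixed number of leading keystream bytes is discarded before encryption starts. Assumptions: the hash is SHA-1 truncated to 16 bytes (the message names RIPEMD128, with truncated SHA-1 as an acceptable substitute), key || IV is plain concatenation, and the IV is a caller-supplied byte string. The last function measures the second-output-byte bias of raw RC4 (Mantin-Shamir, 2001: Pr[Z_2 = 0] is about 2/256 rather than 1/256), which is the known distinguisher that discarding the first two bytes removes; the 256-byte drop is the safety belt from the message.

```python
"""Added example: RC4 with a hashed session key and a keystream prefix drop.
Not code from the mailing-list thread. SHA-1 truncated to 16 bytes stands in
for RIPEMD128 (assumption); key || IV is plain concatenation (assumption)."""
import hashlib
from typing import Iterator

DROP = 256          # safety-belt discard from the message; 2 is the minimum it cites


def rc4_keystream(key: bytes, drop: int = 0) -> Iterator[int]:
    """Textbook RC4: key scheduling (KSA), then the output generator (PRGA).
    The first `drop` output bytes are consumed and never yielded."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                               # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    produced = 0
    while True:                                        # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out = S[(S[i] + S[j]) & 0xFF]
        if produced >= drop:
            yield out
        produced += 1


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the (drop-prefixed) keystream; the operation is self-inverse."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, drop)))


def session_key(key: bytes, iv: bytes) -> bytes:
    """H(key || IV). Hashing instead of concatenating removes the related-key
    structure that the Fluhrer-Mantin-Shamir key-scheduling attack relies on.
    Assumption: SHA-1 truncated to 16 bytes stands in for RIPEMD128."""
    return hashlib.sha1(key + iv).digest()[:16]


def encrypt(key: bytes, iv: bytes, plaintext: bytes, drop: int = DROP) -> bytes:
    return rc4_crypt(session_key(key, iv), plaintext, drop)


decrypt = encrypt   # stream cipher: decryption is the same XOR


def zero_rate_at(position: int, n_keys: int, drop: int) -> float:
    """Fraction of keys whose keystream byte at `position` (counted after the
    drop) equals 0. With drop=0 and position=1 this shows the Mantin-Shamir
    second-byte bias (~2/256); with drop=256 the same slot is back near 1/256.
    Keys are constructed deterministically from a counter, so the result is
    repeatable."""
    zeros = 0
    for c in range(n_keys):
        key = hashlib.sha1(b"constructed-key-%d" % c).digest()[:16]
        ks = rc4_keystream(key, drop)
        for _ in range(position):
            next(ks)
        zeros += next(ks) == 0
    return zeros / n_keys


if __name__ == "__main__":
    k, iv = b"long-term key", bytes(range(8))      # constructed sample inputs
    ct = encrypt(k, iv, b"Attack at dawn")
    print("ciphertext :", ct.hex())
    print("round trip :", decrypt(k, iv, ct))
    print("Pr[Z_2=0], no drop :", zero_rate_at(1, 20000, 0))
    print("Pr[Z_2=0], drop 256:", zero_rate_at(1, 20000, 256))
```

Note that the drop only addresses keystream-prefix biases; it does nothing about keystream reuse, so the (key, IV) pair must never repeat, and like any raw stream cipher this provides no integrity protection on its own.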