Comments (5)
OK, first why RC4:
- it's dead simple, see the magically tiny arcfour.h
- it's the best fit I have found for the purpose in Codecrypt
- There has been no security issue with actual RC4 in any place where it was used properly, ever. If I'm wrong or if I'm not using it properly, please prove me wrong; feel free to ask me about implementation details. Also, please be sure to understand the nature of the major existing attacks "against RC4" before you try.
- I don't have much spare time to implement other ciphers, even if I'd like to.
Why NOT RC4:
- Bad reputation gained from software that uses it wrong. I understand that people like to step back when they see the "RC4" sticker atop something because of TLS- and WEP-caused fears etc.
- It seems so simple that people don't understand why it's secure. But that's the case with many other symmetric ciphers.
Plans for other ciphers:
- I'd use Serpent or Camellia. It shouldn't be very hard to generalize the concept of a cipher in Codecrypt in a similar fashion as hash_func is generalized and inject it into the Fujisaki-Okamoto code (and possibly make several versions of the algorithm that way).
- Usage of other ciphers will get problematic in some places (it's not like with RC4, which you can bend to do anything reasonable), but I guess it can get sorted out given enough programming force.
- If it goes well and I find a good implementation of Serpent/Camellia (the Crypto++ impl. seems good at first sight), I could have it working in 3-4 months (I really don't have enough time right now).
from codecrypt.
Leaving this open for possible discussion/explanation about current RC4 usage.
Awright, after some discussion and more research RC4 is going to get replaced in all internal stuff in the next release. We now have XSYND and ChaCha20 implementations which more or less cover the properties of RC4; absolute RC4 avoidance will then depend on user choice -- I will certainly leave it there as an option.
The reason for doing this is the most recent attack on RC4, which gets reasonable results only from 2^24 pieces of keystream. While not practical yet, it may render RC4 insecure in some easily imaginable (although still uncommon/weird) situations.
Thanks for patience :]
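The first comment points at the tiny arcfour.h and asks readers to understand the nature of the existing attacks on RC4 before objecting; the later comment cites a keystream-bias attack that needs on the order of 2^24 keystream samples. The following is an added example, not code from codecrypt or from the thread: a complete RC4 (KSA + PRGA) in C, checked against the well-known "Key"/"Plaintext" test vector, plus a small experiment that makes the simplest of those biases visible. Mantin and Shamir (2001) observed that the second keystream byte is zero with probability about 1/128 instead of 1/256; the experiment counts that event over 2^16 keys. The keys are constructed from a deterministic xorshift64 generator (the seed is an arbitrary constant chosen here) so the run is reproducible; they stand in for uniformly random keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RC4 state: the 256-byte permutation plus the two PRGA indices. */
typedef struct {
    uint8_t S[256];
    uint8_t i, j;
} rc4_ctx;

/* Key-scheduling algorithm (KSA): permute S under the key. */
static void rc4_init(rc4_ctx *c, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        c->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + c->S[k] + key[k % keylen]);
        uint8_t t = c->S[k];
        c->S[k] = c->S[j];
        c->S[j] = t;
    }
    c->i = c->j = 0;
}

/* Pseudo-random generation algorithm (PRGA): produce one keystream byte. */
static uint8_t rc4_byte(rc4_ctx *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->S[c->i]);
    uint8_t t = c->S[c->i];
    c->S[c->i] = c->S[c->j];
    c->S[c->j] = t;
    return c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
}

/* Encrypt or decrypt (same operation) n bytes under key. */
static void rc4_crypt(const uint8_t *key, size_t keylen,
                      const uint8_t *in, uint8_t *out, size_t n)
{
    rc4_ctx c;
    rc4_init(&c, key, keylen);
    for (size_t k = 0; k < n; k++)
        out[k] = in[k] ^ rc4_byte(&c);
}

/* Sanity check against the published vector RC4("Key", "Plaintext").
 * Returns 1 on match, 0 otherwise. */
int rc4_check_vector(void)
{
    static const uint8_t want[9] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9,
                                    0x40, 0xAF, 0x0A, 0xD3};
    uint8_t out[9];
    rc4_crypt((const uint8_t *)"Key", 3, (const uint8_t *)"Plaintext", out, 9);
    return memcmp(out, want, sizeof want) == 0;
}

/* Count the keys (out of `trials`) whose keystream byte at 1-based
 * position `pos` is zero. Keys are 16 bytes drawn from a deterministic
 * xorshift64 (constructed, reproducible) standing in for random keys.
 * An unbiased generator would give about trials/256. */
unsigned long rc4_zero_count(unsigned pos, unsigned long trials)
{
    uint64_t x = 0x9E3779B97F4A7C15ULL; /* arbitrary constructed seed */
    unsigned long zeros = 0;
    for (unsigned long t = 0; t < trials; t++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k += 8) {
            x ^= x << 13; x ^= x >> 7; x ^= x << 17;
            memcpy(key + k, &x, 8);
        }
        rc4_ctx c;
        rc4_init(&c, key, sizeof key);
        uint8_t b = 0;
        for (unsigned p = 0; p < pos; p++)
            b = rc4_byte(&c);
        if (b == 0)
            zeros++;
    }
    return zeros;
}

int main(void)
{
    unsigned long trials = 1UL << 16;
    printf("test vector: %s\n", rc4_check_vector() ? "ok" : "FAILED");
    printf("unbiased expectation: about %lu zeros per position\n", trials / 256);
    for (unsigned pos = 1; pos <= 3; pos++)
        printf("keystream byte %u == 0 for %lu of %lu keys\n",
               pos, rc4_zero_count(pos, trials), trials);
    return 0;
}
```

Byte 2 comes out zero roughly twice as often as bytes 1 and 3. A single bias this size is harmless when each key is used once and the plaintext is random, which is the "used properly" case the first comment has in mind; it becomes exploitable only when many keystreams encrypt the same plaintext bytes at the same positions, which is the setting the 2^24-sample attack assumes.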
PS. Serpent/Camellia are implemented in Crypto++ (already a soft dependency) so there's no problem with supporting those now as well.
Thanks...