Ge' Weijers (ge@Progressive-Systems.Com)
Wed, 28 Apr 1999 15:09:58 -0400
On Mon, Apr 26, 1999 at 09:13:04PM -0400, Wall, Kevin wrote:
> Fortunately, this bit of timely information saved us from doing
> exactly that. A colleague of mine had intended to use RC4,
> a stream cipher that operates in OFB mode, with the SAME KEY each
> time; he intended using the same secret key each time to eliminate
> the key distribution problem. (This was supposed to be a quick
> fix to a relatively minor problem; namely encrypting a new candidate
> password between a servlet running in a web server and a back-end
> RMI service. See below for more details.)
Why even go through the trouble of using RC4 here? Just pull a list of
random bytes out of /dev/random and use these to XOR the
passwords. Using RC4 in this way just saves space if your plaintext is
long, but we're talking about short strings here, so a lookup table is
probably shorter.
You can do much better than this in < 100 lines of code.
Ge'
--
Ge' Weijers                  Voice: (614)326 4600
Progressive Systems, Inc.    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
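
Added example (not part of the original message): the sketch below shows why RC4 under one fixed key is no stronger than XORing every password with the same list of bytes, as the reply observes, and what that reuse leaks. The key and passwords are constructed sample values, and the function names are illustrative.

```python
"""RC4 with a fixed key vs. a fixed XOR pad: same keystream, same leak."""

def rc4_keystream(key: bytes, n: int) -> bytes:
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def demo() -> dict:
    key = b"constructed-shared-secret"           # sample value, never changes
    pad = rc4_keystream(key, 64)                 # the "lookup table" of bytes
    p1, p2 = b"correct-horse-1", b"Tr0ub4dor&3"  # constructed passwords
    c1, c2 = rc4_encrypt(key, p1), rc4_encrypt(key, p2)
    return {
        # Fixed-key RC4 is byte-for-byte the same as XOR with a fixed pad.
        "same_as_fixed_pad": c1 == xor(p1, pad) and c2 == xor(p2, pad),
        # The keystream cancels: the two ciphertexts alone reveal p1 XOR p2.
        "xor_leaks": xor(c1, c2) == xor(p1, p2),
        # One known plaintext/ciphertext pair exposes the keystream, and
        # with it every other message encrypted under that key.
        "recovered_p2": xor(c2, xor(c1, p1)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```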
The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:23