
Re: [Cfrg] Re: hash functions, stream ciphers



David,

On Aug 26, 2004, at 3:23 PM, david jacobson wrote:

> Shai Halevi wrote:
>> On Thursday Thu, 26 Aug 2004 10:32, "Hallam-Baker, Phillip" wrote:
>> [snip]
>>> RC4 has been compromised by Shamir & co, but as a general rule I don't
>>> think any stream cipher should ever get a higher status than acceptable. A stream cipher always allows a person who has a plaintext and ciphertext
>>> corresponding to a key to encode or decode all messages with that key that are shorter or the same size. [...]
>> In essence, you're claiming that it is easier to misuse a stream cipher than a block cipher. I'm interested whether others share the same view. (We all know how easy it is to misuse stream ciphers, but on the other hand it is also quite easy to misuse block ciphers.)
>> -- Shai
>
> For clarification I'm referring to RC-4 like ciphers that in essence are pseudo-random bit generators that are XORed with the data at both ends. As with a one-time pad, these can be used only once.
>
> The biggest problem, in my opinion, is that if the data is structured in a way known to the attacker, he can flip any bit(s) he likes, unless the message is protected in some way. So if he knows you are transferring $1000 into account 666666, he can easily flip the bits of the target account number to 666777.
>
> Contrast this with any CBC mode block cipher. Flipping any bit turns the entire block it was in and all subsequent blocks to garbage.

FWIW, the error propagation for CBC doesn't work this way. A ciphertext error in a single block will result in an error in only two blocks of plaintext.

Yes, I realize that this point is tangential to the one that you were making. ;-)

David

> Of course, the counter argument is that if you want integrity, you should not be depending on just encryption, so I'm complaining about a property that one should not expect.
>
>   -- David Jacobson
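As an added illustration (not from the thread, and not a real cipher: the block cipher is a toy Feistel network over SHA-256, and KEY, IV and PT are constructed sample values), the Python below corrupts one ciphertext bit under a keystream-XOR stream cipher and under CBC, then reports which plaintext blocks change on decryption. The stream cipher changes only the matching bit; CBC changes exactly two blocks, the hit block entirely and the next one in the same bit position, as the reply says. An HMAC over the ciphertext rejects the change in either case, which is where integrity has to come from.

```python
import hashlib, hmac
BLOCK = 16  # block size in bytes; the Feistel "cipher" below is a toy stand-in, not a real cipher
KEY, IV = b"k" * 16, b"\x00" * 16                  # constructed sample values
PT = b"transfer $1000 to account 666666"           # constructed: 32 bytes, i.e. two blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # 4-round Feistel network with a SHA-256 round function: invertible by running the rounds backwards.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _feistel(key, xor(pt[i:i + BLOCK], prev), range(4))  # C_i = E(P_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(_feistel(key, ct[i:i + BLOCK], reversed(range(4))), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def stream_xor(key, nonce, data):
    # RC4-style use: a keystream XORed with the data; the same call encrypts and decrypts.
    ks = b"".join(hashlib.sha256(key + nonce + n.to_bytes(4, "big")).digest()
                  for n in range(len(data) // 32 + 1))
    return xor(data, ks)

def flip_bit(ct, byte_index, mask=0x01):
    return ct[:byte_index] + bytes([ct[byte_index] ^ mask]) + ct[byte_index + 1:]

def blocks_changed(pt, dec):  # block numbers where the decryption differs from the original plaintext
    return [i for i in range(len(pt) // BLOCK)
            if dec[i * BLOCK:(i + 1) * BLOCK] != pt[i * BLOCK:(i + 1) * BLOCK]]

def propagation_demo(key, iv, pt, block_index):
    """Flip one ciphertext bit in block `block_index` under both modes; returns (CBC plaintext, stream plaintext, HMAC still accepts?)."""
    pos = block_index * BLOCK
    cbc_ct, stream_ct = cbc_encrypt(key, iv, pt), stream_xor(key, iv, pt)
    tag = hmac.new(key, cbc_ct, "sha256").digest()
    mac_ok = hmac.compare_digest(hmac.new(key, flip_bit(cbc_ct, pos), "sha256").digest(), tag)
    return (cbc_decrypt(key, iv, flip_bit(cbc_ct, pos)),
            stream_xor(key, iv, flip_bit(stream_ct, pos)), mac_ok)
```

Calling `propagation_demo(KEY, IV, PT, 0)` and passing the results through `blocks_changed` gives `[0, 1]` for CBC and `[0]` for the stream cipher, with the HMAC verdict `False`.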



_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
