[cryptography] 100 Gbps line rate encryption

Matthew Green matthewdgreen at gmail.com
Tue Jul 16 11:15:22 EDT 2013


The use of RC4 should be avoided even with the drop-N due to biases that occur later in the key stream. You should also be extremely careful about mixing IVs with the key. At a minimum you ought to use a modern cryptographic hash function -- there's no evidence that repeating key setup is sufficient to prevent correlations. 

http://www.isg.rhul.ac.uk/tls/RC4biases.pdf

In summary, don't use RC4. Don't use it carelessly with IVs. And don't use RC4. 

Consider using Salsa20 instead. 

Matt

On Jul 16, 2013, at 10:43 AM, Thor Lancelot Simon <tls at panix.com> wrote:

> On Tue, Jul 16, 2013 at 03:23:01AM -0400, William Allen Simpson wrote:
>> On 6/22/13 8:24 PM, Greg Rose wrote:
>>> 
>>> On Jun 22, 2013, at 15:31 , James A. Donald <jamesd at echeque.com> wrote:
>>> 
>>>> On 2013-06-23 6:47 AM, Peter Maxwell wrote:
>>>>> I think Bernstein's Salsa20 is faster and significantly more secure than RC4, whether you'll be able to design hardware to run at line-speed is somewhat more questionable though (would be interested to know if it's possible right enough).
>>>> 
>>>> I would be surprised if it is faster.
>>> 
>>> Be surprised, then... almost all of the recent word- or block-oriented stream ciphers are faster than RC4. And NOTHING should still be using RC4; by today's standards it is quite insecure.
>> So I spent some (much too much) time reading old PPP archives on our
>> earlier discussions selecting an algorithm.  Sadly, 3DES was chosen,
>> but rarely implemented.
>> 
>> I cobbled together a draft based on old discussion for ARC4.  It
>> surely needs more work.  Although (as you mention) that's old stuff,
>> it has the advantage of having running code in most existing systems,
>> and could be rolled out quickly on high speed connections.
>> 
>> http://tools.ietf.org/html/draft-simpson-ppp-arc4-00
> 
> If you're really going to publish a new RFC -- even an Experimental
> one -- using RC4, you should really use RC4-drop-N.  For even moderately
> sized packets and reasonable values of N, if you effectively rekey every
> packet, you will end up wasting 25-50% of the throughput of the system.
> 
> Conclusion: RC4 is particularly poorly suited for this application
> in the modern day.
> 
> Thor