Penetration Testing mailing list archives
Re: [PEN-TEST] RC4
From: Joe Shaw <jshaw () INSYNC NET>
Date: Wed, 29 Nov 2000 14:32:39 -0600
Generally, if the source to an encryption standard is out and no one has found anything wrong with it, then it's not that big of a deal. Most people are generally more concerned with proprietary standards because they are not subject to peer review.

It should be noted that the RC4 source posted to USENET was work-alike code, not the actual RC4 source from RSA. RC4 is susceptible to brute force attacks when using small key lengths like 40 bits. It's possible to exhaust the entire 40-bit RC4 key space in roughly 24 hours with about $15,000 worth of today's hardware and an optimized parallel key cruncher, so longer key lengths are preferred.

-- Joseph W. Shaw Sr. Network Security Specialist for Big Company not to be named. I have public opinions, and they have public relations.

On Tue, 28 Nov 2000, Jay Mobley wrote:
So, I am not pen-testing anything, but rather looking at some of my own vulnerabilities... and in doing so I learn that my Win2k Terminal server sends data to and from its client in a data stream encrypted with RC4. And in researching what I could about RC4, I have seen time and time again that RC4 source was posted to a public usenet forum..... So my question is this... If one has the source code to an encryption standard... how secure is that standard???

-Jay Mobley Interactive Explorers
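The point made in the reply above, as an added example that is not part of the original posts: the RC4 algorithm is public and fits in a few lines, so the cost of recovering a key is set by key length alone. The function names `rc4`, `exhaust` and `scale_seconds`, the 12-bit key and the sample plaintext are constructed for illustration; the timing extrapolation reflects only the machine it runs on.

```python
# Added example: RC4 work-alike and a toy key search (all inputs constructed).
import time

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt data with RC4 (same operation both ways)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def exhaust(ciphertext: bytes, known: bytes, key_bits: int):
    """Try every key of key_bits bits; return (key, trials) or (None, trials)."""
    nbytes = (key_bits + 7) // 8
    head = ciphertext[:len(known)]
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if rc4(key, head) == known:
            return key, k + 1
    return None, 1 << key_bits

def scale_seconds(measured_s: float, trials: int, key_bits: int) -> float:
    """Extrapolate the measured per-key cost to a full key space."""
    return measured_s / trials * (1 << key_bits)

if __name__ == "__main__":
    # Widely published RC4 test vector: key "Key", plaintext "Plaintext".
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    secret = (0x0ABC).to_bytes(2, "big")      # constructed 12-bit key
    ct = rc4(secret, b"Plaintext")
    t0 = time.perf_counter()
    key, trials = exhaust(ct, b"Plaintext", 12)
    dt = time.perf_counter() - t0
    print(f"12-bit key {key.hex()} found after {trials} trials in {dt:.2f}s")
    for bits in (40, 128):
        print(f"{bits}-bit full search at this rate: "
              f"{scale_seconds(dt, trials, bits) / 86400:.3g} days")
```

Each added key bit doubles the search, which is why the 40-bit figure quoted in the reply is within reach of modest hardware while a 128-bit key is not.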