Re: Which is more secure RC2 or RC4 ?



Homer Simpson wrote:
> I mean if I'm using for example Asp-Encrypt, create a 128 bit key
> using AES, save it in a remote place inside the registry, and then
> use it to encrypt/decrypt strings of text upon inserting/reading
> them from the database, wherein lies the security problem?

Now, after we've tried to talk you into designing a system /we/ think
of as secure, let's do it from the other side and answer your original
question with the added information provided above:

You believe that if you protect your data this way (key hidden
in the registry) they are secure enough for your purposes, whatever they
are. Fair enough, it's your application.

If we assume an attack that works by stealing the disk and trying every
string found in the registry (or anywhere on the disk, it's not much compared
to key exhaustion) on the data automatically then the encryption
will mean an added effort of, say, one day preparation and a few hours to
carry out the attack. This will IMHO be the only benefit encryption offers
to your data.

If you say that this is ok with regards to the value of your information, then
RC2 is entirely appropriate for this level of security. So are DES, Skipjack,
IDEA and a number of other older block ciphers. You probably won't need 128 bits
of key, 64 bit ought to be all right too in order to avoid making encryption
the weakest link in your security strategy.

I'd still avoid RC4 or any other stream cipher.

Hope this helps.

Lots of Greetings!
Volker
--
For email replies, please substitute the obvious.