Re: Beginner Question: Rijndael encrypted value over SSL



Matthew Fanto wrote:
> On Mar 23, 3:30 am, "MichiMichi" <wwwm...@xxxxxx> wrote:
>> Hello Mat, thanks for your answer.
>>
>> The SSL encryption is done with RC4 encryption, which is the
>> standard SSL encryption and gives only minimal protection. It could
>> for sure be broken if some professional crypto dudes try to hack it.
>
> RC4 is probably the most widely used simply because of performance
> issues, but I wouldn't call it the standard. RFC 2246, which specifies
> TLS (SSL v3.1) actually mandates that all implementations support
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, which would be the 3DES algorithm
> (with SHA1, DSS, etc.)
>
> I would hardly call RC4 minimal protection if it's done right, which
> it is in SSL/TLS. There are certainly weaknesses in RC4, it is biased,
> and everything else, but from a practical standpoint, it's not that
> weak in SSL/TLS.

You can make that case for 128-bit RC4, but you don't want to generalize to include SSL's 40-bit RC4.

> I don't recommend using it in any sort of new
> application, and it's probably best to avoid it if at all possible,
> but in your case it's probably acceptable. Obviously the much better
> choice is 3DES or AES.

--Mike Amling