- From: Amir Herzberg <AMIR@newgenpay.com>
- Date: Sun, 20 May 2001 10:13:31 +0300
- To: "Xml Encrypt (E-mail)" <xml-encryption@w3.org>
I recommend we do NOT make a pure stream cipher a mandatory-to-implement requirement. By `pure` I refer to a stream cipher like RC4, designed for efficient implementations (also in hardware). I do not refer to using CBC (or similar) mode for the block cipher (3DES/AES), which is a good idea (in fact I think we probably should mandate ONLY CBC mode).

Reasons for not mandating any stream cipher:

-- With rapidly improving processor speeds, pure stream ciphers are less critical than in the past.

-- No established standard. This in particular means we need to make a crypto choice here, and I think this group is not best suited for such a decision. Result: whatever choice we make, it is likely to be incompatible with most hardware stream ciphers. But the main motivation for `pure` stream ciphers is hardware implementation. QED

-- Some concerns about the main contender, RC4 (I meant ARCFOUR...). In particular, Mantin and Shamir discovered some weaknesses, which disappear (almost) completely when you discard the first 256 output bytes. The initialization of the original RC4 used 1000 commands, and discarding 256 bytes doubles it.

Best regards,

Amir Herzberg
CTO, NewGenPay Inc.
See demo and lectures/overviews/tutorials on crypto-security for mobile, e-commerce, etc. in http://www.newgenpay.com/mpay/course/course.html
Received on Sunday, 20 May 2001 03:10:00 UTC
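As an added illustration, not part of Herzberg's message or of the W3C draft: a minimal RC4 (ARCFOUR) implementation with the "discard the first N output bytes" option he describes, plus a counter that makes the Mantin-Shamir second-byte bias visible with and without dropping the first 256 bytes. The 16-byte random keys, the trial count and the RNG seed are my own choices for the demo.

```python
import random

def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes for `key`, skipping the first `drop` bytes."""
    # Key-scheduling algorithm (KSA): permute S using the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA); bytes before `drop` are
    # generated but thrown away, which is the mitigation the message describes.
    out = bytearray()
    i = j = 0
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if n >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR `data` with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ k for a, k in zip(data, rc4_keystream(key, len(data), drop)))

def second_byte_zero_count(trials: int, drop: int, seed: int = 1) -> int:
    """Count, over `trials` random 16-byte keys (constructed here), how often the
    second emitted keystream byte is 0x00.  An ideal generator gives about
    trials/256; without a drop the Mantin-Shamir bias gives roughly twice that."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits

if __name__ == "__main__":
    trials = 8000
    print("expected for an unbiased generator:", trials / 256)
    print("second byte == 0, no drop:  ", second_byte_zero_count(trials, 0))
    print("second byte == 0, drop 256: ", second_byte_zero_count(trials, 256))
```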