Discussion:
RC4-MD5 versus AES256-SHA
Ace
2008-06-06 03:20:31 UTC
Hi,

I know that DHE-RSA-AES256-SHA is more secure than RC4-SHA but it needs
more computation power and RC4-MD5 is faster. I saw mixed responses on
RC4-MD5 usage. OpenSSL lists it as a medium strength cipher but I found that
many people have listed attacks on this, possible in an hour. What is the
reality? How secure is it to go with RC4-MD5? Is there any other suite
that is faster than DHE-RSA-AES256-SHA and secure too? I know that DES and
3DES are bad. What about IDEA-CBC-SHA? It is faster but is it secure too?
--
I may be miles away... but I am just an email away.... so keep emailing...!!!
Cheers,
Rajan
Victor Duchovni
2008-06-06 04:12:23 UTC
Post by Ace
I know that DHE-RSA-AES256-SHA is more secure than RC4-SHA
The DHE part especially, as it yields forward-secrecy. So far, RC4
with fully random keys has held up reasonably well.
Post by Ace
but it needs
more computation power and RC4-MD5 is faster.
I saw mixed responses on
RC4-MD5 usage. OpenSSL lists it as a medium strength cipher but I found that
many people have listed attacks on this, possible in an hour.
1 hour attacks against 128-bit RC4 are not yet published in the academic
(non-military) crypto community.
Post by Ace
What is the
reality? How secure is it to go with RC4-MD5? Is there any other suite
that is faster than DHE-RSA-AES256-SHA and secure too? I know that DES and
3DES are bad. What about IDEA-CBC-SHA? It is faster but is it secure too?
What problem are you solving? Is bulk encryption performance (as opposed
to say, PKI handshakes, ...) really your bottleneck?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Ace
2008-06-06 05:28:28 UTC
Hi Victor,

PKI Handshakes are always the cause of worry when it comes to performance
but now I am facing problems even with the normal encryption. The data size
is around 2k. Would you suggest using RC4-MD5?

--
I may be miles away... but I am just an email away.... so keep emailing...!!!
Cheers,
Rajan
Victor Duchovni
2008-06-06 13:01:04 UTC
Post by Ace
PKI Handshakes are always the cause of worry when it comes to performance
but now I am facing problems even with the normal encryption. The data size
is around 2k. Would you suggest using RC4-MD5?
I never suggest optimizing something, until there is clear evidence
that the thing being optimized plays a significant role in the observed
performance. I am skeptical that MD5 vs SHA1 will make a noticeable
difference, so if you want RC4 use RC4-SHA, but only if the performance
advantage over DHE-RSA-AES256-SHA is critical.
--
Viktor.
Ace
2008-06-06 17:56:56 UTC
Thanks Victor! Yes, the performance is critical. Another thing is, I just
checked the PKI handshakes with RC4 and was amazed to see a 75% gain in
performance. Am I losing something more than DH parameters in handshakes
when going with RC4?

--
I may be miles away... but I am just an email away.... so keep emailing...!!!
Cheers,
Rajan
Victor Duchovni
2008-06-07 04:08:06 UTC
Post by Ace
Thanks Victor! Yes, the performance is critical. Another thing is, I just
checked the PKI handshakes with RC4 and was amazed to see a 75% gain in
performance. Am I losing something more than DH parameters in handshakes
when going with RC4?
You lose forward-secrecy: if your private key is ever disclosed, *all*
past traffic (if it was recorded) can be decrypted. This is not the
case with DHE (aka EDH) ciphers. Neither RC4-SHA nor RC4-MD5 uses EDH
key exchange.

You have to decide how much security you need and at what cost. A factor
of 2 in performance is not necessarily compelling; a factor of 10 or
100 generally is. But no security at all is faster still; you have to
draw the line somewhere that makes sense.
--
Viktor.
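
Added example, not part of the original posts: a small parser for the listing layout of `openssl ciphers -v` that reports which of the suites named in this thread use an ephemeral key exchange and so provide forward secrecy. The sample lines are constructed, and the function names and the Kx mapping noted in the comments are assumptions to check against your own build.

```python
import re

# Constructed sample in the layout printed by `openssl ciphers -v` on
# OpenSSL builds of the thread's era: name, protocol, Kx=, Au=, Enc=, Mac=.
SAMPLE = """\
DHE-RSA-AES256-SHA  SSLv3 Kx=DH   Au=RSA Enc=AES(256)  Mac=SHA1
RC4-SHA             SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5             SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=MD5
IDEA-CBC-SHA        SSLv3 Kx=RSA  Au=RSA Enc=IDEA(128) Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
REQUIRED = {"Kx", "Au", "Enc", "Mac"}


def parse_line(line):
    """Parse one listing line into a dict (hypothetical helper)."""
    parts = line.split()
    fields = dict(FIELD.findall(line))
    if len(parts) < 2 or REQUIRED - set(fields):
        raise ValueError(f"not a cipher listing line: {line!r}")
    return {"name": parts[0], "protocol": parts[1], **fields}


def has_forward_secrecy(suite):
    """True when the key exchange is ephemeral (EC)DH.

    Assumption: ephemeral exchange prints as Kx=DH or Kx=ECDH, optionally
    with a size such as Kx=DH(512); static variants print as Kx=DH/RSA or
    Kx=ECDH/ECDSA, and plain RSA key transport as Kx=RSA.
    """
    kx = re.sub(r"\(\d+\)$", "", suite["Kx"])
    return kx in {"DH", "ECDH"}


def report(listing):
    """Return one row per suite with its forward-secrecy verdict."""
    rows = []
    for line in listing.splitlines():
        if line.strip():
            suite = parse_line(line)
            suite["forward_secrecy"] = has_forward_secrecy(suite)
            rows.append(suite)
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        fs = "yes" if row["forward_secrecy"] else "no"
        print(f'{row["name"]:<20} Kx={row["Kx"]:<5} Mac={row["Mac"]:<5} FS={fs}')
```

To check a real server configuration, feed `report()` the output of `openssl ciphers -v` for the cipher string you intend to deploy instead of the constructed sample.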