On Sat, Sep 17, 2011 at 08:18:14AM +0100, Nicholas Bamber wrote: > * Package name : libcrypt-rc4-perl > Version : 2.02 > Upstream Author : Kurt Kincaid (sifukurt@yahoo.com) > * URL : http://search.cpan.org/dist/Crypt-RC4/ > * License : Artistic or GPL-1+ > Programming Lang: Perl > Description : Perl implementation of the RC4 encryption algorithm > > A simple implementation of the RC4 algorithm, developed by RSA Security, > Inc. > Here is the description from RSA's website: Why are you adding this to the archive? RC4 is less secure than many other algorithms. It may be faster and simpler, but security-wise, it's on its way out. > Independent analysts have scrutinized the algorithm and it is considered > secure. This is simply not true. RC4 is extremely vulnerable to related-key attacks, the initial bytes of the keystream leak significant amounts of information of the key, and those initial bytes tend to be very biased (the first byte has a 37% chance of being 0x01 and the second has a 12% chance of being 0x03; they should each be 1/256). Also, RC4's keyspace is not flat; that is, it has weak keys. These vulnerabilities have been practically exploited to break WEP (see aircrack-ng). If you insist on adding this to the archive, please note in the description that RC4 is vulnerable to a variety of security attacks and should not be used except in protocols that have specially designed countermeasures to avoid these problems. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature