Paid Advertising is
ha.ckers sla.cking
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Posted by: BrianWGray
Date: August 27, 2007 10:58AM

Anyone able to explain/discuss with me in any depth why RC4-MD5 encryption for ssl would be considered a medium security encryption? Are their available utilities etc. for simplified decryption that I may not know about that make it more of a security risk.

- QnJpYW5XR3JheUBnbWFpbC5jb20=

Options: ReplyQuote
Re: RC4-MD5
Posted by: thornmaker
Date: August 27, 2007 12:17PM

RC4 has had several weaknesses uncovered in the past few years. Wikipedia has a nice writeup: .

Options: ReplyQuote
Re: RC4-MD5
Posted by: BrianWGray
Date: August 27, 2007 02:38PM

Thanks for reference link. :) I appreciate it.

I'm trying to figure out why N-Stalker would complain about RC4-MD5 and not RC4-SHA.

Edited 1 time(s). Last edit at 08/27/2007 03:41PM by BrianWGray.

Options: ReplyQuote
Re: RC4-MD5
Posted by: Malkav
Date: January 08, 2008 04:38PM

it all depends of your position.

for a cryptographer, it's broken, dead, don't talk about it. too much design flaws, both MD5 and RC4.
MD5 has a collision space which is *ginormous* (we are speaking here of guys who computes mersennes primes in their heads FFS) and RC4 has a really *weak* PRNG scheme (like the one you love when you launch aircrack)

SHA1 has been broken but AFAIK SHA128 and upper are still considered secure. but it's just a matter of time, as it's a pure question of computing power.
you'll note that in a HMAC scheme, where you ignore collisions (yeah, intercepting a packet, modifying the payload (if it's not encrypted), and finding a collision, and reemiting the packet. in realtime. roger me senseless with a sledgehammer if you can do that)

in conclusion, avoid RC4 at all cost (not even good enough to stirr an entropy pool), but as long as you're in an HMAC situation, MD5 still worth a try.

Options: ReplyQuote

Sorry, only registered users may post in this forum.