# Triple RC4 = Strong encryption

• I have taken over a system written in ASP and am porting it to ASP.NET - one of the requirements is that certain data fields be encrypted with "Strong" encryption (this is actully a possible compliance issue too) - The only easy to use VBScript encryption code they found online was for RC4 - the problem is that for certain applications RC4 is not considerd "Strong" enough.

So they had a brain storm - just like the DES algoritihm was strengthed into 3DES by tripple encrypting it what they did was made a function called Encrypt3RC4 which was basiclly

return value = rc4Enc(rc4Enc(rc4Enc(value to be encrypted),key),key),key)

and viola - a new "strong" encryption method has been born   3RC4

The problem is that RC4 is a stream cipher that is reversable (call rc4 on itself and you get the input value)

Well at least they didn't decide to take it one more level and make it "stronger" by making it 4RC4

• # Re: Triple RC4 = beetle juice

@DeepICE2 said:

return value = rc4Enc(rc4Enc(rc4Enc(value to be encrypted),key),key),key)

Careful... say his name 3 times and he appears!

• any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

• @tster said:

any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

One of the professors in the university used to say that the strongest encryption he can think of is to use a 1GB key and just XOR the bytes, saving the offset in the key to start decrypting in the first 4 bytes of the result, so as long as you and the other party have the key and noone else it's totally irreversible.  According to his words a radio noise would be perfect for creating the key - you know it's absolutely random and noone can reproduce it in any way.

• @nsimeonov said:

@tster said:

any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

One of the professors in the university used to say that the strongest encryption he can think of is to use a 1GB key and just XOR the bytes, saving the offset in the key to start decrypting in the first 4 bytes of the result, so as long as you and the other party have the key and noone else it's totally irreversible.  According to his words a radio noise would be perfect for creating the key - you know it's absolutely random and noone can reproduce it in any way.

What you have just described is termed a 'one-time pad'.  The one-time pad has been proven to be absolutely unbreakable encryption (in contrast to the more common symmetric and public/private key algorithms we all use, which have not been proven secure), as long as the 'pad' is *absolutely unpredictable*.

Let me clarify: "unpredictable" != "random".  A sequence that passes the chi-squared and every other randomness test in the world is not unpredictable if it came from a Mersenne twister, a book of random numbers, closing stock prices, or any other publicly-available piece of information.  First and foremost, this also means that the 'pages' of the one-time pad *must not* be re-used -- otherwise the results will be susceptible to cryptanalysis.  The Soviets used one-time pads during the Cold War, and accidentally reused a few pages.  A (relatively) recently declassified program known as the VENON project discovered this.

The whole system works because since every byte of the key is independent of every other byte, even if you figure out what one byte of the key is, it doesn't help you get *any part* of the rest of the message.  Therefore, if you can find a pattern in the key data, you can use cryptanalysis to find chunks of the ciphertext that fit that pattern.

Wikipedia has a very detailed article on all of this at http://en.wikipedia.org/wiki/One-time_pad -- it has some interesting information on the VENON project I mentioned.

• @tster said:

any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

This thread is just full of proof that you have to be very careful of who you hire to write code related to cryptography.

That triple-RC4 is apparently someone who heared about triple-something at one point, only not realizing that what it was supposed to be was triple-DES with three different keys.

And tster here, well, isn't even making a lot of sense.  There are many RSA algorithms out there, an they certainly aren't all the strongest out there.  At least one's been broken in fact.

The two codes that have withstood the most scrutiny and are most trusted by those who need cryptography are DES and AES.  And as far as I can tell, the only reason not to use triple-DES is when you don't want to spend that much CPU time.

• @Neil said:

@tster said:
any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

This thread is just full of proof that you have to be very careful of who you hire to write code related to cryptography.

That triple-RC4 is apparently someone who heared about triple-something at one point, only not realizing that what it was supposed to be was triple-DES with three different keys.

And tster here, well, isn't even making a lot of sense.  There are many RSA algorithms out there, an they certainly aren't all the strongest out there.  At least one's been broken in fact.

The two codes that have withstood the most scrutiny and are most trusted by those who need cryptography are DES and AES.  And as far as I can tell, the only reason not to use triple-DES is when you don't want to spend that much CPU time.

From what I had heard (slightly before my time) DES was getting so weak (before moving to 3DES) that it was jokingly being referred to as the "Ederal-Fey Anderd-Stay".

• DES's algorithm isn't getting weak; the big problem with it is its key length. 56 bit keys can be broken by exhaustion.

However, with 3DES you get 168 key bits, and you're fine that way.

• @Neil said:

@tster said:
any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

<snip>

And tster here, well, isn't even making a lot of sense.  There are many RSA algorithms out there, an they certainly aren't all the strongest out there.  At least one's been broken in fact.
<snip>

lol.  I used RSA as an example because it's super easy to program.  I did it in like 3 hours, and that was including making it fit into some software.  I'm sure someone with more experience than me could do it faster.  it's super hard to bread as long as you don't do something stupid with it.  plus you can use however large keys you want.  I personally used a 2000 bit key just for the fun of it.  if you needed a faster algorithm try the AES.  that's pretty widely accepted as a secure cipher.

• @tster said:

@Neil said:
@tster said:
any competent programmer with an internet connection can write an RSA algorithm.  that's the strongest encryption invented at this time. (although there are some other ones that are close).

<snip>

And tster here, well, isn't even making a lot of sense.  There are many RSA algorithms out there, an they certainly aren't all the strongest out there.  At least one's been broken in fact.
<snip>

lol.  I used RSA as an example because it's super easy to program.  I did it in like 3 hours, and that was including making it fit into some software.  I'm sure someone with more experience than me could do it faster.  it's super hard to bread as long as you don't do something stupid with it.  plus you can use however large keys you want.  I personally used a 2000 bit key just for the fun of it.  if you needed a faster algorithm try the AES.  that's pretty widely accepted as a secure cipher.

Reimplementing RSA would probably make a good wtf in the right circumstances.

Why would you want to write a RSA implementation yourself? You are far more likely to make some fundamental mistake or error which nullifies the entire point of the encryption. Using a implementation written by some person who has spent their entire life studying cryptology would be easier and more secure. Cryptology is one of those things I try and keep my little head out of if it's anything important. I preferr to leave it to those people that know what they are doing.

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.