"Mariano Martinez Peck" <[hidden email]> wrote:
> > Anyway.... I do need encrypt/decrypt and it should be fast. I have just
> > tried ARC4 and seems to be fast. I have a few questions:
> >
> > - If I make the ARC4 key larger is it likely to be safer?
> > - How does ARC4 compare to blowfish from security point of view? Is
> > blowfish much more secure or not that much?
> >
> >
>
> mmm reading a bit more I would say ARC4 may not be the most accurate for my
> case. Why? Because I may have many fields from many objects all being
> protected with the same password (hence, same key for the ARC4). This may
> affect ARC4 security, right? And even more that key is not a random stream
> but a fixed one (the " SecureHashAlgorithm new hashMessage: aString" of
> the password they are protected with)....
With stream ciphers (or block cipher in modes that emulate a stream cipher, e.g. OFB, CTR) you absolutely must not reuse the same key to encrypt different data (http://en.wikipedia.org/wiki/Stream_cipher_attack). You could try to devise a way to avoid re-using the exact same key, e.g. generate the encryption key by mixing in a unique id of the field that you're encrypting along with the password, but unless you really know what you're doing, it's quite easy to make a fatal mistake in your design. Best way to do this is to stick with standard solutions. You're trying to use passwords for encryption, so your standard options would be PKCS#5, bcrypt or scrypt.
HTH,
Martin
_______________________________________________
Glass mailing list
[hidden email]
http://lists.gemtalksystems.com/mailman/listinfo/glass
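
The key-reuse problem described in the reply above, next to a salted PKCS#5 (PBKDF2) key derivation that avoids it, as an added example that is not part of the original thread. It assumes `SecureHashAlgorithm` is SHA-1; the function names and sample field values are constructed for illustration, and RC4 is kept on both sides only so that the key derivation is the single variable.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (ARC4): XOR data with the keystream derived from key."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                                     # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fixed_key(password: str) -> bytes:
    """Scheme from the quoted question: one hash of the password for every field
    (assumption: SecureHashAlgorithm is SHA-1)."""
    return hashlib.sha1(password.encode()).digest()

def field_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PKCS#5 PBKDF2; the random salt is generated per field and stored with it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def keystream_cancels(ct_a: bytes, ct_b: bytes, pt_a: bytes, pt_b: bytes) -> bool:
    """True when XORing two ciphertexts removes the keystream entirely, i.e. the
    stored ciphertexts alone reveal pt_a XOR pt_b without any key."""
    return xor(ct_a, ct_b) == xor(pt_a, pt_b)

def reuse_leaks(password: str, pt_a: bytes, pt_b: bytes) -> bool:
    key = fixed_key(password)                             # same key, same keystream
    return keystream_cancels(rc4(key, pt_a), rc4(key, pt_b), pt_a, pt_b)

def salted_leaks(password: str, pt_a: bytes, pt_b: bytes) -> bool:
    key_a = field_key(password, os.urandom(16))           # independent keystreams
    key_b = field_key(password, os.urandom(16))
    return keystream_cancels(rc4(key_a, pt_a), rc4(key_b, pt_b), pt_a, pt_b)

if __name__ == "__main__":
    a, b = b"iban=DE00-constructed", b"ssn=000-00-constructed"   # constructed sample fields
    print("fixed key leaks plaintext XOR:", reuse_leaks("hunter2", a, b))
    print("per-field salted key leaks:   ", salted_leaks("hunter2", a, b))
```

The salt is not secret; it only has to be unique per field and stored next to the ciphertext so the key can be re-derived at decryption time.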