Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
My recommendation is not to use RC4. But first, I'll answer your question about PGP.
The OpenPGP standard requires that any of the ciphers it uses be at least 128-bits in key size. It also allows for Triple-DES (which is 168 bits, but probably no stronger than 128 -- it would take several paragraphs to explain that fully), Twofish at 256 bits, and AES at all three of its strengths, 128, 192 and 256.
PGP 6.0 predates Twofish and AES, however.
RC4 is used in a lot of SSL implementations, but rarely in object encryption. The reason is that since it is a stream cipher, it has to be used carefully. All stream ciphers have this problem. Misuse of a stream cipher was perhaps the biggest problem in the crack of RC4 in WEP (Wired Equivalent Privacy).
However, RC4 is also starting to show its age. There have been a number of small flaws found in it, of late. I wouldn't panic, myself, but I wouldn't start any new applications using it. Friends I respect, however, are more firm and say you should stop using it right away.
For more info on this topic, visit these SearchSecurity.com resources:
This was first published in March 2004