Problem solve Get help with specific problems with your technologies, process and projects.

Can you recommend RC4 128-bit encrypted software?

Can you recommend RC4 128-bit encrypted software? We are currently using PGP 6.0 and are unable to determine the encryption level.

My recommendation is not to use RC4. But first, I'll answer your question about PGP.

The OpenPGP standard requires that any of the ciphers it uses be at least 128-bits in key size. It also allows for Triple-DES (which is 168 bits, but probably no stronger than 128 -- it would take several paragraphs to explain that fully), Twofish at 256 bits, and AES at all three of its strengths, 128, 192 and 256.

PGP 6.0 predates Twofish and AES, however.

RC4 is used in a lot of SSL implementations, but rarely in object encryption. The reason is that since it is a stream cipher, it has to be used carefully. All stream ciphers have this problem. Misuse of a stream cipher was perhaps the biggest problem in the crack of RC4 in WEP (Wired Equivalent Privacy).

However, RC4 is also starting to show its age. There have been a number of small flaws found in it, of late. I wouldn't panic, myself, but I wouldn't start any new applications using it. Friends I respect, however, are more firm and say you should stop using it right away.

For more info on this topic, visit these SearchSecurity.com resources:

  • Ask the Experts: Encrypting credit card numbers in a Web-based order-entry system
  • Executive Security Strategies: Cryptography basics for infosecurity managers
  • Tip: One-time pads explained

This was last published in March 2004

Dig Deeper on Disk and file encryption tools