Comparison of Triple DES and RC4

What is Triple DES?

First, let’s discuss what Triple DES, aka “3DES” is.  It’s a cryptography method based on the Data Encryption Standard (DES). DES is a block cipher designed to encrypt and decrypt data blocks that contain 64 bits by utilizing a 64-bit key. Singh, G., & Supriya, S. (2013).  The main difference between the two encryption implementations is that Triple DES utilizes the DES cipher three times during its encryption/decryption processes by utilizing three key combinations totaling 168 bits, each of the three keys being 56 bits long. 

“There are three options to use a combination of sub – key that has become standard in the encryption process and decryption process using 3DES cryptographic method, that are: 1. Three sub – key have different combinations (3K3DES). 2. K1 and K2 have different combinations, whereas K1and K3have the same combinations (2K3DES). 3. Three sub – key has the same combinations.” Ratnadewi, Adhie, R. P., Hutama, Y., Saleh Ahmar, A., & Setiawan, M. I. (2018). Triple DES has been implemented to secure electronic payments, email, and web browsers.

What is RC4?

Now, let’s discuss what RC4 is.  RC4 is an acronym for “Rivest Cipher 4”, which is a stream cipher developed by Ron Rivest of RSA Security in 1987.  It processes either input or unit data at one time, which can either be bits or a byte.  By doing so, the encryption/decryption process can be based on the variable length, and the RC4 algorithm doesn’t have add extra bytes to encrypt or wait for a certain amount of data input before it’s processed.

The algorithm for RC4 has two stages, key generation and encryption.   The first phase is key generation and tends to be the most difficult, as it’s used to generate a variable encryption which utilizes two arrays, states and keys, and the results of merged steps.  “This merger operation consists of swapping, modulo, and other formulas. Modulo operation is the process that produces the residual value of the shares. “For example, 11 divided by 4 is 2 with the rest of division is 3, if 7 modulo 4, it will produce 3. The variable emerges from the encryption key generation process will be conducted XOR with the plaintext to produce encrypted text.” Sumartono, I., Siahaan, A., & Mayasari, M. (2016).

While the RC4 algorithm is very simple and easy to implement, a key problem is that if it is implemented improperly, it may lead to weak cryptographic systems. This is one of the key reasons why RC4 is slowly being phased out. The weaknesses behind RC4 as a TLS cipher due to statistical biases in the keystream has been well documented [RFC7465], and these statistical   numbers are certainly a concern for any consumer of the RC4 cipher.  However, the RC4 Kerberos encryption types have additional flaws.  “These flaws reduce the security of applications that use the encryption types; the weakening   occurs for various reasons, including the weakness of the password hashing algorithm, the reuse of key material across protocols, and the lack of a salt when hashing the password.” Internet Engineering Task Force (IETF). (2018).  Also, other weaknesses were found with RC4 biases, where testers attacked a WPA-TKIP network within an hour. They were surprised that this was possible using only known biases, and expect these types of attacks to further improve in the future. Based on their results, they are strongly urging people to stop using RC4 altogether. Vanhoef, M., & Piessens, F. (2015).

Regarding Triple DES, in 2001 AES (Advanced Encryption Standard) was created with the intent of coexisting with 3DES and eventually replacing it by 2030, thereby allowing for a gradual replacement.  However, there have been multiple vulnerabilities uncovered which appear to accelerating the process. For example, the “Sweet32” exploit took advantage of an issue with collision attacks in 3DES. After the exposure of this exploit, the NIST proposed that 3DES encryption be deprecated, and soon thereafter, restricted its usage. Deprecated meaning in this case that the use of the algorithm and key length is still allowed; however, the user must bear some of the risk involved. As guidance via draft by NIST on July 19, 2018, the “Triple Data Encryption Algorithm (TDEA or 3DES) is officially being retired. The current guidelines are proposing that, after a period of public consultation, 3DES is deprecated for all new applications and usage is disallowed after 2023.” Henry, J. (2018).

While AES would be my first choice to replace 3DES and RC4, for now, 3DES would be my choice as it’s still supported for a few more years, while the users of RC4 has mostly been told to stop using it right away.

In the RSA public key encryption scheme, each user has a public key, e, and a private key, d. Suppose Bob leaks his private key. Rather than generating a new modulus, he decides to generate a new public and new private key. Is this safe?  First, let’s review what RSA is.

What is RSA?

RSA is an acronym for its designers (Rivest, Shamir, and Adleman).  RSA is one of the best-known cryptosystems out there for digital signatures or key exchange.  It utilizes both variable key size and encryption block size, and implements prime number for generation of both the private and public keys.  These keys are then used for the encryption and decryption process. 

Suppose Bob leaks his private key. Rather than generating a new modulus, he decides to generate a new public and new private key. Is this safe?

The biggest concern with the RSA keys is that their weak key generation makes RSA very susceptible to attacks.  Therefore, it has to be done properly. Here are the steps needed to happen in order to generate secure RSA keys:

1. “Large Prime Number Generation: Two large prime numbers pp and qq need to be generated. These numbers are quite large: At least 512 digits, but 1024 digits is considered safe.
2. Modulus: From the two large numbers, a modulus nn is generated by multiplying ppand qq.
3. Totient: The totient of n,ϕ(n)n,ϕ(n) is calculated.
4. Public Key: A prime number is calculated from the range [3,ϕ(n))[3,ϕ(n)) that has a greatest common divisor of 11 with ϕ(n)ϕ(n).
5. Private Key: Since the prime in step 4 has a gcd of 1 with ϕ(n)ϕ(n), we are able to determine its inverse with respect to modϕ(n)modϕ(n).” Steyn, B. (2012). The effectiveness of the RSA algorithm is derived from the fact that it’s difficult to convert the large integers into prime numbers.

There are other factors to consider. One is that the strengths with RSA are based on the keys that utilize large prime numbers. Another is the “Common modulus attack”, where if everyone is given the same modulus “n” but different (e,d) pair, then under certain conditions, it is possible to decrypt the message without d.”  Preetha, M., & Nithya, M. (2013). This is the step Bob wanted to skip (not generating the new modulus), therefore it is a not a safe alternative for key replacement.

CONCLUSION

Considering the risk involved with skipping some steps and generating both the public and private keys, Bob should not generate both keys for distribution.

REFERENCES

• Champlain College. (2019). Week 3: Assignment – DES, RC4 and RSA. Retrieved from https://champlain.instructure.com/courses/1072154/assignments/10950864
• Henry, J. (2018). 3DES is Officially Being Retired. Retrieved from https://www.cryptomathic.com/news-events/blog/3des-is-officially-being-retired
• Internet Engineering Task Force (IETF). (2018). RFC 8429: Deprecate Triple-DES (3DES) and RC4 in Kerberos. Retrieved from https://www.rfc-editor.org/rfc/rfc8429
• Preetha, M., & Nithya, M. (2013). A STUDY AND PERFORMANCE ANALYSIS OF RSA ALGORITHM. International Journal of Computer Science and Mobile Computing, 2(6), 126-139. Retrieved from https://www.ijcsmc.com/docs/papers/June2013/V2I6201330.pdf
• Ratnadewi, Adhie, R. P., Hutama, Y., Saleh Ahmar, A., & Setiawan, M. I. (2018). Implementation Cryptography Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES) Method in Communication System Based Near Field Communication (NFC). Journal of Physics: Conference Series, 954, 012009. doi:10.1088/1742-6596/954/1/012009
• Singh, G., & Supriya, S. (2013). A Study of Encryption Algorithms (RSA, DES, 3DES and AES) for Information Security. International Journal of Computer Applications, 67(19), 33-38. doi:10.5120/11507-7224
• Steyn, B. (2012). How RSA Works With Examples. Retrieved from http://doctrina.org/How-RSA-Works-With-Examples.html
• Sumartono, I., Siahaan, A., & Mayasari, M. (2016). An Overview of the RC4 Algorithm. IOSR Journal of Computer Engineering (IOSR-JCE), 18(6), 67-73. Retrieved from DOI: 10.9790/0661-1806046773
• Vanhoef, M., & Piessens, F. (2015). All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS. Retrieved from www.rc4nomore.com/vanhoef-usenix2015.pdf