Reply to post: Re: WPA or WPA2?

RC4 crypto: Get RID of it already, say boffins

Michael Wojcik Silver badge

Re: WPA or WPA2?

Good encryption is effectively unbreakable no matter how much data you have. Flawed encryption is crackable some of the time, by those with resources. Bad encryption is just not considered encryption.

Terms like "good", "flawed", and "bad" are meaningless in this context, unless they're defined by a threat model.

If my threat model is, say, that I might lose a device and some random idiot who finds it might browse through files looking for sensitive information, then RC4 covers that just fine. For this particular application, if my threat model is "teenager next door might hop on my WiFi and eat up bandwidth streaming porn", then WPA with RC4 covers that too. Hell, WEP covers it; it's trivially breakable for anyone who makes a bit of effort, but that pretty much excludes the neighborhood kids, because they have better things to do with their time, and because there are easier targets (i.e., unsecured networks) in the area.

I know, I know - Reg readers and scribes[1] are clearly incapable of understanding the basic concepts of information security, in particular the notion that security is always relative and only meaningful under a threat model. But I enjoy pointing this out in the comments of every story on cryptography, because I'm an annoying bastard.

[1] Any security researcher saying "the RC4 crypto algorithm needs to be wiped from the face of the Earth" is being careless, or is simply incompetent. RC4 is fine for many applications under many threat models. The fact that it's inadequate - sometimes severely - for other applications and under other threat models means it has to be used cautiously. But hyperbole like this is simply foolishness, and encourages poor security thought and practice.
