in reply to Re: Crypt::CipherSaber replacement... Crypt::CBC?
in thread Crypt::CipherSaber replacement... Crypt::CBC?
After thinking about it some more, I can almost guarantee your system is insecure.
The way stream ciphers like RC4 work is to take a key as a seed value to a pseudo-random number generation function. Each bit of output in the PRNG is XOR'd with the data (much like an OTP).
The problem with this is that if you use the same encryption key twice (which I assume your password database would be, and is also where Microsoft screwed up with NT3), an attacker can easily recover the key by comparing the two encrypted values. This can also be a problem when encrypting large amounts of data with the same key (which is where WEP screwed up).
The solution is to stick with block ciphers like AES.
"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.