Score:2

MS CryptoAPI RC4-1024 vs AES-128?

cn flag

I'm trying to figure out MS CryptoAPI to generate a symmetric key on one computer then an RSA key on another, send over that public key to use to export the symmetric key to that other computer. I'm looking at their example here and it appears to create a session (symmetric) key of RC4 with a bit length of 1024 and then an RSA (AT_KEYEXCHANGE) of 1024 bits. Which then makes me wonder, how does RC4-1024 compare with AES-128? Or am I wrong on what that sample is actually doing?

Score:5
in flag

MD5 based key derivation and RC4 encryption. Really? Example created in 2018? Microsoft should be ashamed of itself. I don't see that 1024 bit key, I see a 128 bit key created from the aforementioned MD5, and PKCS#1 RSA encryption. As for the key size "The sizes of a session key can be set when the key is generated. The key size, representing the length of the key modulus in bits, is set with the upper 16 bits of this parameter. Thus, if a 128-bit RC4 session key is to be generated, the value 0x00800000 is combined with any other dwFlags predefined value with a bitwise-OR operation."

RC4 is relatively broken as the generated key stream is biased, AES with hardware acceleration should easily be more secure if used correctly. You want to use OAEP and an authenticated mode such as GCM (but good luck finding an example). Oh yeah and "Each of these CSPs has a default 128-bit symmetric key length for RC2 and RC4 and a 1,024-bit default key length for public key algorithms.". You should aim for at least 2048 bit and if possible 4096 bit; the latter should give you over 128 bit security.

Next year all of the crypto you see on that page will turn 30 years of age. Modern crypto has been around since Shannon (1949) with the initial big boom in the seventies, about 50 years ago. There is no 1024 bit RC4, just 128 bit RC4. The RSA key is too small using 1024 bits and please do not even thingk about copying that key derivation method for the password.

The code is not structured well at all either; the one thing you could learn from it are the calls to the cryptographic library and the way you could incrementally encrypt the file rather than doing it all in one go.

user3161924 avatar
cn flag
You're right, I need to get my eyes fixed. 0x00800000 was seeing 0x08000000.
Maarten Bodewes avatar
in flag
That would make 2048 bit - times 16 after all :P
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.