assurance - RE: [Assurance] RC4 encryption
- From: "Capehart,Jeffrey D" <>
- Subject: RE: [Assurance] RC4 encryption
- Date: Tue, 26 Feb 2013 16:39:43 +0000
RC4 used as a symmetric key cipher negotiated during the Public-Key
Cryptographic exchange with SSL protects the key, which could be partly why it
was allowed for limited use in the NIST SSL/TLS document as an exception.
There was more to it than that, but that was the gist I got.
Looks like footnote 17 is also needed...
#17: RC4 is acceptable for use on Government "Client" systems in very
limited circumstances where secure information is to be transferred between
Government systems and non-government servers, and 3DES or better (e.g., AES)
is not supported by the server. For example, many vendor web sites providing
supplies to the government support nothing stronger than RC4, and credit card
information must be conveyed and secured to order supplies. In such cases
risk is limited to exposure of government credit card information, and
agencies may wish to take this risk to expedite ordering of supplies. RC4
should never be used on Government "Server" systems where government
owned/generated data is to be made available in a secure manner to "client"
systems.
-----Original Message-----
From:
[mailto:]
On Behalf Of Brian Arkills
Sent: Tuesday, February 26, 2013 11:28 AM
To:
Subject: RE: [Assurance] Question on Protected Channel - SSL/TLS
Accepting RC4 would resolve the Active Directory stored secrets issue too.