Hello,
commit [1] introduced an embedded implementation of the RC4 cipher to
generate secure transaction IDs:
```
the implementation to use a more secure way of generating
unique IDs. It starts by obtaining a key with reasonable
entropy which is used with an RC4 stream to generate
the cryptographically secure transaction IDs.
```
Besides the general rule “don’t roll your own crypto”, RC4 is just
broken and can't really be considered a CSPRNG.
I wonder whether there are any particular reasons to use RC4 instead of
random IDs generated
(1) either with the help of a function similar to the function
currently used to generate the initial key (`randomize_key()`[2]),
(2) or with the help of the corresponding function from one of the
well-known crypto libraries (for example, `RAND_bytes()` from OpenSSL)?
(1) wouldn't introduce new dependencies but might have a performance
impact. Is this important / the reason behind the RC4 usage?
[1] https://github.com/c-ares/c-ares/commit/7a77f24d26f755421b91a0ea3852b6348d637861
[2] https://github.com/c-ares/c-ares/blob/master/src/lib/ares_init.c#L2504
Received on 2021-03-16
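The following is an added example, not part of the original message and not c-ares code, showing concretely why RC4 keystream output is not a CSPRNG. It measures the Mantin–Shamir second-byte bias: for a random key, the second keystream byte is 0 with probability about 1/128 rather than the 1/256 an ideal generator would give (this happens whenever the state byte S[2] is 0 after key setup and S[1] is not 2). The RC4 implementation and the xorshift64 key derivation below are written for this demonstration only; the 16-byte key length, the sample size and the seed are arbitrary choices.

```c
/* Added example (not c-ares code): measure the Mantin-Shamir second-byte
 * bias of RC4. If transaction IDs were taken from this keystream, the
 * second byte of each stream would be 0 twice as often as it should be. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal RC4 (KSA + PRGA), written here for the demonstration. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *r, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) r->s[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + r->s[i] + key[i % keylen]);
        uint8_t t = r->s[i]; r->s[i] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}

static uint8_t rc4_byte(rc4_t *r)
{
    r->i = (uint8_t)(r->i + 1);
    r->j = (uint8_t)(r->j + r->s[r->i]);
    uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
    return r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
}

/* Deterministic xorshift64, used only to derive the many test keys
 * (assumed key source for the experiment; the point is RC4's output
 * bias, not the quality of the key generator). */
static uint64_t xorshift64(uint64_t *st)
{
    uint64_t x = *st;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *st = x;
}

/* Fraction of `nkeys` random 16-byte keys whose keystream byte at
 * 0-based position `pos` is zero. An ideal CSPRNG gives ~1/256 at every
 * position; RC4 gives ~1/128 at pos == 1 (the second output byte). */
double rc4_zero_rate(size_t nkeys, int pos, uint64_t seed)
{
    uint64_t st = seed ? seed : 0x9E3779B97F4A7C15ULL;
    size_t zeros = 0;
    for (size_t n = 0; n < nkeys; n++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k += 8) {
            uint64_t w = xorshift64(&st);
            for (int b = 0; b < 8; b++) key[k + b] = (uint8_t)(w >> (8 * b));
        }
        rc4_t r;
        rc4_init(&r, key, sizeof key);
        uint8_t out = 0;
        for (int p = 0; p <= pos; p++) out = rc4_byte(&r);
        if (out == 0) zeros++;
    }
    return (double)zeros / (double)nkeys;
}

int main(void)
{
    const size_t N = 1u << 17;   /* 131072 keys, enough to see the bias */
    printf("P[keystream byte 1 == 0] = %.5f (ideal %.5f)\n",
           rc4_zero_rate(N, 1, 1), 1.0 / 256);
    printf("P[keystream byte 5 == 0] = %.5f (ideal %.5f)\n",
           rc4_zero_rate(N, 5, 1), 1.0 / 256);
    return 0;
}
```

The second byte comes out as 0 at roughly twice the ideal rate, while a later position such as byte 5 stays close to 1/256; later positions carry smaller, well-documented biases of their own. This is the practical meaning of "RC4 is not a CSPRNG": an observer of many IDs can distinguish them from uniform output, which is exactly what either of the two alternatives proposed above (the existing key-generation routine, or the OS/library CSPRNG behind something like `RAND_bytes()`) avoids.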