Chad Upton

Secret Key Encryption Options in the as3crypto Library

Written By: Chad Upton

The as3crypto library is an open source ActionScript 3 encryption library available from google code.

In an earlier post I demonstrated how to take plaintext and encrypt it into an unreadable file, then decrypt it so you could read it again. This is very useful in Flash or Flex projects where you need to hide data from the user, either because it’s sensitive information such as software licenses or personal info, or because tampering with it could cause your application to function incorrectly (ex. application settings).

In that post, I used the AES encryption algorithm but I promised a future post that talked about why. In this post, I want to revisit the secret key encryption choices in as3crypto, breaking down the choices, their strengths and weaknesses.

This guide should be used for general knowledge or to narrow down encryption methods you should consider for your project. Before making a final decision, you should deeply investigate that method to ensure it is right for your implementation.

In as3crypto, the secret key encryption choices are DES, 3DES, RC4, XTEA, AES and BlowFish.
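As an added example (not code from this post or from the as3crypto project), here is a small ActionScript 3 helper that picks any of those ciphers by name through as3crypto's `Crypto.getCipher()`, so that the IV and padding handling is the same whichever algorithm you choose. It assumes the as3crypto classes `Crypto`, `ICipher`, `IVMode`, `PKCS5`, `Random` and `Hex` under the `com.hurlant` package, the cipher names `"aes-cbc"`, `"blowfish-cbc"`, `"xtea-cbc"`, `"des-cbc"`, `"3des-cbc"` and `"rc4"`, and constructed demo keys; the `SecretKeyDemo` class and its methods are mine.

```actionscript
package {
    import com.hurlant.crypto.Crypto;
    import com.hurlant.crypto.prng.Random;
    import com.hurlant.crypto.symmetric.ICipher;
    import com.hurlant.crypto.symmetric.IVMode;
    import com.hurlant.crypto.symmetric.PKCS5;
    import com.hurlant.util.Hex;
    import flash.utils.ByteArray;

    // Added example; not code from the post or from as3crypto itself.
    // Wraps Crypto.getCipher() so the cipher is chosen by name and the
    // IV/padding bookkeeping is identical for every block cipher in the library.
    public class SecretKeyDemo {

        // Encrypts `plaintext` under `key`. For CBC block ciphers a fresh random
        // IV is generated per message and written in front of the ciphertext;
        // RC4 is a stream cipher and gets neither an IV nor padding.
        public static function encrypt(cipherName:String, key:ByteArray, plaintext:String):ByteArray {
            var data:ByteArray = new ByteArray();
            data.writeUTFBytes(plaintext);

            var cipher:ICipher = Crypto.getCipher(cipherName, key, new PKCS5());
            var out:ByteArray = new ByteArray();

            if (cipher is IVMode) {
                var iv:ByteArray = new ByteArray();
                new Random().nextBytes(iv, cipher.getBlockSize()); // as3crypto's own PRNG (assumed API)
                IVMode(cipher).IV = iv;
                out.writeBytes(iv); // the IV is not secret; it only has to be unique per message
            }
            cipher.encrypt(data); // as3crypto ciphers transform the ByteArray in place
            out.writeBytes(data);
            out.position = 0;
            return out;
        }

        // Reverses encrypt(): reads the IV prefix (if the mode needs one), then decrypts.
        public static function decrypt(cipherName:String, key:ByteArray, blob:ByteArray):String {
            blob.position = 0;
            var cipher:ICipher = Crypto.getCipher(cipherName, key, new PKCS5());
            var data:ByteArray = new ByteArray();

            if (cipher is IVMode) {
                var iv:ByteArray = new ByteArray();
                blob.readBytes(iv, 0, cipher.getBlockSize());
                IVMode(cipher).IV = iv;
            }
            blob.readBytes(data); // everything after the IV is ciphertext
            cipher.decrypt(data);
            data.position = 0;
            return data.readUTFBytes(data.length);
        }

        // Round-trips one message through each cipher the post discusses.
        public static function demo():void {
            // Constructed demo keys (hex). Sizes match each algorithm: 32 bytes for
            // AES-256 and Blowfish (as used by as3crypto), 16 for XTEA, 8 for DES,
            // 24 for 3DES and 16 for RC4. Real keys must come from a secure source.
            var keys:Object = {
                "aes-cbc":      Hex.toArray("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"),
                "blowfish-cbc": Hex.toArray("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"),
                "xtea-cbc":     Hex.toArray("000102030405060708090a0b0c0d0e0f"),
                "des-cbc":      Hex.toArray("0001020304050607"),
                "3des-cbc":     Hex.toArray("000102030405060708090a0b0c0d0e0f1011121314151617"),
                "rc4":          Hex.toArray("000102030405060708090a0b0c0d0e0f")
            };
            var message:String = "license=DEMO-0000;expires=2030-01-01"; // constructed sample data
            for (var name:String in keys) {
                var blob:ByteArray = encrypt(name, keys[name], message);
                var back:String = decrypt(name, keys[name], blob);
                trace(name + ": " + Hex.fromArray(blob) + " -> " + (back == message ? "OK" : "MISMATCH"));
            }
        }
    }
}
```

Call `SecretKeyDemo.demo()` from a Flash or Flex project that has as3crypto on its classpath. The point of the `cipher is IVMode` check is that five of the six options are block ciphers that need a per-message IV and PKCS5 padding, while RC4 needs neither; keeping that branch in one place means swapping AES for Blowfish (or for a legacy DES requirement) is a one-string change rather than a rewrite.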

DES

DES stands for “Data Encryption Standard.” It was developed to improve the security of US government computer systems and was completed in 1974. It has a fairly short key at 56 effective bits (8 of the 64 bits are check bits and play no part in the encryption). Many encryption methods have been developed since then; it is the second fastest of the methods in as3crypto, but it has a large number of vulnerabilities.

It should not be used unless absolutely necessary for legacy support, and even then you should be planning a migration to a modern cipher. As an interesting side note, there are also rumors of an NSA backdoor in this algorithm.

3DES

3DES, or “triple DES”, was developed in the late 90s as a simple way to make DES stronger and more resistant to brute force attacks (trying every possible key). It’s called “3DES” because it applies the DES algorithm three times. As you can probably guess, it’s about three times slower than DES. It does provide more security, but it’s not an ideal choice when considering what else is available. It may be required to support legacy systems.

RC4

RC4 is a fairly modern and widely used cipher method. It was developed in 1987 by Ron Rivest of RSA Security (RC4 stands for “Rivest Cipher 4”). Many of you probably use this cipher every day without realizing it. Secure (SSL) website connections use this cipher, and some wifi encryption systems use it too. It is not without its share of weaknesses, especially in certain implementations. For that reason, it has been completely deprecated by some platforms, including Microsoft .NET.

When implemented correctly, RC4 can offer a fair amount of security, but there are better options available in most cases. That said, there is one case where it should at least be considered: when you have tens of megabytes of data or more to encrypt. RC4 is by far the fastest cipher method in the as3crypto library. It is about 4.5 times faster than Blowfish (the third fastest in the library), but keep in mind it is slightly less secure than Blowfish.

XTEA

XTEA has fewer vulnerabilities than RC4, so it is slightly more secure. But this is the slowest encryption method in the as3crypto library. Frankly, the only case where I could see this being used in ActionScript is when you’re interacting with other systems that use XTEA encryption. If you’re developing a new system, choose one of the following methods.

AES

AES is one of the best general purpose secret key encryption methods in as3crypto. As I mentioned above, there may be cases where another method is more appropriate, but AES is going to be the method of choice in many cases, particularly because many other systems that your application may interact with will use it.

It has a lot of credibility because it is the standard encryption used by the US government and the first publicly available cipher approved by the NSA. It is fast and secure; although it does have some known weaknesses, those can usually be mitigated by preventing brute force attacks. This method should not be overlooked.

Blowfish

Blowfish was developed in 1993 by Bruce Schneier, who has developed many other cryptographic algorithms, written several articles and books on security, and also publishes a free monthly security newsletter called CRYPTO-GRAM, which I subscribe to and recommend.

In as3crypto, Blowfish 256 performs more than twice as fast as AES 256. It is also capable of using a 448 bit key, although the as3crypto implementation uses a 256 bit key. When compared to AES 256, Blowfish gives you slightly better security since it has no known cryptanalysis. It may not be as widely used as AES, but for great speed and security, it should not be overlooked. For many projects, this is an excellent choice of encryption.

Conclusion

If you don’t have any legacy system requirements, you should start by looking at Blowfish or AES encryption. One of these is likely going to meet your requirements, especially if you’re working with less than a megabyte of data. With large amounts of data these two may be too slow, so be sure to look at RC4 in more detail — it’s really fast. All of the others are likely going to be used because you’re working with a legacy system that requires them.
