CipherSaber
==Security and usability==
CipherSaber is strong enough and usable enough to make its political point effectively. However, it falls markedly short of the security and convenience one would normally ask of such a cryptosystem. While CipherKnights can use CipherSaber to exchange occasional messages with each other reasonably securely, either for fun or in times of great distress, CipherSaber strips cryptography to its bare essentials and it does not offer enough features to be suitable for wide deployment and routine daily use. CipherSaber's author in fact asks users to download and install [[Pretty Good Privacy|PGP]] as one of the steps of becoming a CipherKnight. CipherSaber can be seen as a last-resort fallback system to use if programs like PGP are [[ban (law)|ban]]ned. Some, but not all, of CipherSaber's sacrifices and shortcomings are unique to RC4.

* CipherSaber provides no [[authentication|message authentication]]. This vulnerability, shared by all pure stream ciphers, is straightforward to exploit. For example, an attacker who knows that the message contains "'''Meet Jane and me tomorrow at 3:30 pm'''" at a particular point can recover the keystream at that point from the ciphertext and plaintext. Then the attacker can replace the original content with any other content of exactly the same length, such as "'''3:30 meeting is cancelled, stay home'''", by encrypting it with the recovered keystream, without knowing the encryption key.
* Like most ciphers in use for bulk data transfer today, CipherSaber is a symmetric-key cipher. Thus, each pair of communicating users must somehow securely agree on an encryption key, and each user must securely store the encryption keys of those they are to communicate with. Agreeing on encryption keys when the only communications channels available are insecure is the classic [[chicken-and-egg problem]] solved by [[public key cryptography]] as provided by PGP-like programs. Avoiding the need for secure symmetric key agreements between every pair of users is of considerable convenience and generally improves security. A protocol typically used to achieve good efficiency and convenience is to use a public key cipher such as [[RSA (cryptosystem)|RSA]] for key exchange, then a symmetric-key cipher such as CipherSaber for bulk data transfer using the negotiated key.
* The short key-setup RC4 used in CipherSaber-1 is broken: RC4's original key scheduling is now known to be too weak to protect a large number of ciphertexts encrypted using the same key. CipherSaber-2 modifies CipherSaber-1's key setup procedure by repeating it multiple times in the hope of improving its security (the result is equivalent to using conventional RC4 starting with a key that has been preprocessed by a complex algorithm). While this procedure is believed to close the RC4 key scheduling vulnerability, its effectiveness has not been proven.
* Like any chosen-key cipher, both versions of CipherSaber are vulnerable to [[dictionary attack]] if the chosen key (which would normally be a password or passphrase) does not have sufficient [[Entropy (information theory)|entropy]]. Symmetric-key cryptography implementations usually include a facility for generating [[random]] keys when high security is required. The CipherSaber site recommends generating high entropy random passphrases using [[Diceware]].
* Like most other cryptosystems (including [[Pretty Good Privacy|PGP]]), CipherSaber makes no provisions at all to prevent attackers from ''detecting'' (as opposed to decrypting) the encrypted messages. This is a potentially serious problem in some situations for which CipherSaber was designed: if the government has banned the distribution of cryptographic software, it probably also will want to pounce on anyone who it finds sending encrypted messages. See [[traffic analysis]] and [[steganography]] for more about these issues and their countermeasures.
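
An added example, not part of the original article or the CipherSaber project: a Python sketch of the message-authentication bullet, showing that a same-length substitution decrypts cleanly under plain CipherSaber and is rejected once an encrypt-then-MAC tag is verified first. The 10-byte IV layout and the repeated key setup follow this example's reading of the CipherSaber specification; the HMAC-SHA256 tag, the separate `mac_key` and all function names are assumptions of the example.

```python
import hashlib, hmac, os

IV_LEN = 10   # CipherSaber: 10-byte random IV, sent first and appended to the passphrase
TAG_LEN = 32  # HMAC-SHA256 tag; the MAC is this example's addition, not part of CipherSaber

def keystream(key: bytes, n: int, rounds: int = 1) -> bytes:
    """RC4 keystream. rounds=1 is CipherSaber-1; rounds>1 repeats key setup (CipherSaber-2)."""
    s, j = list(range(256)), 0
    for _ in range(rounds):          # j carries over between repetitions (assumed reading)
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) % 256
            s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(passphrase: bytes, plaintext: bytes, rounds: int = 1) -> bytes:
    iv = os.urandom(IV_LEN)
    return iv + xor(plaintext, keystream(passphrase + iv, len(plaintext), rounds))

def decrypt(passphrase: bytes, message: bytes, rounds: int = 1) -> bytes:
    iv, body = message[:IV_LEN], message[IV_LEN:]
    return xor(body, keystream(passphrase + iv, len(body), rounds))

def substitute(message: bytes, known: bytes, replacement: bytes) -> bytes:
    """Keyless same-length substitution from the article (known text = whole body here)."""
    assert len(known) == len(replacement) == len(message) - IV_LEN
    return message[:IV_LEN] + xor(xor(message[IV_LEN:], known), replacement)

def seal(passphrase: bytes, mac_key: bytes, plaintext: bytes, rounds: int = 1) -> bytes:
    """Encrypt-then-MAC: the tag covers both the IV and the ciphertext."""
    message = encrypt(passphrase, plaintext, rounds)
    return message + hmac.new(mac_key, message, hashlib.sha256).digest()

def open_sealed(passphrase: bytes, mac_key: bytes, sealed: bytes, rounds: int = 1) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    message, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if len(sealed) < IV_LEN + TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")
    return decrypt(passphrase, message, rounds)
```

The tag addresses only the integrity gap; the key-scheduling and passphrase-entropy weaknesses listed above still apply to the underlying RC4 encryption.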