Bad security advice regarding RC4 in symcrypt.h

[Myriachan]

The following line regarding RC4: https://github.com/microsoft/SymCrypt/blob/main/inc/symcrypt.h#L4836

// Typically this is done by concatenating the key and a nonce or IV to generate the RC4 key.

is bad security advice. You really don't want to do that with RC4; you want to use a KDF to combine a key with an IV if you really have to use RC4 for some reason.

Ref: https://www.cs.cornell.edu/people/egs/615/rc4_ksaproc.pdf section 6

### Tasks

[NielsFerguson]

Thank you for your feedback!

This gets complicated. Most systems didn't start using KDFs until RC4 was already deprecated. I've been doing this for 30 years and I don't think I've ever seen a real-world system using a proper KDF to derive an RC4 key. (Although we did create a not-a-KDF mixing function for RC4 keys in TKIP as a Wifi encryption algorithm to allow legacy HW to keep using RC4 until they could get AES). The real security advice is to not use RC4 at all.

In general, SymCrypt is a computational library which takes no stance on the proper way to use it. After all, we implement RC2, RC4, MD2, MD4, MD5, SHA-1, RSA512, short elliptic curves, etc. The codebase should not include security advice, as advice ages whereas code does not.

Let's plan to delete this comment. It might take a while as we are very busy right now, and there is a delay getting updates from our internal repo to GitHub.

Thanks again,

Niels

[mlindgren]

I can make a quick change to remove the comment. As Niels said, it might take a while for this update to get pushed back to the public repo.

Thanks for your report!