1994-12-13 - Re: More 40-bit RC4 nonsense

Header Data

From: mpjohnso@nyx10.cs.du.edu (Michael Johnson)
To: cypherpunks@toad.com
Message Hash: 9e9c3f15fc4e0e062bea01df617d946bcee77e11f61dc42ed81761d6f9f15ab4
Message ID: <9412132159.AA08756@nyx10.cs.du.edu>
Reply To: <199412131742.JAA27330@netcom5.netcom.com>
UTC Datetime: 1994-12-13 22:00:18 UTC
Raw Date: Tue, 13 Dec 94 14:00:18 PST

Raw message

From: mpjohnso@nyx10.cs.du.edu (Michael Johnson)
Date: Tue, 13 Dec 94 14:00:18 PST
To: cypherpunks@toad.com
Subject: Re: More 40-bit RC4 nonsense
In-Reply-To: <199412131742.JAA27330@netcom5.netcom.com>
Message-ID: <9412132159.AA08756@nyx10.cs.du.edu>
MIME-Version: 1.0
Content-Type: text/plain


Raph Levien writes:

>   If I recall correctly, the first byte out of the RC4 stream has
>about a 40% chance of being the first byte of the key. Thus, if the
>40-bit "secret" part of the key is the _beginning_ of the full 128-bit
>key, then the keyspace is effectively reduced by about seven bits,
>meaning that I would be able to crack a key on my PC in a couple of
>days or so.
>   Of course, if the "clear" 88 bits went first, there would be no
>advantage whatsoever. The SSL document very carefully does not say
>how they combine the two key parts to form the 128-bit key. Does
>anyone know?

Why did the NSA require that an application using the Sapphire Stream Cipher
be limited to a _32-bit_ session key instead of the well-known _40-bit_
limit for RC4?  I wonder if there are other key bit leaks that cover the other 
60%?

Hmmm....
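
A way to check the recollection quoted above empirically, as an added example that is not part of the original message: it runs standard RC4 over random 128-bit keys and reports how often the first keystream byte equals the key byte at each position, which covers both placements of the 40-bit secret part. The function names, trial count and seed are choices made for this example.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then n bytes of output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def first_byte_match_rates(trials: int, key_len: int = 16, seed: int = 1994) -> list:
    """For each key position p, return the fraction of random keys whose
    first keystream byte equals key[p]. If the first output byte carried
    no information about key[p], the rate would be about 1/256."""
    rng = random.Random(seed)  # constructed sample keys; fixed seed for repeatability
    hits = [0] * key_len
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(key_len))
        z1 = rc4_keystream(key, 1)[0]
        for p in range(key_len):
            if key[p] == z1:
                hits[p] += 1
    return [h / trials for h in hits]


if __name__ == "__main__":
    rates = first_byte_match_rates(20000)
    print("baseline 1/256 = %.4f" % (1 / 256))
    for p, r in enumerate(rates):
        print("key[%2d] == first keystream byte: %.4f" % (p, r))
```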




