From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
Date: Thu, 17 Aug 95 11:27:25 PDT
To: gpowers@spectrum.bradley.edu
Subject: Re:  Netsacpe's Offical Response
Message-ID: <199508171825.NAA16520@edison.eng.auburn.edu>
MIME-Version: 1.0
Content-Type: text/plain


>So in conclusion, we think RC4-40 is strong enough to protect consumer-level
>credit-card transactions -- since the cost of breaking the message is
>sufficiently high to make it not worth the computer time required to do so
....
....
>Finally, we'd like to reiterate that all this person has done is decrypt
>one single RC4-40 message. RC4 the algorithm and products which use the
>algorithm remain as secure as always.
>
>
>

I disagree with the cost assumptions that it costs $10K. These
are "relatively" imaginary costs. If you already have the machines 
(like a lot of universities and corporations) then the marginal
cost of breaking the key is practically nil. The person doing the
cracking certainly doesn't incur any costs. So what if it takes
2 weeks. An evil student/hacker/whatever would be willing to wait two
weeks for a credit card with a $5-$oo limit if he could just use
the machines at night when people might not notice. 
Just my $.02

Re: security of RC4 - agreed completely.