This has got to be the scariest crypto-related paper I've ever read. Detailed therein is just an unnatural amount of screwing up for any one company, much less one product. How many of us had to explain to a sci.crypt newbie why we can't use the same one-time-pad string or cipher stream repeatedly? Here we have Microsoft re-using RC4 keys in OUTPUT FEEDBACK MODE. In the same session, fer God's sake, you and the server both use the same XOR stream to encrypt? This is not a subtle, excusable boo-boo. It's not even a crypto mistake: it's a basic inability to comprehend what the exclusive-or operation does.

I gotta admit, my first impression was that Schneier, et al, were engaging in a heapin' helpin' of MS-bashing on their page. Having read the paper, however, I'm now convinced that they brushed too (po-)lightly over some real howlers. One might get the false impression that these are subtle flaws, rather than gaping holes from Hell.

We gotta convince Bill to fire his crypto people, for the good of humanity. I suggest we get the message across by sending MS a bunch of t-shirts reading, "Everything I ever needed to know about crypto I learned from the LANMAN hash."

-Xcott

==- Xcott Craver -- Caj@niu.edu -- http://www.math.niu.edu/~caj/ -==
"This is a different thing: it's spontaneous and it's called 'wit.'" -The Black Adder
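An added example, not part of the post above or of the paper it discusses, showing the "same XOR stream in both directions" point concretely: with a small RC4 implementation and constructed client/server messages, an eavesdropper who sees both ciphertexts XORs them together and gets the XOR of the two plaintexts, so knowing either message reveals the other. The key and messages are made up for the demo; the mitigation it shows (a distinct key per direction) is the generic stream-cipher rule, not a claim about any particular product's fix.

```python
# Added example (not from the original post): why a stream cipher keystream
# must never be shared between two messages, e.g. client->server and server->client.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream (standard KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4 encryption: plaintext XOR keystream (decryption is the same call)."""
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer computes with no key at all: c1 ^ c2 == p1 ^ p2,
    because the shared keystream cancels out of the XOR."""
    return xor(c1, c2)

def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Knowing one message (p1) under a reused keystream yields the other (p2)."""
    return xor(keystream_reuse_leak(c1, c2), known_p1)

# Constructed sample traffic and key (not real protocol data).
CLIENT_MSG = b"client: hello server"
SERVER_MSG = b"server: hello client"
SHARED_KEY = b"constructed-demo-key"

def demo_shared_keystream() -> bytes:
    """Both directions keyed identically: the server message falls out."""
    c1 = encrypt(SHARED_KEY, CLIENT_MSG)
    c2 = encrypt(SHARED_KEY, SERVER_MSG)       # same key => same keystream
    return recover_other_plaintext(c1, c2, CLIENT_MSG)

def demo_per_direction_keys() -> bytes:
    """Mitigation: a distinct key per direction, so c1 ^ c2 no longer cancels."""
    c1 = encrypt(SHARED_KEY + b"|c2s", CLIENT_MSG)
    c2 = encrypt(SHARED_KEY + b"|s2c", SERVER_MSG)
    return recover_other_plaintext(c1, c2, CLIENT_MSG)   # garbage, not SERVER_MSG
```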