Bob Glassley wrote:
2) Considering RC4 is a proprietary scheme, have there been any concerted efforts to validate it's strength or lack of? If so, could you give a pointer to any documents I could review.
There has been considerable discussion of the security of RC4 on this list, and some subtle (i.e. worrisome but not disasterous) weaknesses have been found. Lotus Notes' use of RC4 is not subject to the weaknesses disclosed to date because it does not encrypt recognizable plaintext with the first few bytes of the RC4 stream.
My understanding was that the problems exposed with RC4 that you mentioned, were with the particular implemenation by Netscape. I guess I better go back to the archive and do some reading. :-)
Some RC4 keys that begin with specific values make it somewhat easier to guess the first few bytes of the encrypted data. This is a (probably minor) weakness of RC4, and is in no way specific to Netscape. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.