Raph Levien writes:
If I recall correctly, the first byte out of the RC4 stream has about a 40% chance of being the first byte of the key. Thus, if the 40-bit "secret" part of the key is the _beginning_ of the full 128-bit key, then the keyspace is effectively reduced by about seven bits, meaning that I would be able to crack a key on my PC in a couple of days or so. Of course, if the "clear" 88 bits went first, there would be no advantage whatsoever. The SSL document very carefully does not say how they combine the two key parts to form the 128-bit key. Does anyone know?
Why did the NSA require that an application using the Sapphire Stream Cipher be limited to a _32-bit_ session key instead of the well-known _40-bit_ limit for RC4? I wonder if there are other key bit leaks that cover the other 60%? Hmmm....
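The argument above turns on an empirical question: how much the first RC4 keystream byte depends on the leading key bytes, and therefore whether the 40-bit secret or the 88-bit clear part comes first in the 128-bit SSL export key. The following added example (not from the post or from any SSL implementation) is a small measurement harness: a plain RC4 implementation checked against published test vectors, a hypothetical `build_export_key` that assembles a 16-byte key from a 5-byte secret and an 11-byte clear part in either order, and two sampling functions. `first_byte_match_rate` reports how often the first output byte equals the first secret byte under each layout, so the 40% figure can be checked rather than recalled; `second_byte_zero_rate` measures the Mantin-Shamir bias (the second output byte is 0 about twice as often as chance), included as a sanity check that the harness does detect a known keystream bias. The two layouts and the 5/11 split are assumptions about how the key might be formed, not something the SSL document states.

```python
"""Added example: measuring RC4 keystream biases against key layout (not the post's code)."""
import random


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: returns the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of the PRGA output for the given key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (the operation is symmetric)."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def build_export_key(secret: bytes, clear: bytes, secret_first: bool) -> bytes:
    """Hypothetical export-key layout: 40-bit secret + 88-bit clear part.
    Which half goes first is the open question in the post; both are tried."""
    assert len(secret) == 5 and len(clear) == 11
    return secret + clear if secret_first else clear + secret


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def first_byte_match_rate(trials: int, secret_first: bool, seed: int = 1) -> float:
    """Fraction of random keys whose first keystream byte equals the first
    secret byte under the chosen layout. A uniform byte would give 1/256."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        secret = _rand_bytes(rng, 5)
        clear = _rand_bytes(rng, 11)
        key = build_export_key(secret, clear, secret_first)
        if rc4_keystream(key, 1)[0] == secret[0]:
            hits += 1
    return hits / trials


def second_byte_zero_rate(trials: int, seed: int = 2) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    Mantin and Shamir showed this is about 2/256, twice the uniform rate."""
    rng = random.Random(seed)
    hits = sum(rc4_keystream(_rand_bytes(rng, 16), 2)[1] == 0 for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Published test vector: key "Key" -> keystream EB9F7781B734CA72A719...
    print("keystream for 'Key':", rc4_keystream(b"Key", 10).hex())
    for layout in (True, False):
        label = "secret first" if layout else "clear first"
        print(f"{label:13s} P(Z1 == secret[0]) = {first_byte_match_rate(5000, layout):.4f}")
    print(f"P(Z2 == 0) = {second_byte_zero_rate(20000):.4f}  (uniform would be {1/256:.4f})")
```

Run it as a script to print the measured rates; the first-byte rate for the secret-first and clear-first layouts is the quantity the post's seven-bit estimate depends on, and comparing it with 1/256 shows how much of the secret, if any, the leading output byte exposes under each layout.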