I notice in the Netscape SSL spec the 40-bit export-approved RC4 key generation is a little more complicated than I would have thought. First a 128 bit "master key" is chosen and 88 bits are revealed, leaving 40 bits secret. Then the RC4 session key is generated as the MD5 hash of this master key plus about 32 bytes of publically known but random information. I'm not clear whether the 128-bit output of the MD5 hash is then used as the RC4 key, or whether only 40 bits are used (and if so, whether there are any public bits in the key besides these 40). If the former, then this extra hash step should really slow down exhaustive search of the key space. If the latter, then it is not clear why the master key is key-size restricted at all since it is not likely to be used in searching the key space. Maybe someone from Netscape could clear up how this is done. Hal