Sticking my foot in my mouth, I wrote:
If I recall correctly, the first byte out of the RC4 stream has about a 40% chance of being the first byte of the key. Thus, if the
Wrong. It _is_ true that the first byte of the key has a 40% probability of being the first byte of the initial state vector. It is _not_ true that the first byte of the initial state vector is the first byte out of the RC4 stream. Next time I will check the (alleged) source code before making a fool of myself. Thus, my attack shortcut will not work.

Kipp Hickman informs me that the salt is concatenated with the secret part in such a way that the secret portion is least significant. This seems wise because of the key/state vector characteristic, but wouldn't make too much difference either way in practice.

Sorry for the confusion.

Raph