John A. Limpert says:
Why would the attacker need to run the key setup 65536 times?
I could have been more clear. Forgive a little bit of code... Here is the beginning of the alleged RC4:

    /* initialise the state array to the identity permutation */
    for(counter = 0; counter < 256; counter++)
        state[counter] = counter;
    index2 = 0;
    key->x = key->y = index1 = index2 = 0;
    /* one pass of the key schedule over the state */
    for(counter = 0; counter < 256; counter++) {
        index2 = (key_data_ptr[index1] + state[counter] + index2) % 256;
        swap_byte(&state[counter], &state[index2]);
        index1 = (index1 + 1) % key_data_len;
    }

If it was changed to

    for(counter = 0; counter < 256; counter++)
        state[counter] = counter;
    key->x = key->y = index1 = index2 = 0;
    for(i = 0; i < 65536; i++) {   /* stir the pot a long time */
        for(counter = 0; counter < 256; counter++) {
            index2 = (key_data_ptr[index1] + state[counter] + index2) % 256;
            swap_byte(&state[counter], &state[index2]);
            index1 = (index1 + 1) % key_data_len;
        }
    }

Then the prepare_key routine would take much much longer. The idea is that a 64 bit crypto routine can be arbitrarily secure against brute-forcing, if you are willing to pay a runtime penalty every time you use it.

thad
--
Thaddeus Beier            email: thad@hammerhead.com
Technology Development    vox:   408) 286-3376
Hammerhead Productions    fax:   408) 292-8624
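The following is an added, self-contained C example (editor's code, not from the thread or any RC4 implementation) that shows the "stir the pot" idea as a key-stretching parameter: `rc4_prepare_key` takes a `rounds` argument, where `rounds == 1` is the ordinary RC4 key schedule and larger values repeat the pass over the state. It also returns the number of swaps performed, so the cost paid per key guess can be measured, and `stretch_bits` expresses that cost as the number of extra "key bits" an exhaustive search would effectively have to cover. The function names, the `rounds` parameter and the 65536 default are assumptions for this example; the check against the published RC4 test vector (key "Key", plaintext "Plaintext") confirms that the unstretched schedule is still standard RC4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed helper, as in the post: exchange two state bytes. */
static void swap_byte(uint8_t *a, uint8_t *b)
{
    uint8_t t = *a;
    *a = *b;
    *b = t;
}

/* RC4 key schedule with a configurable number of passes over the state.
   rounds == 1 is the standard KSA; rounds == 65536 is the stretched
   variant from the post. Returns the number of swaps performed, which is
   the work an attacker must repeat for every key guess. */
unsigned long rc4_prepare_key(uint8_t state[256], const uint8_t *key,
                              size_t keylen, unsigned long rounds)
{
    unsigned index1 = 0, index2 = 0;
    unsigned long swaps = 0;

    for (int c = 0; c < 256; c++)
        state[c] = (uint8_t)c;

    for (unsigned long r = 0; r < rounds; r++) {        /* stir the pot */
        for (int c = 0; c < 256; c++) {
            index2 = (key[index1] + state[c] + index2) % 256;
            swap_byte(&state[c], &state[index2]);
            index1 = (index1 + 1) % keylen;
            swaps++;
        }
    }
    return swaps;
}

/* Standard RC4 PRGA: XOR len keystream bytes into buf in place. */
void rc4_crypt(uint8_t state[256], uint8_t *buf, size_t len)
{
    uint8_t x = 0, y = 0;
    for (size_t i = 0; i < len; i++) {
        x = (uint8_t)(x + 1);
        y = (uint8_t)(y + state[x]);
        swap_byte(&state[x], &state[y]);
        buf[i] ^= state[(uint8_t)(state[x] + state[y])];
    }
}

/* Extra work per guess expressed as bits: floor(log2(rounds)).
   65536 rounds adds 16 bits of brute-force cost to a fixed key size. */
unsigned stretch_bits(unsigned long rounds)
{
    unsigned bits = 0;
    while (rounds > 1) {
        rounds >>= 1;
        bits++;
    }
    return bits;
}

/* Returns 1 if rounds == 1 reproduces the published RC4 test vector:
   key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3. */
int check_rc4_vector(void)
{
    static const uint8_t expected[9] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9,
                                        0x40, 0xAF, 0x0A, 0xD3};
    uint8_t state[256];
    uint8_t buf[9];
    memcpy(buf, "Plaintext", 9);
    rc4_prepare_key(state, (const uint8_t *)"Key", 3, 1);
    rc4_crypt(state, buf, 9);
    return memcmp(buf, expected, 9) == 0;
}

/* Returns 1 if the stretched schedule is deterministic for a given key,
   i.e. the extra passes are a fixed cost, not a source of randomness. */
int check_stretch_deterministic(unsigned long rounds)
{
    const uint8_t *key = (const uint8_t *)"Key";   /* constructed sample key */
    uint8_t s1[256], s2[256];
    rc4_prepare_key(s1, key, 3, rounds);
    rc4_prepare_key(s2, key, 3, rounds);
    return memcmp(s1, s2, 256) == 0;
}

int main(void)
{
    uint8_t state[256];
    unsigned long cost = rc4_prepare_key(state, (const uint8_t *)"Key", 3, 65536);
    printf("test vector ok: %d\n", check_rc4_vector());
    printf("swaps for 65536 rounds: %lu (+%u bits of work)\n",
           cost, stretch_bits(65536));
    return 0;
}
```

The cost argument is only about exhaustive key search: each guess now costs `rounds * 256` swaps instead of 256, so the attacker's total work grows by the same factor as the legitimate user's setup time. Stretching the schedule does nothing about weaknesses in the RC4 keystream itself, which is why a practitioner today would reach for a dedicated password-based key derivation function and a modern cipher rather than lengthening an RC4 key setup.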