More 40-bit RC4 nonsense

Michael Johnson mpjohnso at nyx10.cs.du.edu
Tue Dec 13 14:00:18 PST 1994


Raph Levien writes:

>   If I recall correctly, the first byte out of the RC4 stream has
>about a 40% chance of being the first byte of the key. Thus, if the
>40-bit "secret" part of the key is the _beginning_ of the full 128-bit
>key, then the keyspace is effectively reduced by about seven bits,
>meaning that I would be able to crack a key on my PC in a couple of
>days or so.
>   Of course, if the "clear" 88 bits went first, there would be no
>advantage whatsoever. The SSL document very carefully does not say
>how they combine the two key parts to form the 128-bit key. Does
>anyone know?

Why did the NSA require that an application using the Sapphire Stream Cipher
be limited to a _32-bit_ session key instead of the well-known _40-bit_
limit for RC4?  I wonder if there are other key bit leaks that cover the other 
60%?

Hmmm....





