ietf-openpgp

Re: ArcFour for OpenPGP [Re: Camellia for OpenPGP]

2007-04-25 02:29:01

Hi,

On Wed, Apr 25, 2007 at 10:26:43AM +0200, Heiko Stamer wrote:

> Please note the following paper [1] by Andreas Klein, which is submitted
> to Designs, Codes and Cryptography. AFAIK his attack is possible, even if
> the first bytes of the keystream are discarded.
>
> [1] http://cage.ugent.be/~klein/RC4/RC4-en.ps

Thank you for the interesting paper. I was not familiar with this particular
result, though the weakness it exploits is well known. In order to avoid
such problems, I hash the key and the IV. From page 20 of the referenced
paper (last paragraph):

"Another interesting idea is to compute the session key from the main key
and the initialization vector via a hash function [1]. The hashing would
avoid ALL ATTACKS (emphasis mine) similar to the FMS-attack or the attacks
described in this work."

Cheers,

-- 
Daniel