[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Lotus Notes RSA Implementation Question

Bob Glassley wrote:
> >>2)  Considering RC4 is a proprietary scheme, have there been any
> >>concerted efforts to validate it's strength or lack of?  If so, could
> >>you give a pointer to any documents I could review.
> >>
> >There has been considerable discussion of the security of RC4 on this list, and
> >some subtle (i.e. worrisome but not disasterous) weaknesses have been
> >found. Lotus Notes' use of RC4 is not subject to the weaknesses disclosed
> >to date because it does not encrypt recognizable plaintext with the first few
> >bytes of the RC4 stream.
> My understanding was that the problems exposed with RC4 that you
> mentioned, were with the particular implemenation by Netscape.  I
> guess I better go back to the archive and do some reading. :-)

Some RC4 keys that begin with specific values make it somewhat easier to
guess the first few bytes of the encrypted data.  This is a (probably
minor) weakness of RC4, and is in no way specific to Netscape.


Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.