Re: [PEN-TEST] RC4

[Joe Shaw <jshaw () INSYNC NET>]

Generally, if the source to an encryption standard is out and no one has
found anything wrong with it, then it's not that big of a deal.  Most
people are generally more concerned with proprietary standards because
they are not subject to peer review.  It should be noted that the RC4
source posted to USENET was work-alike code, not the actual RC4 source
from RSA.

RC4 is succeptable to brute force attacks when using small key lengths
like 40 bits.  It's possible to exhaust the entire 40 bit RC4 key space in
roughly 24 hours with about $15,000 worth of todays hardware and an
optimized parrallel key cruncher, so longer key lengths are preferred.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named.
I have public opinions, and they have public relations.

On Tue, 28 Nov 2000, Jay Mobley wrote:

> So , I am not pen-testing anything, but rather looking at some of my own
> venurabilities... and in doing so I learn that my Win2k Terminal server
> sends data to and from its client in a data stream encrypted with RC4. And
> in researching what I could about RC4 , I have seen time and time again that
> RC4 source was posted to a public usenet forum..... So my question is
> this... If one has the source code to an encryption standard... how secure
> is that standard???
>
>
> -Jay Mobley
> Interactive Explorers