nisse@lysator.liu.se (Niels Möller) writes:
Simon Josefsson simon@josefsson.org writes:
There are some keys which are even weaker, for example keys beginning with 00 00 FD and 03 FD FC, see this paper:
This still exploits statistical properties of the first few generated bytes, right?
Yes, that's true.
So if you generate and discard the first 512 or 1024 bytes or so of the keystream, the statistics for these keys shouldn't be much different from any other keys, right?
Right. I think 512 bytes is a bit on the low end these days, conservative recommendations are now up to 3072 bytes:
http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#RC4-drop
Note that the RC4 keystream can be distinguished from random with only about a few GB of stream output regardless of how many initial bytes are dropped. This suggests to me that there are attacks that will work regardless of how much initial output you discard.
/Simon
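
Added example, not part of the original messages and not code from any project discussed here: a plain RC4 with the "drop the first n bytes" variant discussed above, plus a small measurement of one well-known initial-byte statistic (the second keystream byte is 0x00 about twice as often as it should be; that specific bias is background knowledge, not something stated in the thread). The function names, the seeded random keys and the trial counts are assumptions made for the illustration.

```python
import random
from itertools import islice

def rc4_keystream(key: bytes, drop: int = 0):
    """Yield RC4 keystream bytes, discarding the first `drop` (RC4-drop[n])."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    skipped = 0
    while True:                                # output generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out = S[(S[i] + S[j]) & 0xFF]
        if skipped < drop:
            skipped += 1                       # discard, do not emit
        else:
            yield out

def rc4_drop(key: bytes, drop: int, n: int) -> bytes:
    """First n keystream bytes after dropping `drop` initial bytes."""
    return bytes(islice(rc4_keystream(key, drop), n))

def second_byte_zero_count(trials: int, drop: int, seed: int = 1) -> int:
    """Count random 128-bit keys whose 2nd emitted keystream byte is 0x00.
    Constructed experiment: keys come from a seeded PRNG, for repeatability."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_drop(key, drop, 2)[1] == 0:
            hits += 1
    return hits

if __name__ == "__main__":
    trials = 12000
    print("uniform expectation:", trials / 256)
    for drop in (0, 512, 3072):
        print(f"drop={drop:5d} zero second bytes:",
              second_byte_zero_count(trials, drop))
```

This only looks at the statistics of the first emitted bytes; it says nothing about the long-term distinguisher mentioned in the last paragraph of the message, which dropping does not address.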