nisse@lysator.liu.se (Niels Möller) writes:
Daniel Kahn Gillmor dkg@fifthhorseman.net writes:
A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like ``secret:1'', ``secret:2'', ...
The problem with arcfour is not that some particular keys are unexpectedly weak, but that the key bits are not spread out very well into the internal state (sorry if this description is a bit vague; my understanding is also a bit vague...).
There are some keys which are even weaker, for example keys beginning with 00 00 FD and 03 FD FC, see this paper:
http://impic.org/papers/WeakKeys-report.pdf
On the other hand, RC4 is broken so the function might as well always return 1 to indicate that the key is weak since it is used with RC4. :-)
/Simon