from
The Free On-line Dictionary of Computing (8 July 2008)
RC4
<cryptography> A {cipher} designed by {RSA Data Security,
Inc.} which can accept {keys} of arbitrary length, and is
essentially a {pseudo random number generator} with the output
of the generator being {XOR}ed with the data stream to produce
the encrypted data. For this reason, it is very important
that the same RC4 key never be used to encrypt two different
data streams. The encryption mechanism used to be a trade
secret, until someone posted source code for an {algorithm}
onto {Usenet News}, claiming it to be equivalent to RC4. The
algorithm is very fast, its security is unknown, but breaking
it does not seem trivial either. There is very strong
evidence that the posted algorithm is indeed equivalent to
RC4.
The United States government routinely approves RC4 with
40-bit keys for export. Keys this small can be easily broken
by governments, criminals, and amateurs. The exportable
version of {Netscape}'s {Secure Socket Layer}, which uses
RC4-40, was broken by at least two independent groups.
Breaking it took about eight days; in many universities or
companies the same computing power is available to any
computer science student.
See also Damien Doligez's SSL cracking page
(http://pauillac.inria.fr/~doligez/ssl/), RC4 Source and
Information (http://cs.hut.fi/crypto/rc4), SSLeay
(http://cs.hut.fi/crypto/software.html#ssleay), Crypto++
(http://cs.hut.fi/crypto/software.html#crypto++), Ssh
(http://cs.hut.fi/crypto/software.html#ssh), A
collection of articles
(http://cs.hut.fi/crypto/rc4-breaking).
(1996-10-28)