On Tue, Dec 21, 2010 at 4:00 PM, Joachim Schipper
<joac...@joachimschipper.nl> wrote:
> If our RC4 state is <nanotime_noise><known>, an attacker may be able to
> predict *most* of the RC4 state through the first couple of rounds
> (until <nanotime_noise> sufficiently interferes with the known state).
>
> It *seems harder* (but I'm not an expert on this kind of thing!) to
> predict the first couple of rounds if <nanotime_noise> is hashed (which
> means that you have to re-do the complete calculation for each possible
> <nanotime_noise>, which may not necessarily be the case above), and if
> this hashing is used to distribute the noise over the entire initial
> state of the cipher (so that no known portion exists).

The attacker either knows nanotime or they don't.  If they know it,
they know md5(nanotime) as well.

RC4 is weak sauce and leaks its key in the beginning, but we avoid
that by discarding, so there's no way to tell what the initial state
is except by guessing.  And guessing md5(whatever) is no harder than
guessing whatever.

The md5 step would only be helpful if the initial key to rc4 were then
also used for something *else*, meaning it had some value apart from
being the key.  But it doesn't.
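The "leaks its key in the beginning, but we avoid that by discarding" point above can be measured directly. The following is an added example, not code from this thread or from the project being discussed: a plain RC4 implementation with a drop-N parameter, plus a measurement of the well-known bias in the second keystream byte (it is zero about twice as often as it should be for a fresh key schedule). The 16-byte keys are constructed at random with a fixed seed so the run is repeatable; the key layout, trial count and drop value are this example's own choices.

```python
import random


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """RC4 key schedule plus PRGA.

    Returns n keystream bytes produced *after* the first `drop` bytes have
    been generated and thrown away (the usual "RC4-drop[N]" construction).
    """
    klen = len(key)
    S = list(range(256))
    j = 0
    # Key-scheduling algorithm: every key byte steers a swap in S.
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]

    out = bytearray()
    i = j = 0
    # Pseudo-random generation; the first `drop` outputs are discarded.
    for k in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_rate(trials: int, drop: int, seed: int = 1) -> float:
    """Fraction of random keys whose second surviving keystream byte is 0.

    For an unbiased generator this should be 1/256 (about 0.0039). Without
    dropping, RC4's second byte is 0 with probability close to 2/256.
    Keys are constructed from a seeded RNG so the measurement is repeatable.
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")  # constructed key
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    trials = 30000
    print("ideal rate        :", 1 / 256)
    print("no drop           :", second_byte_zero_rate(trials, drop=0))
    print("after dropping 256:", second_byte_zero_rate(trials, drop=256))
```

The first figure comes out near 2/256, the second near 1/256; that gap is the early-keystream structure the discard step is there to remove. The measurement says nothing about whether hashing the seed helps, which matches the point made above: a hash changes neither the size of the guess space nor what the keystream reveals once the leaky prefix is gone.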
