>Hi. The definition of dr in src/lib/crypto/combine_keys.c mishandles
>the rc4 enctype. In particular, it will encrypt the constant using
>rc4 directly in the long-term key. No cipher state is used for rc4,
>so the rc4 PRNG is always positioned at the same point in the cipher
>stream.
>[...]

I think maybe I'm just jet-lagged, or perhaps I'm missing something about RC4 (I know it's a stream cipher, but not the details). But can you elaborate on this statement?

>effectively for rc4 dr(k, c) is c^rc4(k).

Hm, I guess that after reading Brezak's draft, I see that there doesn't seem to be a Derive-Key() for RC4 (not as I understand it).

--Ken
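
The quoted statement that for rc4 dr(k, c) is effectively c^rc4(k), shown as an added example (not part of the original messages and not krb5 code). It uses a textbook RC4 whose state is rebuilt from the key on every call; `dr_rc4` and `keystream_cancels` are hypothetical names, and the keys and constants used to exercise them are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Textbook RC4: key schedule, then keystream XOR. The state is rebuilt
   from the key on every call, so no cipher state carries over and the
   keystream always starts at the same position. */
static void rc4_crypt(const unsigned char *key, size_t klen,
                      const unsigned char *in, unsigned char *out, size_t len)
{
    unsigned char S[256], t;
    unsigned int i, j = 0;
    size_t n;

    for (i = 0; i < 256; i++)
        S[i] = (unsigned char)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (n = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[n] = in[n] ^ S[(S[i] + S[j]) & 0xff];
    }
}

/* Hypothetical stand-in for dr(k, c) as the post describes it for rc4:
   the constant is encrypted directly under the long-term key. */
void dr_rc4(const unsigned char *k, size_t klen,
            const unsigned char *c, unsigned char *out, size_t len)
{
    rc4_crypt(k, klen, c, out, len);
}

/* Returns 1 when dr(k,c1) ^ dr(k,c2) == c1 ^ c2: the key-dependent
   keystream cancels, so the two derived values differ only by the
   XOR of the two constants. Returns -1 if len exceeds the buffers. */
int keystream_cancels(const unsigned char *k, size_t klen,
                      const unsigned char *c1, const unsigned char *c2,
                      size_t len)
{
    unsigned char d1[64], d2[64];
    size_t n;

    if (len > sizeof(d1))
        return -1;
    dr_rc4(k, klen, c1, d1, len);
    dr_rc4(k, klen, c2, d2, len);
    for (n = 0; n < len; n++)
        if ((d1[n] ^ d2[n]) != (c1[n] ^ c2[n]))
            return 0;
    return 1;
}
```

With an all-zero constant, `dr_rc4` returns the raw start of the RC4 keystream for that key, which is the same keystream XORed into every other constant.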