>Well, there is a derive-key for rc4, but it only takes keyusage as
>input, not a string.

Hm, I think I'm confused. I see where the keyusage gets fed into the algorithm in the Brezak draft, but what I don't see is anything that looks like derive-key for rc4. Maybe we're not talking about the same thing.

>Defining dk in terms of dr would work for rc4 if you had a reasonable
>definition of dr, but you currently do not.

Maybe I'm being dense again (and not knowing much about rc4, other than glancing over the routines that implement it), but would it be reasonable to pretend, for the purposes of rc4 and dr, that the blocksize was equal to the keysize? I think that would prevent the attack you described. Or just keep state between calls to the encryption routine. Like you said, dr still needs to be defined for rc4; just thinking out loud here.

--Ken