>Well, there is a derive-key for rc4, but it only takes keyusage as
>input, not a string.

Hm, I think I'm confused.  I see where the keyusage gets fed into the
algorithm in the Brezak draft, but what I don't see is anything that
looks like derive-key for rc4.  Maybe we're not talking about the
same thing.

>Defining dk interms of dr would work for rc4 if you had a reasonable
>definition of dr, but you currently do not.

Maybe I'm being dense again (and not knowing much about rc4, other than
glancing over the routines that implement it) but would it be
reasonable to pretend for the purposes of rc4 and dr that the blocksize
was equal to the keysize?  I think that would prevent the attack you
described.  Or just keep state between calls to the encryption
routine.

Like you said, dr still needs to be defined for rc4; just thinking out
loud here.

--Ken