On Wed, 2005-08-24 at 22:32 -0400, Mrs. Brisby wrote:
> > There are several attacks that can be used to derive the original key
> > state, but they all require huge samples of data to analyze.
>
> No they don't. That's the problem. They only need a large number of
> _uses_ of the key, not large amounts of data. Adding some random junk to
> the beginning of the plaintext would help some, but I don't think SQLite
> does this.
>
RC4 is a pseudorandom number generator (PRNG) against which the plaintext is XORed to yield ciphertext. Weaknesses in RC4 have been found where the first few numbers coming out of the PRNG leak information about the key. If an attacker can guess the first few bytes of plaintext, and hence guess the first few numbers from the PRNG, and can do this many, many times (millions of times), then the attacker can eventually reconstruct the key.

The usual defense against this attack (and the one used by SQLite) is to discard the first 1000 bytes or so of information coming out of the PRNG. No key information leaks into later bytes of the PRNG stream (at least as far as we know), so this secures the cipher from attack.

-- 
D. Richard Hipp <[EMAIL PROTECTED]>
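The mechanism described in the reply above, as an added example that is not part of the original thread and is not SQLite's or D. Richard Hipp's code: a plain RC4 (KSA + PRGA) implementation whose keystream generator can discard a configurable prefix (the "RC4-drop[n]" defense), plus a small experiment that makes the early-byte weakness visible. The experiment measures the Mantin-Shamir bias: for random keys the second raw keystream byte is zero about twice as often as it should be (roughly 1/128 instead of 1/256), so an attacker who can guess the second plaintext byte and sees many ciphertexts under fresh keys learns about the cipher state. The drop length of 1024, the 16-byte key size and the 20000-key sample size are choices made for this example, not values taken from SQLite.

```python
import random


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] under `key`."""
    if not key:
        raise ValueError("key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int, drop: int = 0):
    """Yield `length` keystream bytes after silently discarding the first `drop`.

    drop=0 is classic RC4; drop=N is RC4-drop[N], the defense the thread
    describes (discard the key-correlated head of the PRNG output).
    """
    S = rc4_ksa(key)
    i = j = 0
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if n >= drop:
            yield k


def rc4_crypt(key: bytes, data: bytes, drop: int = 1024) -> bytes:
    """XOR `data` with the (optionally dropped) keystream; symmetric, so this
    both encrypts and decrypts. The 1024-byte default is this example's choice."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, len(data), drop)))


def second_byte_zero_count(n_keys: int, seed: int = 1) -> int:
    """Count how often the 2nd raw RC4 keystream byte is 0 across `n_keys`
    pseudo-random 16-byte keys (constructed test keys from a seeded PRNG).

    An ideal stream cipher would give about n_keys/256 zeros; plain RC4 gives
    about n_keys/128 (Mantin-Shamir second-byte bias)."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        z = list(rc4_keystream(key, 2))
        if z[1] == 0:
            zeros += 1
    return zeros


if __name__ == "__main__":
    # Published RC4 test vector (key "Key", plaintext "Plaintext"), no drop.
    print(rc4_crypt(b"Key", b"Plaintext", drop=0).hex())
    msg = b"constructed sample plaintext"
    ct = rc4_crypt(b"Key", msg)            # RC4-drop[1024]
    print(rc4_crypt(b"Key", ct) == msg)    # round trip
    n = 20000
    print("2nd byte zeros:", second_byte_zero_count(n), "ideal ~", n / 256)
```

The round trip works for any drop value as long as both sides agree on it; what the drop buys is that the bytes actually used for encryption come from deep in the stream, past the positions where biases like the one measured here are known to exist. Adding random junk to the front of the plaintext, as suggested in the quoted message, does not help against this particular bias, because the weakness is in the keystream position, not in the plaintext content.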