> > Correct me if I am wrong - RC2 and RC4 are not public key cryptosystems,
> > and hence are not "prone" to the problems with low moduli.
>
> You are wrong.
>
> If the key is only 128-bit, that's a much smaller keyspace to
> brute-force attack than a 1024-bit key.
>
> (do the math)

You add a qualifier here -- "brute force attack" -- that makes your statement technically correct, but misleading.

You generally see keyspaces of 1024 bits (etc) in public key cryptosystems (RSA/PGP). You see 128-bit keysizes on traditional cryptosystems, like RC2, RC4, IDEA (the -real- encryption in PGP), etc.

The problem here is that the best way to break a public-key cryptosystem is _not_ by brute force. RSA gets its strength from the fact that it's very hard to factor a large number (1024 bits, for example) made up of two multiplied large primes, into its individual primes. To break RSA, you 'simply' have to factor the key, which is orders of magnitude faster than a brute force attack on the system.

Large key sizes are required for public-key cryptosystems, because HUGE advances are being made in number factoring. 1024-bit keys are still out of reach, but for how long?

In the case of RC2 and RC4, the best (known -- Important word here) attack is a brute force attack on the key -- something that is, for the moment, prohibitive. Given huge advances in current technology, it'd still take YEARS to crack -one- key.

Anyhow, bottom line is that saying "RSA with a 1024 bit key is more secure than RC4 with a 128 bit key" is a bit silly -- You're comparing apples to oranges. Nobody's going to brute-force attack RSA, since there are much better ways to crack the system.

-WW
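
Added example, not part of the original post: a rough work-factor comparison between exhaustive search on a symmetric key and factoring an RSA modulus, for sizing keys against each other. It assumes the heuristic running time of the general number field sieve with its o(1) term dropped (the post names no factoring algorithm), so the figures are order-of-magnitude only; the function names are chosen here.

```python
import math


def brute_force_bits(key_bits: int) -> float:
    """log2 of the expected number of trial keys in an exhaustive search.

    On average half of the keyspace is searched before the key is found.
    """
    return key_bits - 1


def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS operation count for an RSA modulus.

    Assumption: work = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with
    c = (64/9)^(1/3), ignoring the o(1) term and memory cost.
    """
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def modulus_bits_matching(symmetric_bits: int, lo: int = 256, hi: int = 65536) -> int:
    """Smallest modulus size whose factoring estimate reaches the
    brute-force cost of a symmetric key of the given size."""
    target = brute_force_bits(symmetric_bits)
    while lo < hi:  # gnfs_work_bits is increasing over this range
        mid = (lo + hi) // 2
        if gnfs_work_bits(mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for bits in (512, 1024, 2048, 3072):
        print(f"RSA-{bits}: brute force ~2^{brute_force_bits(bits):.0f}, "
              f"factoring ~2^{gnfs_work_bits(bits):.1f}")
    for sym in (56, 80, 128):
        print(f"{sym}-bit symmetric key ~ RSA modulus of "
              f"{modulus_bits_matching(sym)} bits")
```

The gap between the two columns for each RSA size is why a key length in bits only means something relative to the best known attack on that particular system.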