>>10
I don't have references, just experience. An example is when I enter the wrong password my local unrar doesn't know for sure what's wrong, complaining of a bad CRC and suggesting that since it needs a password, perhaps I got it wrong. Otherwise bad CRC is always reported as a corrupt archive. I'd say that's fairly conclusive.
I know that the CRCs are not part of the payload (this would be pretty fucking stupid if you think about it.) However, there are two ways to produce rar files (encrypted or not), one is pkzip-style (a collection of compressed files) and the other is tgz-style (a compressed collection of files--"solid" compression.) It's common to use solid compression on the unencrypted format, and the other form on encrypted files (from observation.) I do believe these are the defaults for virtually every rar compressor, though I have found at least one encrypted rar with solid compression. With the solid encrypted format, from observation, there is still a CRC in the clear. I expect there are individual CRCs to be found in a subheader as well, but I really didn't check. I do believe there is a "TOC"/subheader is encrypted in this case, but I don't remember this part clearly.