Fatally flawed RC4 should just die, shout angry securobods
It's the Swiss Cheese of infosec and we're all gazing through its holes
Security researchers have banged another nail into the coffin of the ageing RC4 encryption algorithm.
The latest password recovery attacks against RC4 in TLS by Christina Garman of Johns Hopkins University, Prof. Kenny Paterson and research student Thyla van der Merwe (both of Royal Holloway, University of London) show that attacks against the scheme are getting better and easier so RC4 "needs to die", as the researchers themselves put it.
The continued use of RC4 in TLS is "increasingly indefensible", the researchers conclude in an abstract of their work.
Despite 2013's high-profile attacks on the RC4 algorithm in TLS, its usage is today (March 2015) still running at about 30 per cent of all TLS traffic.
This is attributable to the lack of practicality of the existing attacks, the desire to support legacy implementations, and resistance to change.
We provide new attacks against RC4 in TLS that are focused on recovering user passwords, still the pre-eminent means of user authentication on the web today.
Our attacks enhance the statistical techniques used in the previous attacks and exploit specific features of the password setting to produce attacks that are much closer to being practical. We report on extensive simulations that illustrate this.
We obtain good success rates with 226 encryptions of the password. By contrast, the previous generation of attacks required around 234 encryptions to recover an HTTP session cookie.
The research - which also involved the development of "proof of concept" implementations of the attacks against the BasicAuth and IMAP protocols – is explained in full in a paper here (PDF, 34 pages).
Independent researchers agree that RC4 needs to be pensioned off even though some question whether the attack developed by is a practical concern.
"RC4 must die. Despite, not because of, attacks like the one described here which is extremely impractical," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher.
Caveats about whether or not attacks could be economically pulled off aside, there's little or no disagreement about the direction of travel, which is that the cipher ought to be consigned straight towards the cyber equivalent of Boot Hill cemetery. The only reason it's still around is that websites are reluctant to drop support even for obsolete technology.
RC4, developed in 1987, is a popular stream cipher that's often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses.
Potential attacks have been documented for years but they are now decreasing in complexity to the point where using the cipher is risky even before considering the implication of the revelations from NSA whistleblower Edward Snowden.
Leaks from Snowden suggested that US and UK spies have developed "groundbreaking cryptanalysis capabilities", which ultimately allow the intelligence agencies to break RC4 encryption. Distrust of the cipher is spreading.
Microsoft urged Windows developers to ditch the RC4 encryption algorithm and pick something stronger back in November 2013. Cisco also told its customers to "avoid" the cipher around the same time.
The IETF moved towards killing off the venerable-but-vulnerable RC4 cipher with a proposal that net-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS) that surfaced in December 2014. ®