RC4: your time is up

RC4 is a widely used stream cipher - an encryption algorithm - designed by Ron Rivest in 1987 for RSA Security (now a division of EMC). In 1994 the source code for RC4 was leaked on the Internet, and it quickly became popular because of its simplicity and speed. Because "RC4" is trademarked, for many years implementations went under names such as ARCFOUR and ARC4.

RC4 has been widely used, both in WEP and WPA wireless card standards, and in SSL and TLS. There have been various attacks on RC4 over the years, one of which broke WEP in 2001 and resulted in the development of WPA. This particular attack, known as the Fluhrer, Mantin and Shamir attack, did not affect SSL/TLS.

In 2011, the BEAST attack on TLS targeted the cipher block chaining (CBC) encryption mode, which is used with most algorithms except for RC4. In CBC mode, each encrypted block of data depends on the block before it. At the time it was recommended that TLS users to switch to RC4 from other algorithms. Unfortunately, this was to be rather short-lived advice.

It had been long-known that there were some statistical biases in the output generated by RC4, but no way had been found to exploit them effectively. In 2013, the Royal Holloway attack demonstrated that portions of HTTPS cookies could be recovered, although the number of connections required was large.

In 2015 came the Bar Mitzvah attack, as well as improvements to the Royal Holloway attack, and it is these vulnerabilities that have put the final nail in the coffin of RC4 use in TLS. These attacks both require far fewer connections to retrieve portions of the plain text, and are on the cusp on being practically exploitable.

Consequently, RFC 7465 now prohibits the use of RC4 in TLS cipher suites (as of 2015). All RC4 cipher suites should be disabled.

In our CompleteFTP server, this is done by unchecking all cipher suites with RC4 in their names that are listed in "Available cipher suites" for FTPS. The "SECURE_CIPHERS" setting should also be unchecked. Version 9.0 of CompleteFTP will remove the RC4 suites from the SECURE_CIPHERS list.

Posted by John Faulds in