Cryptographers Break Commonly Used RC4 Cipher

Sparrowvsrevolution writes "At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987. Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router." RC4 may be long in the tooth, but it remains very widely used.

Arcfour

[Hatta]

This is the cipher known as 'arcfour' in SSH. I use it regularly when speed is more important than security, which is frequently. I'm not sending a billion of the same files anywhere, so I will continue to use it.

Re:Arcfour

[Joce640k]

Oh, wait, it's the arcfour key scheduling thing again.

This is an old arcfour weakness, not news. Everybody knows about it (and how to avoid it). The SSL people just never bothered to do it.

Re:Arcfour

[Hatta]

Irrelevant. As long as I only send one copy of the compressed data, it should be safe. A better objection is that it probably would take more CPU to compress the data before sending it over RC4 than it would to just switch to AES with no compression.

Re:Arcfour

[slew]

As I understand it, ARC4 originally stood for 'Alleged' RC-4 since it was reverse engineered from RSA's proprietary RC4 implementation. The name RC4 is trademarked by RSA and they refuse to confirm that ARC4 was 100% compatible with their trademarked RC4, so for these two reason, the name ARC4 stuck.

Of course nobody today disputes that there is any actual difference between the public ARC4 and RSA's RC4...

Jokes on him!

[Kenja]

I always change my message after the 999,999,999th time I send it with the same encryption key.

rfc4345

[cachimaster]

If I understood the article, the reported RC4 weakness is known since so long ago there is a RFC about it (rfc4345) that TLS implementation just ignores. SSH also uses RC4 in a non-vulnerable way, and that's why it's not broken, and it's perfectly possible to have a secure RC4 algorithm by simply discarding the first N bytes, where N>1000.

Re:Gmail uses RC4

[heypete]

Yup. RC4 is really fast in software and so can scale really easily without needing any real change in server capacity.

Also, most browsers support Elliptic-Curve Diffie-Hellman key exchange with RC4 which provides perfect forward secrecy with substantially less computing overhead as using the standard DH key exchange protocols.

Hmm. Now to change some settings. Whee.

Re:Oh, come on ... heh.

[bill_mcgonigle]

Anyone know what Cipher Suite configuration is the "safest" now? :)

You're screwed. You have the PCI people who are freaked out over CBC ciphers because of BEAST, you have lots of LTS distros not offering TLS 1.2, and you have people under FIPS who are your customers, so you wind up having to offer RC4 as a cipher to meet all of the above requirements. And even if you assume FIPS-managed clients will be controlling their ciphers to meet their internal requirements, you have to explain this to the PCI scanner vendor every. single. time.

If the LTS vendors could backport TLS 1.2, that would solve many headaches.