It’s been more than 25 years since Ron Rivest invented his RC4 stream cipher, and after all that time it’s still being used widely, which is something of an achievement in the crypto world. However, for more than 15 years researchers have known about a weakness in RC4 that could let an attacker recover plaintext from the keystream. Now, a cryptographer has published an attack that exploits that weakness and causes serious problems for TLS implementations.
Daniel J. Bernstein, a professor at the University of Illinois at Chicago, presented his research on secret-key cryptosystems this week, and the major revelation was a practical attack against a known weakness in RC4 that enables an attacker to compromise a victim’s session with a site protected by TLS. The fact that the first 256 bytes of RC4 keystream contain biases has been known for more than 15 years, but the work that Bernstein and his fellow researchers did shows that an attack against TLS/RC4 is feasible.
RC4 is a stream cipher: it encrypts plaintext by mixing it with a series of bytes that should look random, so that nobody can decrypt the result without the same key that was used to encrypt it. But the bytes used to encrypt the plaintext aren’t really as random as they should be, at least at the beginning of the keystream. That makes it possible for an attacker who can observe enough TLS requests to figure out the plaintext of an encrypted message. The problem is that there are biases in the keystream, and those biases make life easier for an attacker.
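The keystream bias described above is easy to measure for yourself. What follows is an added example, not code from the article or from Bernstein’s group: it implements textbook RC4, generates keystreams for many random 128-bit keys, and counts how often each value appears in the second keystream byte. Mantin and Shamir showed in 2001 that the second byte is 0 about twice as often as a uniform distribution would allow; a sound stream cipher would show a flat histogram.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def keystream_byte_histogram(position: int, num_keys: int,
                             key_len: int = 16, seed: int = 1) -> list:
    """Count each value 0..255 at keystream byte `position` (1-indexed)
    over num_keys random keys. A perfect cipher gives about num_keys/256
    per value. The RNG is seeded so the experiment is reproducible."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))  # constructed random key
        counts[rc4_keystream(key, position)[position - 1]] += 1
    return counts


def bias_ratio(counts: list, value: int) -> float:
    """Observed frequency of `value` divided by the uniform expectation 1/256.
    1.0 means no bias; Mantin-Shamir predicts about 2.0 for Z_2 == 0."""
    return counts[value] * 256 / sum(counts)


if __name__ == "__main__":
    hist = keystream_byte_histogram(position=2, num_keys=30000)
    print(f"Z_2 == 0 occurs {bias_ratio(hist, 0):.2f}x as often as uniform would predict")
```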
“We’ve known about this for more than ten years. But as far as we knew, there was no way to attack this in RC4 in the way it’s used in SSL. A lot of crypto people are mystified about why we thought that,” said Thomas Ptacek, principal at Matasano Security. “It’s really kind of blatant. It turns out that the way that this is crappy in TLS is really easy to exploit.”
However, Ptacek said, just because it can be exploited doesn’t mean that it’s the best way to go after a target’s encrypted session. In fact, there are many better ways to accomplish the same goal, and much more quickly. The attack that Bernstein and his colleagues described requires hundreds of millions of identical browser requests and could take a while to execute.
“It’s a technique that is relatively easy to write code for, unlike some other cryptanalysis attacks, but it’s slow and expensive to use in the real world,” Ptacek said. “There’s no way you would not notice this attack. The actual attack is really painful to launch. The likelihood of this being exploited in the wild is low. If you’re looking for a way to break a user’s encrypted session quickly, this is not it. You’d go after application layer vulnerabilities long before you’d do this. You’d have a lot more luck with phishing or spoofing SSL or counting on people to ignore certificate warnings.”
Although RC4 is ancient in cryptography terms, it’s still used widely. In fact, in the wake of the BEAST and CRIME attacks of the last couple of years, security experts recommended that sites switch to RC4 from other ciphers as a way to defend against the weaknesses those attacks exploit. That may still be the better choice in many cases, but the results from Bernstein and his colleagues show that RC4 is even less safe than previously thought.
“It’s hard to overstate how bad this behavior is from a stream cipher,” Ptacek said.