New RC4 Attack Dramatically Reduces Cookie Decryption Time

A paper, expected to be presented at USENIX, describes new attacks against RC4 that make plaintext recovery times practical and within reach of hackers.

Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm.

A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim’s cookie and decrypt it in a much shorter amount of time than was previously possible.

The paper “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS,” written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as the WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol, in order to recover cookies.

Vanhoef and Piessens explain how an attacker can use these findings to decrypt a user’s website cookie, for example, that should be secured over an encrypted channel. Their attacks, however, are not limited to cookies.

“This means the attacker can perform actions under the victim’s name (e.g. post status updates and send messages), gain access to personal information (e.g. to emails and chat history), and so on,” the academics said.

Their research dramatically improves on prior work in this area, allowing them to decrypt a cookie inside of 75 hours, making the attacks practical, they said. Against real devices, they said they were able to trim attacks down to 52 hours.

The researchers said that in order to pull off an attack, a number of encrypted cookies must be captured from the TLS stream and converted into likely cookie values that are brute-forced until the right one is found.

From the paper:

“To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94 percent using 9×2^27 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin’s ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.”

Microsoft and other leading technology companies have already taken steps to deprecate RC4 in TLS implementations, as well as other weak algorithms such as SHA-1. This paper introduces new short- and long-term biases and explains how the researchers calculated estimated cookie values in order to decrypt the information.

“While previous attacks against RC4 in TLS and WPA-TKIP were on the verge of practicality, our work pushes them towards being practical and feasible,” the paper says. “We consider it surprising this is possible using only known biases, and expect these types of attacks to further improve in the future.”

Suggested articles