Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Encrypted Web and Wi-Fi at risk as RC4 attacks become more practical

Lucian Constantin | July 20, 2015
There's an old saying in the security community: Attacks always get better. The latest case where that holds true is for the aging RC4 cipher that's still widely used to encrypt communications on the Internet.

Encryption

There's an old saying in the security community: Attacks always get better. The latest case where that holds true is for the aging RC4 cipher that's still widely used to encrypt communications on the Internet.

Researchers Mathy Vanhoef and Frank Piessens from the University of Leuven in Belgium devised a new attack method that can recover authentication cookies and other sensitive information from Web connections encrypted with RC4.

The RC4 (Rivest Cipher 4) algorithm was designed in 1987 by renowned cryptographer Ron Rivest and remained a trade secret until 1994, when it was leaked on the Internet. Since then it has been implemented in a number of popular protocols, including SSL (Secure Socket Layer) and its successor, TLS (Transport Layer Security); the WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) wireless security standards; Microsoft's RDP (Remote Desktop Protocol) and MPPE (Microsoft Point-to-Point Encryption), BitTorrent and others.

Researchers have found and reported multiple weaknesses in RC4 over the years, but for the most part those attacks have remained theoretical or have not applied to RC4 as used in SSL/TLS.

In 2013, researchers from Royal Holloway, University of London, devised an attack against the TLS implementation of RC4 that required the observation of around 13x(2^30) -- or, 13 times two to the 30th power -- encrypted versions of a plaintext string in order to decrypt it. The string could be an authentication cookie that's included in every Web request sent by a client to a TLS server or some other similarly repeated piece of sensitive information.

The Royal Holloway attack was considered non-practical for the vast majority of real-world attackers, but did lead to speculation that intelligence agencies like the U.S. NSA might have the capability to pull it off.

Vanhoef and Piessens estimate that decrypting cookies using the Royal Holloway attack would take over 2,000 hours. By comparison, their new method, which they named RC4 NOMORE, would take only 75 hours.

That's because their attack requires a lower number of observations and because it can force a victim's browser to generate more requests per second than the Royal Halloway attack, 4,450 compared to 1,700.

"In contrast to previous attacks, this short execution time allows us to perform the attack in practice," the researchers wrote on a website that details their technique. "When we tested the attack against real devices, it took merely 52 hours to successfully perform the attack."

Fifty to seventy hours is still a long time, but the RC4 NOMORE attack has the benefit that it doesn't have to be continuous. The encrypted requests don't need to be captured all at once, so the collection can be resumed at a later time if the victim closes his browser or computer.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.