RC4

RC4, ARC4 or Arcfour is a stream cipher that has found widespread use in standards such as HTTPS, SSH 1 and WEP or WPA.

RC4 (Ron's Code 4) was developed in 1987 by Ronald L. Rivest, is a trademark of RSA Security and was officially kept secret (security by obscurity). ARC4 (Alleged RC4) or Arcfour goes back to an anonymous publication of the source code in 1994 and is open source.

Description

A random sequence (the keystream) is generated from a key that is to be used only once. To encrypt the data, the plaintext is combined bit by bit with the random sequence using XOR.

The random number generator uses a so-called S-box, a random permutation (substitution) of the numbers 0 to 255. In a first step the S-box is computed from the secret key; it is then used to generate the random sequence. After each computation step two values of the S-box are swapped.

The security of such a method is only guaranteed if the random sequence does not repeat. Therefore the key or password may be used only once. For the arrangement of the S-box together with the values of two further variables there are about 2^1684 possibilities, which would correspond to a key length of 210 characters (1684/8). By the birthday paradox it is to be expected that, at a key length of 105 characters ((1684/2)/8), there are keys that produce identical S-box permutations. At least two 24-character (192-bit) keys are now known that lead to the same permutation of the S-box. Thus there are two different keys that lead to the same encryption result.

The algorithm is very easy to implement in virtually any hardware and software and is very efficient to compute.

In WEP, the per-packet key was formed by simply joining a fixed secret key and a session key. In this case, however, it is possible to derive the fixed secret key. If instead the key is derived via a hash function or chosen at random, RC4 can still be regarded as secure in this respect.

On Microsoft Windows systems that are joined to an NT domain, the login password that the user enters in the GINA interface is encrypted, after a key has first been negotiated, using RC4-HMAC and transmitted to the server inside a Kerberos frame. The key negotiation takes place while the message "Preparing network connections" is displayed.

Algorithm

The core of the process is the so-called S-box, a random permutation of the standard alphabet (the byte values 0 to 255). By means of the S-box a random string is generated that is combined bit by bit with the message stream by addition modulo 2, i.e. XOR. The S-box is initially set to the identity mapping, so that S[i] = i for i = 0 to 255.

The initial assignment of the S-box can be described by the following pseudocode. The S-box is computed from the key K of length L bytes:

    K[]: given key string of length 5 to 256 bytes
    L:   length of the key in bytes
    S[]: byte vector of length 256
    For i = 0 to 255
        S[i] := i
    j := 0
    For i = 0 to 255
        j := (j + S[i] + K[i mod L]) mod 256
        Swap S[i] with S[j]

The subsequent calculation of the random sequence is analogous:

    clear[]: given plaintext string of length X
    schl[]:  vector for storing the ciphertext
    i := 0
    j := 0
    For n = 0 to X-1
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        Swap S[i] with S[j]
        random number := S[(S[i] + S[j]) mod 256]
        schl[n] := random number XOR clear[n]

For decryption the same algorithm is used, with the ciphertext given as input instead of the plaintext. Two XOR operations with the same random number cancel each other out, and the plaintext is obtained again as output.

Security

Like any stream cipher, RC4 offers no integrity protection. If an attacker modifies a bit of an encrypted message, the same bit of the plaintext changes with it.
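The following is an added example, not code from the original article: a direct transcription of the pseudocode in the Algorithm section (key scheduling, keystream generation, XOR), extended with the "discard the first N keystream bytes" option discussed under Security and a small function showing the integrity problem just described (flipping one ciphertext bit flips the same plaintext bit, undetected). The length check accepts 1 to 256 key bytes rather than the 5 to 256 stated above so that the common short test vectors run; that relaxation is this example's own choice.

```python
def rc4_ksa(key: bytes) -> list:
    """Key scheduling: build the S-box permutation from the key."""
    if not 1 <= len(key) <= 256:   # article states 5..256; relaxed here for test vectors
        raise ValueError("key must be 1..256 bytes")
    s = list(range(256))           # identity mapping, S[i] = i
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]    # swap S[i] with S[j]
    return s


def rc4_keystream(key: bytes, drop: int = 0):
    """Yield the pseudo-random sequence; the first `drop` bytes are discarded
    (RSA Security advised 256; Klein advised 12 rounds, i.e. 12 * 256 = 3072 bytes)."""
    s = rc4_ksa(key)
    i = j = produced = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        produced += 1
        if produced > drop:
            yield s[(s[i] + s[j]) % 256]


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def bit_flip_demo(key: bytes, plaintext: bytes, index: int, mask: int) -> bytes:
    """No integrity protection: XOR `mask` into one ciphertext byte, then decrypt.
    The same bits of the recovered plaintext are flipped and nothing detects it."""
    ct = bytearray(rc4_crypt(key, plaintext))
    ct[index] ^= mask
    return rc4_crypt(key, bytes(ct))


if __name__ == "__main__":
    # Standard test vector: key "Key", plaintext "Plaintext"
    print(rc4_crypt(b"Key", b"Plaintext").hex())                 # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", rc4_crypt(b"Key", b"Plaintext")))    # b'Plaintext'
    print(bit_flip_demo(b"Key", b"Plaintext", 0, 0x20))          # b'plaintext'
```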

The first practical attack on the RC4 cipher was achieved by Scott Fluhrer, Itsik Mantin and Adi Shamir in 2001. RSA Security then recommended discarding the first 256 bytes of the keystream. Andreas Klein improved the attack so that it works even if the first 256 bytes are discarded. He recommended discarding the output of the first 12 rounds.

At the beginning of 2013 a new attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt, which uses statistical anomalies in the RC4 keystream to decrypt a plaintext that is transmitted over multiple RC4-encrypted TLS connections.

Jacob Appelbaum believes that the NSA could break RC4 encryption in real time. Bruce Schneier described this as a plausible conjecture.

The European Network and Information Security Agency (ENISA) recommends replacing RC4 with Rabbit or SNOW 3G. The German Federal Office for Information Security (BSI) does not recommend the use of RC4. The German Finance Agency, for example, no longer accepts RC4 as of November 2013.
