RC4 crypto: Get RID of it already, say boffins

This one simple attack busts WPA-TKIP in less than an hour


Remember how many times the crypto world has shouted that the RC4 crypto algorithm needs to be wiped from the face of the Earth? It just got even worse, with researchers demonstrating an attack that can be executed in 52 hours.

Belgian researchers preparing for August's Usenix Security Symposium in Washington, DC, reckon they can decrypt cookies encrypted with RC4 within 75 hours (PDF here).

Mathy Vanhoef and Frank Piessens of the University of Leuven worked on sites running TLS with RC4, and Wi-Fi's also-known-to-be-weak WPA-TKIP.

As they explain here, the weakness of RC4 (inherited by systems using it) is based on biases in the RC4 keystream. The bias was already known, and is why vendors like Microsoft are working to deprecate it. What's different in the new work is the acceleration of the cryptanalysis Vanhoef and Piessens carry out.

For HTTPS sessions secured by TLS and using RC4 for encryption, the authors reckon they can “decrypt a secure cookie with a success rate of 94 per cent using 9x227 cyphertexts”.

This is comparable to work published in March which claimed success using 226 encryptions of a password.

To break TLS/HTTPS, the Belgian researchers injected known data around the cookie, “abusing this by using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plain-text candidates … we are able to execute the attack in merely 75 hours”.

(That is, with 75 hours' worth of sample data, the researchers were able to complete an attack, compared to the “2,000 hours”required for previous attacks.)

If JavaScript code is added into the victim's browser, “we were able to execute the attack … within merely 52 hours”.

For WPA-TKIP it's even worse – the researchers' attack can be “executed within an hour”:

“To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets”.

In practice, the problem is that it's hard to get rid of something so widely used. Back in March, around 30 per cent of all TLS traffic still used RC4. ®

Similar topics


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading

Biting the hand that feeds IT © 1998–2022