RC4 Attack in SSL/TLS
As Matthew Green says, RC4 is old and crummy. The advantage is RC4 is pretty fast, requires less hardware and does not require padding such as CBC-mode. On the other hand, about 50 percent of SSL traffic uses RC4 because it was recommended to use instead of CBC due the BEAST and Lucky Thirteen attacks.
The multisession attack can only be carried out by a determined attacker who can generate sufficient sessions for the attack. Sufficient is defined as more than 16 million sessions where they can recover a limited amount of plaintext. As such, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, please remember the cryptographer’s adage: attacks always get better, they never get worse. Otherwise, fix it today, so you don’t have to fix it in the future.
The idea is the bytes coming out of the RC4 aren’t quite random-looking. They have small biases. By getting many different encryptions of the same message using different keys, the attacker can use the small deviations to figure out what was encrypted.
The research team states there are several possible countermeasures against their attacks:
- Switch to CBC-mode ciphersuites. This is a suitable countermeasure provided previous CBC-mode attacks, such as BEAST and Lucky Thirteen, have been patched. Many implementations of TLS 1.0 and 1.1 now have patches against these attacks.
- Switch to AEAD ciphersuites, such as AES-GCM. This is probably a future solution as support for AEAD ciphersuites is specified in TLS 1.2, which is not widely supported.
- Patch TLS’s use of RC4. This solution is not practically deployable given the large base of legacy implementations and the lack of a facility to negotiate such a byte discarding procedure.
- Modify browser behavior. There are ways to modify the manner in which a browser using TLS handles HTTP GET requests to make the attack less effective. However, care is needed to avoid potential future improvements to their attack.
The bottom line is the industry needs to move to TLS 1.2 and use AEAD ciphersuites.
For website operators and browser users, you need to use the common support technique. Use the latest version of your software and apply patches as they become available.
I love the team’s answer to the question, “Why doesn’t the attack have a cool name?”
Response, in Western culture, naming one’s attacks after obscure Neil Young albums is now considered passé. And I thought Zuma, Re-ac-tor or Fork in the Road would have been great attack names. For now it’s just called the AlFardan-Bernstein-Paterson-Poettering-Schuldt (AlFBPPS) attack.
Updated April 4, 2013: Opera is making changes to address the problems with RC4. Hopefully the other browsers will follow suit.