LLMpedia: The first transparent, open encyclopedia generated by LLMs

RC4

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: RC4
Designers: Ron Rivest
Publish date: 1987
Derived to: RC5, RC6
Key sizes: 40–2048 bits
Structure: Stream cipher

RC4 is a stream cipher designed in 1987 by Ron Rivest of RSA Security. For many years, its design was a trade secret, but it was anonymously leaked to the Cypherpunks mailing list in 1994. Despite its simplicity and speed, widespread cryptanalysis has revealed significant vulnerabilities, leading to its deprecation in modern TLS and WPA protocols.

Overview

Originally developed for RSA Data Security, Inc., the algorithm was famously reverse-engineered and posted to the sci.crypt newsgroup. It saw extensive adoption in numerous Internet standards, including early versions of the Secure Sockets Layer protocol and the Wired Equivalent Privacy standard for IEEE 802.11 networks. Its integration into major software products from Microsoft and Netscape Communications cemented its position as one of the most ubiquitous ciphers of the 1990s and early 2000s. The algorithm's design emphasizes software efficiency, avoiding complex operations like those found in the Data Encryption Standard.

Algorithm

The cipher operates by maintaining a 256-byte internal state array, often denoted as S, which is initialized by a key-scheduling algorithm that accepts a variable-length key. This initialization phase permutes the array under a secret key, typically between 40 and 256 bits. The core of the cipher is the pseudorandom generation algorithm, which produces a keystream by repeatedly swapping bytes within the state array and outputting one keystream byte per step. This keystream is then combined with the plaintext using the XOR operation to produce ciphertext. The entire process is symmetric, with identical logic used for both encryption and decryption.

Security and cryptanalysis

Significant weaknesses were identified over time, including biases in the initial output bytes and vulnerabilities in the key scheduling process. Research by Fluhrer, Mantin and Shamir produced the devastating attack that bears their names, which could recover the secret key from certain Wired Equivalent Privacy implementations. Further analysis showed the keystream is susceptible to distinguishing attacks, allowing an adversary to differentiate it from true randomness. These flaws were instrumental in the compromise of the Temporal Key Integrity Protocol used in early Wi-Fi Alliance certifications. Notable cryptanalysts from institutions like the Weizmann Institute of Science and the University of California, Berkeley have published extensive attacks, leading to its formal deprecation by the Internet Engineering Task Force.

Usage and applications

Beyond its use in Secure Sockets Layer and Wired Equivalent Privacy, RC4 was implemented in the Microsoft Windows operating system for features like the Encrypting File System. It was also a core component of the Kerberos authentication system and was used in various applications from Oracle Corporation and the Apache HTTP Server. The cipher found a niche in certain Secure Shell implementations and was optionally supported in older versions of the OpenSSL library. Its speed made it popular for encrypting high-volume network traffic in products from Cisco Systems before stronger alternatives like the Advanced Encryption Standard were mandated.

Variants and successors

In response to its weaknesses, several modified versions were proposed, including RC4-dropN, which discards initial keystream bytes to mitigate bias attacks. Spritz was a later redesign by Ron Rivest and his team to address the original algorithm's structural flaws. The development of RC5 and RC6 block ciphers by RSA Laboratories represented a different evolutionary path toward more secure designs. The eventual adoption of the Advanced Encryption Standard, following a public competition organized by the National Institute of Standards and Technology, effectively supplanted RC4 for most standardized cryptographic applications. Modern protocols like Transport Layer Security 1.3 explicitly prohibit its use in favor of authenticated encryption algorithms such as ChaCha20-Poly1305.
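
The key scheduling and keystream generation described under Algorithm, the initial-byte bias noted under Security and cryptanalysis, and the RC4-dropN mitigation above, as an added example (not code from the original article). The specific bias measured, the second keystream byte being 0x00 about twice as often as the ideal 1/256 (Mantin and Shamir), is brought in here; the function names, the `drop` parameter and the hash-derived sample keys are assumptions for illustration.

```python
import hashlib

def ksa(key: bytes) -> list:
    """Key-scheduling algorithm: shuffle the 256-byte state S under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """PRGA: n keystream bytes after discarding the first `drop` (RC4-dropN)."""
    s, i, j = ksa(key), 0, 0
    out = bytearray()
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])

def rc4(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data), drop)))

def second_byte_zero_rate(trials: int, drop: int = 0) -> float:
    """Share of keys whose 2nd emitted byte is 0x00 (ideal: 1/256 = 0.0039)."""
    hits = 0
    for t in range(trials):
        # Constructed sample keys: 16 bytes derived from a counter, so runs repeat.
        key = hashlib.sha256(t.to_bytes(4, "big")).digest()[:16]
        hits += keystream(key, 2, drop)[1] == 0
    return hits / trials

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())  # widely published test vector
    print("no drop :", second_byte_zero_rate(20000))            # about 2/256
    print("drop 256:", second_byte_zero_rate(20000, drop=256))  # about 1/256
```

Discarding initial bytes removes this particular bias but not the long-term keystream biases, which is why the protocols named above dropped the cipher rather than patching it.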