Ben Laurie blathering

The BBC Thinks RC4 is Crackable

Newsnight got a ton of flak over describing file sharing as theft. But, they whine, the real point is that encryption is being used, like, all over the place! And this means that the good folk at GCHQ will have a terrible time decrypting it all. Which they need to do to catch all the paedophiles and terrorists, obviously.

What they’ve totally missed is that the volume is not the issue, the strength of the encryption is. Newsnight’s self-styled “resident ubergeek”, Adam Livingstone, thinks RC4 is weak and could be cracked if only those pesky BitTorrenters wouldn’t clutter up the ‘net with their encrypted copies of broadcast TV (which, of course, they shouldn’t be sharing anyway – just because anyone can watch it, it doesn’t mean anyone can watch it, now does it? That stands to reason).

Mr. Livingstone should try consulting some real geeks before he opens his big mouth again.

Oh, and they also sob:

What we’d really like to hear is a debate on the issue we did raise. If the ISPs can’t now detect torrent data, then how will the security services manage it? And if they do figure it out, won’t RnySmile and company just up the ante again?

If you want a debate on that, dude, then provide somewhere to debate it. Or just read my blog – that’s your kind of debate: unidirectional.


  1. Many implementations of RC4 (such as the one used for WEP encryption) *are* crackable — RC4 doesn’t use unique nonces, so in order to be secure an implementation should generate the RC4 key by taking the “actual” key and hashing it with a nonce (generally created using some sort of HMAC scheme).

    RC4 also has a key schedule that’s susceptible to attack, and the first few bytes of encrypted data are skewed statistically and can reveal information about the key — with enough messages the key is fairly easily discovered. (This is why WEP can now be broken in a matter of minutes with easily obtained tools.)

    Generally RC4 is no longer considered “secure enough” — modified implementations (such as WPA) are OK in practical terms, but use of RC4 is largely discouraged.

    Comment by Mat Hall — 9 Mar 2006 @ 15:29

  2. Indeed it is the case that there are many ways to shoot yourself in the foot with RC4, just as there are with other cryptographic algorithms.

    This does not equate to RC4 not being considered secure. Properly used, it is secure.

    Comment by Ben — 10 Mar 2006 @ 11:04

  3. And as the article said “the RC4 encryption IN QUESTION (my emphasis) isn’t so very powerful” and as even Azureus themselves say this implementation isn’t intended to be and isn’t very secure, I’d say someone else might “try consulting some real geeks before he opens his big mouth again.”

    Fair point about the lack of debating forum though.

    Comment by wigwam — 11 Mar 2006 @ 13:48

  4. You slightly overstate the security of RC4.

    First, how is anyone to know whether they’re using RC4 “properly” or not? It was never officially published, so there’s never been an official spec to refer to which documents proper usage. Some stream ciphers have strong key schedules, in which case simply concatenating key and IV would be perfectly proper. It’s only with hindsight that we say WEP’s usage was “improper” (though you might argue that a good cryptographer would look at RC4’s key schedule and say “let’s not rely on that”).

    Second, even when used “properly” there’s the Fluhrer/McGrew trigraph distinguisher which requires a few gigabytes of output. On the one hand, it’s only a distinguisher, but on the other hand you can’t defend against it by, for example, changing keys every kilobyte. It’s because of that attack that RC4 is no longer recommended.

    Comment by Paul Crowley — 12 Mar 2006 @ 8:53

  5. You need to separate the RC4 issues from the usage issues. WEP is a marvelous case because of the sheer number of bad decisions in it that could have easily been right.

    For example, one of the most devastating WEP attacks is that it only has 2^24 different keystreams, no matter what stream cipher you use. RC4 isn’t the issue. The issue is that you shouldn’t send a stream cipher to do a block cipher’s job. If WEP used God’s Own Cipher, there would still be this 2^24th attack.

    As for it, itself, the biggest problem with it is that it’s kinda sorta okay. For most of the things it’s used for (SSL connection for a web page), it’s mostly okay. If you were setting up a new site, I would put it in the negotiation list last, but the costs of eliminating it (lots of stupid systems like browsers in phones stop working) are higher. Either you lose those people as users, or they go in plaintext. RC4 at a decent keylength (like 128 bits) is not so bad that you might as well do it in plaintext. In the total security chain, it is by no means the weak link.

    But on the other hand, using it in a new system is silly. There are many better alternatives.

    Comment by Jon Callas — 12 Mar 2006 @ 22:46
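An added example, not code from the post or from any of the commenters, that checks three points made in comments 1 and 5 with a small RC4 implementation: that the first keystream bytes are statistically skewed (the second byte is zero about twice as often as chance) and that discarding the leading bytes removes that skew; that a 24-bit IV space produces a repeated IV after roughly 4,800 frames at even odds, whatever cipher sits behind it; and that deriving the per-message RC4 key by hashing the base key with a nonce (HMAC-SHA256 here), rather than prepending the IV as WEP did, is the "proper usage" comment 1 describes. The helper names, the HMAC choice, the 16-byte derived-key length, the 256-byte drop and the seeded random sample keys are all assumptions made for this example.

```python
"""Added example (not from Ben Laurie's post or the commenters): a small RC4
in pure Python used to check claims made in the comments above.

Assumed/constructed: the helper names, the HMAC-SHA256 derivation, the 16-byte
derived-key length, the 256-byte drop and the fixed RNG seed are all choices
made for this example, not a standard."""
import hashlib
import hmac
import math
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA) then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_xor(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """XOR data with RC4 keystream, optionally discarding the first `drop` bytes."""
    ks = rc4_keystream(key, drop + len(data))[drop:]
    return bytes(a ^ b for a, b in zip(data, ks))


# Comment 1: the first keystream bytes are skewed. Mantin/Shamir: the second
# output byte is 0 with probability about 2/256 rather than 1/256.
def second_byte_zero_rate(trials: int, drop: int = 0, seed: int = 1) -> float:
    """Fraction of random keys whose keystream byte at offset drop+1 is zero."""
    rng = random.Random(seed)                  # fixed seed so the run is repeatable
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed random key
        ks = rc4_keystream(key, drop + 2)
        zeros += ks[drop + 1] == 0
    return zeros / trials


# Comment 5: a 24-bit IV gives only 2^24 keystreams, whatever the cipher.
# Birthday bound: probability that n frames repeat an IV, and frames needed for p.
def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


# Comment 1's remedy: derive the per-message key by hashing the real key with a
# nonce (HMAC here) instead of prepending the IV as WEP did, and drop the
# skewed leading bytes. Both are choices made for this example.
def derive_key(base_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(base_key, nonce, hashlib.sha256).digest()[:16]


def encrypt(base_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return rc4_xor(derive_key(base_key, nonce), plaintext, drop=256)


decrypt = encrypt   # RC4 is symmetric: the same operation recovers the plaintext


if __name__ == "__main__":
    print("P[z2 = 0], raw RC4     :", second_byte_zero_rate(20000))
    print("P[z2 = 0], drop 256    :", second_byte_zero_rate(8000, drop=256))
    print("frames for 50% IV reuse:", frames_for_collision(0.5))
    ct = encrypt(b"thirteen-byte", b"\x00\x00\x01", b"hello")
    print("round trip ok          :", decrypt(b"thirteen-byte", b"\x00\x00\x01", ct) == b"hello")
```

The bias measurement is a distinguisher check, nothing more: it confirms comment 1's statement and shows that the usual RC4-drop practice removes it. The birthday figure is the point of comment 5 in numbers: with 2^24 IVs the keystream repeats after a few thousand frames no matter which stream cipher is behind it, so the nonce space, not the cipher, is the limiting factor. HMAC derivation means no byte of the RC4 key is predictable from the public nonce, which is the property WEP's IV||key construction lacked.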
