What is RC4?

Rivest Cipher 4, or RC4, is a stream cipher created in 1987. A stream cipher is a type of cipher that operates on data a byte at a time to encrypt that data. RC4 is one of the most commonly used stream ciphers, having been used in Secure Socket Layer (SSL)/ Transport Layer Security (TLS) protocols, IEEE 802.11 wireless LAN standard, and the Wi-Fi Security Protocol WEP (Wireless Equivalent Protocol). RC4 owes its popularity, relating to stream ciphers, to its ease of use and performance speed. Now, significant flaws mean RC4 is not used nearly as often as before.

How secure is RC4?

RC4 was initially used in many applications, like SSL/TLS and WEP, until severe vulnerabilities were found in RC4 in 2003 and 2013. As RC4 was used in WEP, attackers had a chance to practice cracking it as often as they wished. With this practice, a flaw was found in RC4 where the encryption key used by RC4 could be cracked in less than a minute. RC4 keys can come in sizes of 64 or 128-bits, and the 128-bit key is able to be obtained in seconds. At the time, WEP was the only security protocol used for Wi-Fi, so the next phase, Wi-Fi Protected Access (WPA), had to be rushed for use.

Another vulnerability was discovered in RC4 in 2013 while it was being used as a workaround for a cipher block chaining issue that was discovered in 2011. Cipher block chaining is an operational mode used by block ciphers, which RC4 did not use. A group of security researchers found a way around RC4, with only a slight increase in processing power necessary in the previous RC4 attack. Due to these vulnerabilities, and other smaller ones found later, RC4 is no longer a cipher that is recommended to be used.

Variants of the RC4 cipher

There are 4 variants to the regular RC4 cipher:

  1. Spritz – Spritz is used to create cryptographic hash functions and deterministic random bit generator.
  2. RC4A – This is a variant that was proposed to be faster and stronger than the average RC4 cipher. RC4A was found to have not truly random numbers used in its cipher.
  3. VMPC – Variably Modified Permutation Composition (VMPC) is a version of RC4 that was found to have not truly random numbers used in its cipher, like RC4A.
  4. RC4A+ – RC4A+ is an advanced version of RC4A that is longer and more complex than RC4 and RC4A, but is stronger as a result of its complexity as well.

Advantages and Disadvantages

RC4 boasts a number of advantages compared to other stream ciphers:

  • RC4 is extremely simple to use, thus making the implementation simple as well.
  • RC4 is fast, due to its simplicity, which makes it a better performing cipher.
  • RC4 also works with large streams of data swiftly and easily.

Though it has advantages, RC4 has many disadvantages as well:

  • The vulnerabilities found in RC4 means RC4 is extremely insecure, so very few applications use it now.
  • RC4 cannot be used on smaller streams of data, so its usage is more niche than other stream ciphers.
  • RC4 also does not provide authentication, so a Man in the Middle attack could occur, and the RC4 cipher user would be none the wiser.