The world's most-used software stream cipher, RC4, is not just insecure, but also vulnerable to practical attacks, researchers say. As a result, many security experts, including Alan Woodward, have called on organizations to quickly ditch RC4, which is widely used for corporate WiFi security as well as Transport Layer Security.
"RC4: you just wonder to yourself why is it still in the encryption suites," says Woodward, who's a visiting professor of computer science at England's Surrey University, as well as an adviser to Europol, the association of European police agencies. His concern stems from warnings in recent years that a known weakness in RC4 could theoretically be exploited to crack anything that was encrypted using the algorithm.
But Woodward's call to now eliminate RC4 from enterprises has been prompted by the so-called RC4 NOMORE attack, developed by researchers Mathy Vanhoef and Frank Piessens from the University of Leuven in Belgium.
The researchers, who will present a related paper at the August Usenix Security Symposium in Washington, D.C., say their proof-of-concept attack demonstrates how an attacker could decrypt TLS cookies encrypted with RC4 within 75 hours, as well as break the RC4-based WPA-TKIP ( WiFi Protected Access Temporal Key Integrity Protocol), used to secure some WiFi devices, within about an hour. "Based on these results, we strongly urge people to stop using RC4," they say.
In an interview with Information Security Media Group, Woodward notes that the warning to eliminate RC4 comes on the heels of warnings to excise other insecure technology from enterprises, including Oracle's Java browser plug-in and Adobe Flash, both of which continue to be frequent zero-day attacks targets.
"We can send a spaceship to Pluto, why can't we do without Flash, for god's sake?" he says. "Most of the zero days that have come out have to do with Java and Flash. They're obvious targets."
In this interview with Information Security Media Group, Woodward also discusses:
- Why the quest for backwards compatibility is undermining information security;
- Legacy infrastructure problems, such as domain name system security and insecure Border Gateway Protocol Internet routing;
- The need for more "secure by default" approaches that focus on having to turn technology on, rather having to disable it.
In addition to his role as visiting professor at the department of computing at University of Surrey, Woodward is a cybersecurity adviser to Europol's European Cybercrime Center, as well as non-executive director at TeenTech, which encourages teenagers to pursue careers in the fields of science, engineering and technology.