The RC4 protocol remains a troublesome part of the SSL, and weaknesses allow for a new Man-in-the-Middle attack vector.
According to the new Hacker Intelligence Initiative Report from Imperva, titled “Attacking SSL when using RC4”, an attack which targets the very basic encryption which is used by SSL/TLS, as well as independently of SSL/TLS, can break supposedly sensitive communications. Around 30 per cent of SSL connections use RC4, despite the cipher being designed more than a quarter of a century ago.
New attack methods are more “stable” than previously published attacks on SSL, Imperva found, and it works in more scenarios. It said that on every attempt, the attacker has some chance to succeed in stealing data from a target as every single time someone uses SSL with RC4 to protect their data, that person has a small but non-negligible chance to have his data compromised.
In the new weakness, named “Invariance”, Imperva said that as RC4 encryption keys are generated for upstream and downstream communication, where the upstream key is used for encryption of client-to-server communication and the downstream key for encryption of server-to-client communication, the Invariance Weakness is expressed only in the first 100 bytes of the keystream.
If an attacker can “sniff” a large number of SSL connections encrypted with RC4, and finds a weak key, the attacker predicts the LSBs of the keystream bytes and uses these to extract the LSBs of the plaintext bytes from the ciphertext with significant advantage.
“In order to fulfil this scenario, the attacker needs to determine which SSL sessions are the ones in which weak keys were used,” the report said. “For this isolation, the attacker can use the fact that the first encrypted bytes include the SSL ‘Finished’ message and HTTP request, both having predictable information. Thus, when a weak key is used, the plaintext patterns are XOR-ed with keystream patterns, generating ciphertext patterns visible to the attacker.”
In an email to IT Security Guru, Amichai Shulman, CTO of Imperva, said that exploiting the vulnerability when RC4 is being used for SSL/TLS is easier than in other usages. Asked why RC4 is still included as a legitimate ciphersuite, he said that even though it is known to be weak, it is probably there is no better or popular, streamcipher.
He said “Creating a new cipher is not easy. RC4 was believed to be strong for many years. The process of accepting a new standard cipher is long and tedious (see how long it took to standardise AES). I think that basically the community is leaning towards not using stream ciphers anymore and therefore once RC4 is officially retired I’m not sure a new stream cipher will emerge. “
Imperva encourages web administrators to disable RC4 in their SSL configuration; web users to disable RC4 in their browser SSL configuration; and browser providers to remove RC4 from their SSL cipher list.