Cryptography Reference
secret for seven years. It has been used in many commercial products, including
Lotus Notes, Oracle Secure SQL, and not least the popular Internet browser
Netscape Navigator. In contrast to RC5, which is a block algorithm, RC4 is a
typical stream cipher: a byte sequence is created dependent on a key of variable
length and used as a one-time pad. The ciphertext results from simple bytewise
XORing of the key byte sequence with the plaintext, and the reversion works
similarly.
Up to September 10, 1994, this was basically everything people knew about
this algorithm. On that date, a C program that produced the same results as the
commercial software packages that used RC4 was suddenly posted anonymously
(through the cypherpunks mailing list) to the Internet newsgroup sci.crypt. That
was it — RC4 was revealed. Part of the response was rather unfriendly. I quote
the original posting by David Sterndark (NETCOM On-line Communication
Services) in the same newsgroup on September 14, 1994, as an example:
I am shocked, shocked, I tell you, shocked, to discover that the cypherpunks have
illegally and criminally revealed a crucial RSA trade secret and harmed the
security of America by reverse engineering the RC4 algorithm and publishing it to the
world.
I will join this ugly game that harms the security of America and present you
with the algorithm in Figure 5.21.
The method is astonishingly simple and extremely easy to program (it is very
software-friendly, but less suitable for hardware). Since index i traverses all
values from 0 to 255 cyclically, each number P_i is swapped with another one
every 256 steps at the most. How j changes obviously cannot be told unless
one knows the key. To determine the key byte, RC4 uses the sum of two secret
P_k as an index. Therefore, a statement about a few P_k would probably not tell
us much. The RC4 design is really simple and clever. According to comments
by the company RSADSI, no attack using differential or linear cryptanalysis
is known. More doesn't appear to be known. I am convinced that this will
change, because such a simple and important algorithm will surely be studied
thoroughly.
But bear in mind that RC4 is a stream cipher and as such is vulnerable to
insertion attacks (see Section 5.1.1). If a software package uses RC4 without
an initialization vector (which could precede the key in the simplest case), then
this software is dangerous, no matter how good RC4 may be! You can read
about other ways in which this good algorithm has been implemented insecurely
in txt/cryptana/wlanrc4.txt on our Web site.
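The following added example (not code from the book, and not the 1994 posting) implements RC4 as described above and shows why omitting the initialization vector is dangerous: with the same key, the key byte sequence repeats and cancels out when two ciphertexts are XORed. The function names, the 16-byte IV length and the sample messages are assumptions made for this illustration.

```python
# Added illustration (not code from the book): RC4 as publicly described since 1994.
import os

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of the key byte sequence for a 1..256-byte key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    P, j = list(range(256)), 0
    for i in range(256):                    # key setup: shuffle P under the key
        j = (j + P[i] + key[i % len(key)]) % 256
        P[i], P[j] = P[j], P[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256                   # i traverses 0..255 cyclically
        j = (j + P[i]) % 256                # j depends on the secret state
        P[i], P[j] = P[j], P[i]
        out.append(P[(P[i] + P[j]) % 256])  # sum of two secret P_k as an index
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the same bytewise XOR works in both directions."""
    return xor(data, rc4_keystream(key, len(data)))

def encrypt_with_iv(key: bytes, plaintext: bytes, iv=None) -> bytes:
    """Page's simplest case: a fresh IV precedes the key; IV is sent in clear."""
    iv = os.urandom(16) if iv is None else iv
    return iv + rc4(iv + key, plaintext)

def decrypt_with_iv(key: bytes, blob: bytes, iv_len: int = 16) -> bytes:
    return rc4(blob[:iv_len] + key, blob[iv_len:])

def reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Without an IV the key stream repeats, so it cancels out of c1 XOR c2."""
    return xor(rc4(key, m1), rc4(key, m2))

if __name__ == "__main__":
    KEY = b"constructed-demo-key"           # constructed sample values
    M1, M2 = b"PAY 0100 TO ALICE", b"PAY 9999 TO BOB.."
    print("no IV:   c1^c2 == m1^m2 ->", reuse_leak(KEY, M1, M2) == xor(M1, M2))
    b1, b2 = encrypt_with_iv(KEY, M1), encrypt_with_iv(KEY, M2)
    print("with IV: c1^c2 == m1^m2 ->", xor(b1[16:], b2[16:]) == xor(M1, M2))
    print("round trip ok ->", decrypt_with_iv(KEY, b1) == M1)
```

Prepending the IV to the key is only the simplest case the text mentions; it is used here to show the effect of an IV, not as a recommended construction.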