Login | Register   
LinkedIn
Google+
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

RC4 Usage Errors Leave Your Data Exposed : Page 2

Some inherent usage errors in many applications that employ the RC4 algorithm leave the applications vulnerable to attacks. Learn these errors and how to rectify them.


advertisement
The Solutions
There are a number of ways to rectify this issue. They include:
  • If you are using RC4, never use the same key to encrypt more than one message.
  • If you must use the same key (you'd better have a good reason!) then consider using a salt with the key.
  • Don't use a stream cipher. Use a block cipher such as RC2, 3DES, or AES (when available).
There is one more issue about RC4 you should be aware of: RC4 is susceptible to a bit-flipping attack. Because RC4 encrypts data a byte at a time, an attacker can modify one byte of ciphertext and the recipient would not know the data is changed. This is particularly dangerous if the attacker knows the format of a message, but not the message. Imagine that an attacker knows a message is constructed like this:

hh:mm dd-mmm. bbbbbbbbbbbbbbbbbbbbbbbbbbbb

Where:
  • hh = hour (using 24-hour clock)
  • mm = minutes
  • dd = day
  • mmm = three-letter month abbreviation
  • bbbbb = message body
Imagine the following scenario. Gandalf (a good guy) decides to send a message to Frodo (another good guy), which before RC4 encryption is:

18:00 03-Sep. Meet at Weathertop. Gandalf.

Note: We assume that Gandalf and Frodo have a pre-determined shared key they use to encrypt and decrypt data.



As you can see, Gandalf wants to meet Frodo at Weathertop at 6pm on September 3rd. As an attacker you do not have the plaintext, only the ciphertext. However, you could change one or more of the encrypted bytes in the time and date field and then forward the changed message to Frodo. If you're lucky, when Frodo decrypts the message the time will not be 18:00, and Frodo won't make it to Weathertop at the allotted time. This is a great attack, because RC4 does not detect errors! In the case of a block cipher such as DES, a tweak to one bit will change at least 64 bits (the block size) when the data is decrypted, making tampering somewhat evident. In short, bit-flipping is much harder to pull off against a block cipher.

(By the way, if you have no idea who or what Gandalf, Frodo, or Weathertop are, then may I suggest you read J.R.R. Tolkien's wonderful book, "The Lord of the Rings".)

You can rectify this problem by using digital signatures or message authentication codes (MAC), but that's a topic for another day!

RC4 has proven to be a fast and secure encryption method, but usage issues abound—most notably key re-use and bit-flipping attacks. Use the steps outlined in this article to help mitigate these issues: don't re-use encryption keys and use some form of message authentication technique, such as an HMAC or digital signature to determine that your messages haven't been altered.



Michael Howard is a program manager on the Windows 2000 security team. He is the author of Designing Secure Web-Based Applications for Microsoft Windows 2000 and has spoken about security-related issues at many events, including Microsoft Tech�Ed, Microsoft Professional Developer's Conferences, and numerous industry gatherings.
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap