Cryptography

 describe the strengths and weaknesses of RC4.  When and why was its use discontinued?  What algorithms replaced RC4?   You are also required to post a response to a minimum of two other students.

 You must use at least one scholarly resource.   Every discussion posting must be properly APA formatted.  

Raghuram

Rivest Cipher 4

Rivest Cipher 4 refers to a stream cipher in cryptography that generates a keystream by using a secret internal state consisting of a version of all 256 possible bytes and two 8-bit index-pointers (AlFardan et al., 2013). RC4 stream ciphers are mostly used because of their speed and simplicity. These stream ciphers are easy to use, they can only be used once, and it also has a high-performance rate compared to other ciphers. Despite having strengths, RC4 stream ciphers have vulnerabilities, and they do not give authentication. They fail to use related or non-random algorithm keys and fail to fling the output keystream’s start.

 In September 2015, Microsoft broadcasted the discontinued support for RC4 on cipher on Internet Explorer 11 and Microsoft Edge since it was no longer secure cryptographically. RC4 cipher use was discontinued because it’s a stream cipher that is more manipulable than the mutual block ciphers. So if they are not used together alongside a robust message authentication code, the encryption is susceptible to a flicking attack and is also susceptible to an attack if not applied correctly (Jindal & Singh, 2015). RC4 stream ciphers cannot be applied to small data streams, which also made it deprecated.

Since RC4 is known to have several flaws in the method it uses and constructs keys, most security professionals endorse the use of other symmetric algorithms (AlFardan et al., 2013). The Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES) are mainly used algorithms. The Triple Data Encryption Standard is a balanced key block cipher placed on the trio DES cipher algorithm to each data chunk. Simultaneously, the Advanced Encryption Standard is a symmetrical block cipher selected by the U.S. government to guard classified information. It is put into operation in hardware and software through the universe to encode delicate data. It is fundamental for government computer security, electronic data security, and cybersecurity.

References

AlFardan, N., Bernstein, D. J., Paterson, K. G., Poettering, B., & Schuldt, J. C. (2013). On the Security of RC4 in {TLS}. In 22nd {USENIX} Security Symposium ({USENIX} Security 13) (pp. 305-320).

Jindal, P., & Singh, B. (2015). RC4 encryption-a literature survey. Procedia Computer Science, 46, 697-705.

Avinash

RC4 Algorithm Strengths The difficulty of knowing where any value is in the table, the difficulty of knowing which location in the table is used to select each value in the sequence, a particular RC4 Algorithm key can be used only once and encryption is about 10 times faster than DES. RC4 Algorithm Weakness the algorithm is vulnerable to analytic attacks of the state table, one in every 256 keys can be a weak key. These keys are identified by cryptanalysis that is able to find circumstances under which one of more generated bytes are strongly correlated with a few bytes of the key. WEAK KEYS: these are keys identified by cryptanalysis that is able to find circumstances under which one or more generated bytes are strongly correlated with small subset of the key bytes. These keys can happen in one out of 256 keys generated. The first weakness is the existence of large classes of weak keys in which a small part of the secret key determines a large number of bits of the initial permutation KSA output. In addition, the Pseudo Random Generation Algorithm PRGA translates these patterns in the initial permutation into patterns in the prefix of the output stream and thus RC4 has the undesirable property that for these weak keys its initial outputs are disproportionally affected by a small number of key bits (Sullivan, 2018).

            RC4 is demonstrably broken and unsafe to use in TLS as currently implemented. The difficulty is that, for public web sites that need to support a wide user base, there is practically nothing 100% secure they can use to replace RC4. We now have no choice but to accept that, no matter what settings we use, some segment of the user base will be at risk. Web application administrators should strongly consider disabling RC4 in their applications’ TLS configurations. Web users (particularly power users) are encouraged to disable RC4 in their browser’s TLS configuration. Browser providers would do well to consider removing RC4 from their TLS cipher lists. Organizations leveraging Imperva Secure Sphere to protect their business-critical web applications and data, and wherein Secure Sphere is set to handle TLS connections on behalf of the applications, can configure Secure Sphere to stop using the weak ciphers and work only with robust ciphers (Sullivan, 2018).

References:-

Sullivan, N. (2018, August 27). Killing rc4: The long goodbye. Retrieved March 09, 2021, from 

https://blog.cloudflare.com/killing-rc4-the-long-goodbye/