Follow Slashdot stories on Twitter


Forgot your password?

Submission + - Cryptographers Break Commonly Used RC4 Cipher For Web Encryption (

Sparrowvsrevolution writes: At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking TLS and SSL web encryption when it's combined with the popular stream cipher RC4 invented by Ron Rivest in 1987. Bernstein demonstrated that when the same message is encrypted enough times--about a billion--comparing the ciphertext can allow the message to be deciphered. While that sounds impractical, Bernstein argued it can be achieved with a compromised website, a malicious ad or a hijacked router.

It's long been suspected that RC4 had weakness based on biases in how it generates random numbers. But sites have nonetheless been moving back to the scheme in response to news of vulnerabilities in AES and Triple DES exploited by recent cryptographic attacks like BEAST and Lucky 13, both of which showed flaws in SSL and TLS in combination with block ciphers. With the news of RC4's insecurity it now seems that it's likely safer to stick with those more modern ciphers and depend on browser vendors to patch the flaws used by those other attacks.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Cryptographers Break Commonly Used RC4 Cipher For Web Encryption

Comments Filter:

Profanity is the one language all programmers know best.