The RC4 algorithm In Transport Layer Security and Secure Sockets Layer

OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 OWASP PC-C1 CAPEC-310 CWE-829 ISO27001-A.14.1.2 WASC-04 WSTG-CRYP-01

RC4 was first introduced by a group of security scientists (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt). They found out that a new attack against TLS with RC4 encryption allowed an attacker to recover plaintext data from the TLS connection. This attack was possible because of a flaw in the keystream generated by the RC4 algorithm. If the same plaintext is encrypted, again and again, it will leave traces. A remote attacker can perform a plaintext-recovery attack by sniffing the initial bytes of network traffic. The RC4 algorithm can be implemented in both TLS and SSL protocol. The RC4 algorithm is vulnerable during the initialisation phase when the algorithm does not properly combine state data with key data. The attacker can then use a brute-force attack using LSB values.

Impact

Using this vulnerability, an attacker can:-

  • perform a Man-In-The-Middle (MITM) attack. In this attack, an attacker can sniff the communication medium to access sensitive information about the end-users.

  • access the session cookie and recover parts of the cookie to access sensitive information. The attacker can use a BEAST attack to obtain a large number of encryptions. The attacker will use Javascript to make the end users download malicious files from an attacker-controlled website. The downloaded malware is used to generate many HTTPS requests to the victim web server. The session cookies are also included in these requests. An attacker who needs a new SSL connection using the new RC4 keystream prefixes can force terminate SSL session, even after the target encrypted cookie is sent. After this process, the browser will automatically establish a new SSL session every time when the next HTTPS request is sent.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Reconfigure the application and try to avoid the use of RC4 ciphers. It is recommended to use the TLS version 1.2 with AES-GCM suites. This suite is subjected to browser and web server support.
  • The application admin should disable RC4 in their application’s TLS configurations. This change can help to secure the application.
  • We encourage to disable RC4 in the end user browser’s TLS configuration. Internet browser providers should consider removing RC4 from their TLS cipher lists.







Related Articles