RC4 (also known as Rivest Cipher 4) is a form of stream cipher. It encrypts messages one byte at a time via an algorithm.
Plenty of stream ciphers exist, but RC4 is among the most popular. It's simple to apply, and it works quickly, even on very large pieces of data. If you've ever used an application like TSL (transport layer security) or SSL (secure socket layer), you've probably encountered RC4 encryption.
But you may not know how it works.
We'll take a high-level approach and explain what the Rivest Cipher is in terms anyone can understand. We'll also explain why it's helpful, and we'll point out a few known limitations.
What is a Rivest Cipher?
In 1987, a man named Ron Rivest developed the RC4 encryption method. He intended to keep the rules of the cipher secret, and if his plan had worked, he would have created one of the safest tools anyone could use to protect information. Unfortunately, his plans didn't succeed.
In 1994, an anonymous person posted an intricate description of the cipher's rules in a public space. Now that RC4's rules are out in the open, we know much more about how it works. Unfortunately, that means hackers know a lot more about how to break it too.
RC4 relies on:
- Key inputs. This tool generates an eight-bit number (cipher) that's impossible to guess.
- Keystreams. The cipher scrambles plain text.
- Product. An X-OR operation combines the keystream with the cipher.
Developers continue to build on and improve RC4 encryption. They hope to minimize hacking risks, although experts say hackers can still get through. New versions include RC4A, VMPC, and SPRITZ. All are more complex and take longer to break, but the hacking risks persist.
Programmers keep working on tools like this due to ongoing hacking risks. Encryption protects very delicate information, including company trade secrets. People must share that data so others can work with it. But without encryption, anyone could see the data as it passes from one person to another.
Poor encryption tools create vulnerabilities hackers can exploit. The stronger the system, the more completely it can protect you.
How does RC4 work?
RC4 encryption isn't omnipresent. In fact, the Internet Engineering Task Force has explicitly banned RC4's use in some spaces. But knowing how the tool works could help you improve upon it as you look for ways to protect your data.
To explain things simply, RC4 relies on this step-by-step model:
- Initiate: You input a secret key and the text you'd like to protect.
- Encrypt: The cipher scrambles your text via encryption. The work happens byte by byte rather than in chunks.
- Send: Your scrambled text heads to the recipient. That person should have a copy of the secret key you used to protect the data.
- Decryption: The recipient walks back through these steps to uncover your original text.
For the math-minded among us, let's dig a little deeper. RC4 relies on two mathematical concepts:
- KSA: A key-scheduling algorithm initializes the process in an array typically referred to as "S." That "S" is processed 256 times, and bytes from the key are mixed in too.
- PRGA: Data is fed in byte by byte, and a mathematical model modifies it. The model looks up values, add them to 256, and uses the sum as the byte within the keystream. It swaps each element with another at least once every 256 rounds.
RC4 relies on random number generators. But unlike other stream ciphers, RC4 doesn't need linear-feedback shift registers.
RC4’s encryption tools are sophisticated. They typically contain 256 bytes, and the text passes through mathematical rules multiple times before it's considered complete. If you intercept data encrypted with RC4, you'll see only a series of zeroes and ones. But if you have the proper key, you can transform that data into legible information.
Despite its complexity, RC4 is remarkably fast. In fact, it's one of the fastest tools on the market. For people who don’t want to spend long minutes on both encryption and decryption, that speed is ideal.
Pros and cons of RC4
Should you use this form of encryption, or should you keep digging until you find a tool that's perfect in every way? Understanding the risks and benefits can help you make a smart choice for yourself and your business.
Speed and ease of use are among RC4's major benefits. With just a few lines of code, you can implement protections with RC4 encryption, and you won't cause any kind of lag or drag for your users.
But RC4 can be hacked, especially if you use the same key repeatedly. If a hacker breaks the code once, and you use the same key, you've extended an open invitation to decode everything you send. You must proceed with care.
RC4 also isn't ideal if you have tiny bits of data to send across. The tool is meant for use on very large pieces of information, and it can break down when applied to something small.
Move past encryption
Scrambling data before you send it should be part of every company's security plan. But you'll also need to protect your servers, and you'll need tools to help you spot and stop malignant software. We can help.
At Okta, we're industry leaders in security. Learn more.
References
The Most Efficient Distinguishing Attack on VMPC and RC4A. ECRYPT.
Ethical Hacking: Breaking Cryptography (For Hackers). (September 2019). Infosec.
Prohibiting RC4 Cipher Suites. (February 2015). Internet Engineering Task Force.
The RC4 Stream Encryption Algorithm. (2005). William Stallings.
Stream Ciphers and Message Integrity. (June 2017). Alexei Kojenov.
