I've heard about the "Bar Mitzvah attack" that exploits weak keys used by the RC4 algorithm. My organization uses RC4 and is reluctant to move off it because of performance concerns. How serious are the risks around RC4, and is there anything else my enterprise can do to maintain the security of RC4?
This is a good example of using data to drive decisions around information security risks. I am more curious about the performance concerns of RC4 alternatives and the costs associated with the potential additional processing power necessary to address these concerns. These costs may be reasonably calculated -- for example, if you have eight servers in a load-balanced cluster for a high-volume Web application and you now need two additional servers to handle the same load, those two servers would be a hard cost. Likewise, the cost of switching away from the RC4 algorithm could also be calculated.
The "Bar Mitzvah attack" requires a sniffer or man-in-the-middle attack to passively collect data and extract parts of the plaintext key and some of the plaintext data. Based on this data, the attacker is then able to reduce the time needed to break the encryption to get access to all of the plaintext data.
If your enterprise does not want to replace the RC4 algorithm, it should note that maintaining the security of the environment will require making other improvements to how SSL and TLS are used, so it is worth the additional effort to migrate away from RC4 in general.
The RC4 algorithm has been known to be weak for the last decade; enterprises should start planning to migrate to AES as soon as possible. While the algorithm is not completely broken, an attack that makes using RC4 futile is only a short time away. Rather than waiting for an emergency to force the change, plan carefully now to replace RC4 with AES. Also, RC4 is used in more than just SSL -- it is also in wireless encryption -- so identifying where the RC4 algorithm is used in the enterprise will be one of the first steps to making the change.
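One way to start that inventory for SSL/TLS traffic, as an added example that is not part of the original answer: a Python script that tallies, per host, how many logged connections negotiated an RC4 suite and which clients did so. The key=value log format, host names and addresses are constructed assumptions, and it presumes the TLS terminator is configured to log the negotiated cipher.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic). Assumed format: key=value fields,
# with cipher= holding the negotiated suite name as the TLS terminator logged it.
SAMPLE_LOG = """\
host=shop.example.test client=192.0.2.10 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
host=shop.example.test client=192.0.2.11 proto=TLSv1 cipher=RC4-SHA
host=shop.example.test client=192.0.2.11 proto=TLSv1 cipher=RC4-SHA
host=api.example.test client=198.51.100.7 proto=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA
host=api.example.test client=198.51.100.8 proto=TLSv1.2 cipher=AES256-SHA
host=api.example.test client=198.51.100.9 proto=- cipher=-
this line is malformed and must be skipped
"""

FIELD = re.compile(r"(\w+)=(\S+)")
# RC4 is a delimited component of suite names (OpenSSL "-" or IANA "_" style).
RC4_COMPONENT = re.compile(r"(^|[-_])RC4([-_]|$)")

def parse_line(line):
    """Return the line's fields, or None if it records no negotiated cipher."""
    fields = dict(FIELD.findall(line))
    if not {"host", "client", "cipher"} <= fields.keys() or fields["cipher"] == "-":
        return None
    return fields

def rc4_inventory(log_text):
    """Per host: connection count, RC4 count and share, and the RC4 clients."""
    totals, rc4_hits = Counter(), Counter()
    rc4_clients = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # plain-HTTP or unparseable line
            continue
        totals[rec["host"]] += 1
        if RC4_COMPONENT.search(rec["cipher"].upper()):
            rc4_hits[rec["host"]] += 1
            rc4_clients[rec["host"]].add(rec["client"])
    report = {h: {"connections": n, "rc4": rc4_hits[h], "rc4_share": rc4_hits[h] / n,
                  "rc4_clients": sorted(rc4_clients[h])} for h, n in totals.items()}
    return report, skipped

if __name__ == "__main__":
    report, skipped = rc4_inventory(SAMPLE_LOG)
    for host, row in sorted(report.items()):
        print(f"{host}: {row['rc4']}/{row['connections']} RC4, clients={row['rc4_clients']}")
    print("skipped lines:", skipped)
```

The per-host RC4 share and client list show which services and which clients would be affected by disabling RC4, which feeds directly into the cost calculation discussed earlier in the answer.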
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)