pixel_dreams - Fotolia
I've heard about the "Bar Mitzvah attack" that exploits weak keys used by the RC4 algorithm. My organization uses RC4 and is reluctant to move off it because of performance concerns. How serious are the risks around RC4, and is there anything else my enterprise can do to maintain the security of RC4?
This is a good example of using data to drive decisions around information security risks. I am curious more about the performance concerns of RC4 alternatives and the costs associated with the potential additional processing power necessary to address these concerns. These costs may be reasonably calculated -- for example, if you have eight servers in a load-balanced cluster for a high-volume Web application and you now need two additional servers to handle the same load, those two servers would be a hard cost. Likewise, the cost to switching off of using the RC4 algorithm could also be calculated.
The "Bar Mitzvah attack" requires a sniffer or man-in-the-middle attack to passively collect data and extract parts of the plaintext key and some of the plaintext data. Based on this data, the attacker is then able to reduce the time needed to break the encryption to get access to all of the plaintext data.
If your enterprise does not want to replace the RC4 algorithm, it should note that maintaining the security of the environment will require making other improvements to how SSL and TLS are used, so it is worth the additional effort to migrate away from RC4 in general.
The RC4 algorithm has been known to be weak for the last decade; enterprises should start planning to migrate to AES as soon as possible. While the algorithm is not completely broken, an attack that makes using RC4 futile is only a short time away. Rather than needing an emergency to replace RC4, careful planning to replace it now with AES should be done. Also, RC4 is used in more than just SSL -- it is also in wireless encryption -- so identifying where the RC4 algorithm is used in the enterprise will be one of the first steps to making the change.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)
Don't miss SearchSecurity's encryption and cryptography primer
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading