Attack breaks RC4 cipher in 75 hours, busts SSL, WPA

— 9:12 AM on July 17, 2015

Researchers have found yet another way to attack the aging RC4 stream cipher, an encryption scheme still used by many websites' SSL setups and the legacy Wi-Fi encryption protocol WPA-TKIP. The new attack only requires 75 hours' worth of collected data, or 52 hours if JavaScript is injected into a victim's browser.

The RC4 cipher has been under scrutiny for quite some time. Several research papers detail a variety of methods that would make an attack computationally feasible. The previous minimum data collection time that researchers believed necessary was around 2,000 hours, which was deemed practical enough to be concerning. The new attack is more practical still.

RC4 itself was originally designed in 1987, and systems administrators everywhere have been advised to disable it in their servers' SSL setups. Despite those warnings, it's still available in about 30% of SSL-secured websites. Meanwhile, TKIP is still allowed in 71% of protected Wi-Fi networks. Last March, the Wi-Fi Alliance recommended that administrators disable WPA entirely. Home users should check their router settings and ensure that their Wi-Fi networks are secured using WPA2 only.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.