The RC4 attack can be used to quickly decrypt web cookies that are supposed to be protected by the HTTPS protocol.

Two researchers with the University of Leuven have developed a new, more practical attack technique that exposes weaknesses in the RC4 encryption algorithm.

RC4 is one of the encryption techniques supported by the HTTPS protocol, which ensures the security of web communications. Mathy Vanhoef and Frank Piessens indicated that their technique is so effective that users may want to consider no longer using the algorithm.

Vanhoef and Piessens refer to the technique as the RC4 NOMORE attack – it stands for Numerous Occurrence MOnitoring & Recovery Exploit – and it can be used to decrypt web cookies that are supposed to be protected by the HTTPS protocol, as well as other data that is repeatedly encrypted.

As explained on a website outlining the threat, obtaining a cookie can enable an attacker to log into a website as if they were the target. The attacker can then perform actions such as posting status updates and sending messages, or gain access to personal information such as emails and chat history.

“When the victim visits an unencrypted website, the attacker inserts malicious JavaScript code inside the website,” the researchers wrote. “This code will induce the victim to transmit encrypted requests which contain the victim's web cookie. By monitoring numerous of these encrypted requests, a list of likely cookie values can be recovered. All cookies in this list are tested until the correct one is found.”

Vanhoef and Piessens said that the attack relies on two types of statistical biases in the keystream.

“The first one is that two consecutive bytes are biased towards certain values,” the researchers wrote. “These are commonly called the Fluhrer-McGrew biases. The second type of biases is that a pair of consecutive bytes is likely to repeat itself. These are called the Mantin's ABSAB biases. Both types of biases are combined in our attack. These biases allow us to decrypt repeated plaintext such as cookies.”

Comparing their technique to previously developed RC4 attacks, the researchers determined that their method dramatically decreases execution time, to about 75 hours or less, which they said is worrisome.

Additionally, after demonstrating their attack against a fake website and a victim who was using Internet Explorer, they said this is the first time weaknesses in RC4, when used in TLS and HTTPS, have been exploited against real devices.

Vanhoef and Piessens said that users can take actions to make attacks more expensive, as well as increase the execution time of attacks, but they added that there is no way to prevent the technique from being executed – a problem since RC4 is said to be used in about 30 percent of HTTPS deployments.

The researchers will be presenting their findings at the upcoming USENIX Security Symposium in Washington D.C. They also released a whitepaper with plenty of additional details, including how they can break a Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP) network within an hour.

“More precisely, after successfully executing the attack, an attacker can decrypt and inject arbitrary packets sent towards a client,” Vanhoef and Piessens wrote. “In general, any protocol using RC4 should be considered vulnerable.”