• Home
• Protector
• Portable Penetrator
• Cloud Penetrator
• Penetrator
• Partners

You are here: Resources > IT Security Technical Resources Part4 > RC4

RC4

RC4 in cryptographic terms is a software stream cipher that's quite popular and ubiquitous in the field. It's also known by the names of ARC4 or ARCFOUR (Alleged RC4). This prevalent cipher has a wide range of applications, and it's particularly paired up with widely used protocols such as SSL or Secure Sockets Layer for Internet traffic protection as well as WEP for the sake of safeguarding wireless networks from the evils of malware and cybercrime. Although it's quite renowned for its speed in software and its simplicity in use, RC4 isn't perfect by any stretch of the imagination. It also suffers from shortcomings and susceptibilities that make administrators wary about using it in newer, more complicated systems. More to the point, whenever nonrandom or interconnected keys are used with the cipher, or whenever the start of the output keystream isn't discarded, RC4 is especially vulnerable to cracking.

There are ways of utilizing RC4 that can result to open and weak cryptosystems, such as its dubious applications with WEP. Ron Rivest of RSA Security (one of the three people who figured out the RSA algorithm and revealed its secrets to the general public) was the one who designed RC4 way back in 1987. Officially, the acronym "RC4" stands for "Rivest Cipher 4", but unofficially, it's believed to be termed as "Ron's Code", because Rivest also made block cipher codes such as RC2, RC5, and RC6. At first a trade secret, RC4's description was published on the Cypherpunks mailing list back in September 1994 by an anonymous source. The post eventually found its way to the sci.crypt newsgroup, which then led to it going viral, its secrets revealed in a variety of sites within the early nineties Internet.

The exposed code was established to be real because its output was proven to match that of propriety applications that made use of the licensed RC4 as its protection cipher of sorts. Ever since the algorithm was leaked, it was no longer considered a trade secret. Furthermore, because the name "RC4" remains a trademarked brand, the cipher has been alternatively called ARC4 (Alleged RC4) and ARCFOUR to avoid any trademark disputes. Rivest himself, ironically enough, has linked the English Wikipedia article describing RC4 in his course notes even though his company, RCA Security, has never formally and legitimately released the algorithm to the general public. Ever since it was exposed and even before that, RC4 had become a staple of IT security.

It has become part of typically used encryption standards, with applications extending to TLS, WPA for wireless cards, and WEP. Nevertheless, its main claims to fame are its quickness and straightforwardness. There are few algorithms out there that can beat RC4's ease of use, efficiency, and intuitiveness when implemented on both hardware and software. When compared to modern stream ciphers like eSTREAM, RC4 doesn't take an individual nonce next to the key. It's the cryptosystem that defines how to merge the long-term key and the nonce to produce RC4's stream key.