RC4

In cryptography, RC4 (also called ARC4 or ARCFOUR) is a way to hide information so only the right people can see it. It was once used a lot because it worked fast and easy on computers. But experts found problems with RC4, making it not safe for keeping secrets.

One big problem with RC4 is that if part of the hidden data is used in a certain way, or if the same secret code is used more than once, bad people can uncover the hidden messages. This problem made some old ways of keeping wireless internet safe, like the WEP system, unsafe.

Because of these problems, important groups like the IETF asked people to stop using RC4 with some internet safety systems called TLS protocol. Big companies like Mozilla and Microsoft also told people to stop using it. Some people made new versions of RC4 like Spritz, RC4A, VMPC, and RC4⁺.

History

RC4 is a type of code called a stream cipher. It was created by Ronald Rivest from RSA Security in 1987. The name RC4 means "Ron's Code." It is part of a group of codes that includes RC2, RC5, and RC6.

At first, the details about RC4 were kept private. But in 1994, someone posted how it works online. After that, people looked closely at RC4 and found ways to break it. RC4 was used in many important systems, like wireless networks and internet security. But later, people learned it had weaknesses. Because of these issues, it was no longer allowed for some uses starting in 2015. Even with its problems, RC4 was liked because it worked quickly and could be used in many different ways.

Description

RC4 is a way to hide information, called a stream cipher. It makes a random-looking set of numbers, called a keystream. This set of numbers is mixed with the original message to hide it. To see the message again, the same process is done using the same keystream, which brings back the original message.

The keystream is made using a secret setup called a state. This state has two parts: a mixed-up list of numbers from 0 to 255, and two pointers that move through this list. The mixing starts with a secret key, and then the keystream is made by moving the pointers and mixing the numbers in the list. Even though RC4 is easy and quick for computers to use, it has some problems that make it less safe today.

Security

RC4 is a type of encryption tool called a stream cipher. It does not use a special number, called a nonce, with the main key. This can cause problems if the same key is used many times. Attackers might then find patterns in the data.

Because of how it works, RC4 can be easier to change or attack without extra safety checks. It was once useful because it avoided a problem that affected other encryption tools. But scientists found new ways to break RC4, especially when many messages use the same key. Because of these issues, using RC4 for important online safety stopped in 2015.

RC4 variants

RC4 has some weaknesses, especially when the first part of its output is used. One way to fix this is to ignore the first few bytes, which is called RC4-drop_N.

Several versions of RC4 have been created to make it stronger. These include RC4A, VMPC, RC4⁺, and Spritz. Each version changes the way RC4 works to try to fix its problems.

RC4-based protocols

RC4 is a kind of encryption used in many technologies and systems. Some of these include WEP for wireless networks, TKIP (which works with WPA), and the BitTorrent protocol encryption. It was also used in older versions of Microsoft Office XP, Microsoft Point-to-Point Encryption, and PDF files.

Other systems like Transport Layer Security and Secure Sockets Layer once allowed RC4 as a choice, but later rules stopped its use. RC4 could also be chosen as an encryption method in Secure Shell, Remote Desktop Protocol, Kerberos, and Skype, among others. When marked with "(optionally)", RC4 was just one of several possible encryption choices for these systems.