You are on page 1of 24


RC4 Stream Cipher

Prof. Dr. Raul Fernando Weber and Oscar Núñez Mori

Institute of Informatics, UFRGS RS-Brazil
April 30, 2004

• Introduccion
• Secret Key Cryptosystem
• Description
• Source codes of RC4
• RC4 uses OFB
• Pro
• Cons
• Applications
• References
In t r o d u c t io n
RC4 is a stream cipher symmetric key
algorithm. It was developed in 1987 by
Ronald Rivest for RSA Data Security, Inc

RC4 is Ron's code # 4 or Rivest, but the RSA

official term is "Rivest Cipher 4".

Rivest also designed the block ciphers RC2

and RC5, and the block cipher RC6 with

Cipher is a cryptographic algorithm used for

encryption and decryption [1].

Symmetric key algorithm is an algorithm that

uses the same key to encrypt and decrypt,

Stream cipher is algorithm that encrypts

data one byte at a time [1]
RC4 is essentially a pseudo random number generator
(PRNG) with the output of the generator being XORed with
the data stream to produce the encrypted data.

The encryption mechanism used to be a trade secret by

RSA Data Security, until someone posted source code for
an algorithm onto Usenet News, claiming it to be
equivalent to RC4.

There is very strong evidence that the posted algorithm

is indeed equivalent to RC4 [3].
– 1994, leaked to cypherpunks mailing list. An
alleged copy of the RC4 source code was published
– 1995, first cryptanalysis (USENET post)

– 1996, appeared in “Applied Cryptography,” by B.

Schneier as “alleged RC4” [5].
Secret Key Cryptosystem


- RC4 is essentially a pseudo-random number generator initialized
from a secret key of up to 256 bytes.

- The RC4 algorithm generates a "keystream" which is simply XORed

with the plaintext to produce the ciphertext stream.

- Decryption is exactly the same as encryption.

- It uses 256 bytes of memory, S[0] through S[255], and integer

variables, i, j, and k [4].

The RC4 algorithm consists of an initialization stage, which

uses the key to initialize the pseudo-random number generator:

for i = 0 ... 255

S[i] = i
for i = 0 ... 255
j = (j + S[i] + key[i mod key_length]) mod 256
swap (S[i],S[j])
Once the generator has been initialized, both encryption and
decryption is performed using values output from the generation

- The process of encryption and decryption is as follows:

i = 0
j = 0
loop until the entire message is encrypted/decrypted
i = (i + 1) mod 256
j = (j + S[i]) mod 256
k = S[(S[i] + S[j]) mod 256]
output the XOR of k with the next byte of input
Source codes of RC4

- Perl's Version: This was originally implemented by John Allen

as a perl4 script [8]:

#!/usr/bin/perl -p
INIT{sub Q{$s[($_[0]+=$_[1])%=256]}sub
Q$y,$_+hex$k[$x%@k]}@s=0..255}s/\C/$&^chr Q S Q$y,Q$x/eg

- RC4 Source Code: This optimized ARC4 implementation is based

on the original usenet post: RC4 Algorithm revealed, in
sci.crypt (sep. 1994). Thiw implementation of the
ARC4 algorithm by Christophe Devine has GNU General Public
License [9].

- RC4 Stream Cipher Library 1.0 [10].

RC4 uses OFB

Output Feed Back mode (OFB): A Block Cipher in output feedback

mode works as a key stream generator producing a pseudo-random
key sequence a block at a time. By XOR-ing the key stream with
the plaintext the block cipher actually works as a stream cipher


- The difficulty of knowing where any value is in the

table [1].

- The difficulty of knowing which location in the table

is used to select each value in the sequence [1].

- Encryption is about 10 times faster that DES [1].

- support of 8-bit architecture

- simplicity (to circumvent export regulations)

- It is ideal for software implementations, as it
requires only byte-length manipulations

- According to Ilya Mirov [5], RC4 is the most widely-

used stream cipher in the world.
-The RC4 algorithm is vulnerable to analytic attacks of the
state table.

-One in every 256 keys can be a weak key. These keys are
identified by cryptoanalysis that is able to find
circumstances under which one of more generated bytes are
strongly correlated with a few bytes of the key.

- As with all stream ciphers, RC4 is easily broken if the

same key is used twice. This problem is usually solved by
hashing the key with a unique initialization vector (IV)
each time it is used, and sending the IV along with the
message [4].

- It is strongly recommended that the first outputs of this

PRNG generator be discarded and not used to encrypt messages
(256 discards are recommended for maximum security.) Failure
to do so can expose messages to an attack in which the RC4
key can be exposed (see "Fluhrer, Mantin and Shamir Attack")
It is vulnerable to a brute force attack using current

The United States government routinely approves RC4 with

40-bit keys for export. Keys this small can be easily
broken by governments, criminals, and amateurs.

The exportable version of Netscape's Secure Socket

Layer, which uses RC4-40, was broken by at least two
independent groups. Breaking it took about eight days;
in many universities or companies the same computing
power is available to any computer science student [3].

RC4 is used in many applications as follows:

- Browsers: Internet Explorer, Nescape, Mozilla, Opera etc.,
- Commercial ssh
- K Desktop Environment 3.1.0
- WEP (Wired Equivalent Privacy) in IEEE 802.11 standard,
- TKIP (Temporal Key Integrity Protocol) also known as WEP2,
- TLS (Transport Layer Security),
- WPA (Wi-Fi Protected Access),
- Microsoft XBOX,
- Microsoft PPTP,
- Microsoft Office,
- Adobe Acrobat,
- Oracle SQL,
– Lotus Notes,
– Cellular Digital Packet Data,
– OpenBSD pseudo-random number generator, etc.
Browsers use RC4
KDE 3.1.0 uses RC4
Commercial SSH uses arcfour (RC4)

WEP uses RC4

TKIP uses RC4

[1] ht tp ://w w w .n /~g rog an s/algorit hm _ history _ and _ descrip tio.htm
[2] ht tp ://w w w .w isdom .w eizm an n 4/rc4.htm l
[3] ht tp ://w om b at.d oc/fold i?RC 4
[4] ht tp ://en .w ikip /w iki/RC 4_ cip her
[5] “ Old an d N ew A ttacks on RC 4” b y Ily a M iron ov . A p p lied C y p to, Stan d ford
(ily a M iron ov .p p t)
[6] “ Sy m m etric K ey C ry p tog rap hy ” b y Prof . D r.A n d reas Steffen . 2000-2003
Zu rcher H ochschu le Wint erthu r. Sichere N etzw erkkom m u n ikation (SN K ).
10/10/2003. (SN K _ Sy m .p p t)
[7] “ Wireless Secu rity : Prob lem s an d Solut ion s” b y William A A rb au g h. In SA N S
2002 T echn ical C on feren ce Session 1-3. 2002. (1-3_A rb au g h.p d f)
[8] http ://w w w .cy phersp /ad am /rsa/rc4.htm l
[9] http ://w w w .cr0.n et :8040/cod e/cry p to/rc4/
[10] http ://w w w .sev illaon lin /A ctiv eX /v b 5/RC 4L ib .htm
[11] “ N ext G en eration Wireless L A N Secu rity T echn olog y ” b y Su n n y C han .
C han n el D ev elop m en t Su p p ort M an ag er. http :// w w w
[12] htt p ://w w w
Thank you very much.