Prohibiting RC4 Cipher Suites
Microsoft Corp., One Microsoft Way, Redmond, WA 98052, USA; andreipo@microsoft.com
Internet Engineering Task Force, General area, TLS working group
This document requires that Transport Layer Security (TLS) clients and servers
never negotiate the use of RC4 cipher suites when they establish connections. This
applies to all TLS versions. This document updates RFCs 5246, 4346, and 2246.
RC4 is a stream cipher that is described in ; it is widely
supported, and often preferred by TLS servers. However, RC4 has long been known
to have a variety of cryptographic weaknesses, e.g., see ,
, and . Recent cryptanalysis results
exploit biases in the RC4 keystream to recover repeatedly
encrypted plaintexts.
These recent results are on the verge of becoming practically exploitable;
currently, they require 2^26 sessions or 13 × 2^30 encryptions. As a result, RC4 can
no longer be seen as providing a sufficient level of security for TLS sessions.
This document requires that TLS clients and servers never negotiate the use of
RC4 cipher suites.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
Because of the RC4 deficiencies noted in , the following apply:
TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.
TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a
cipher suite in the ClientHello message.
If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate
the handshake. The TLS server MAY send the insufficient_security fatal alert in this
case.
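As an added illustration that is not part of this document, the following Python models the three rules above at both ends of the handshake: the client strips RC4 suites before building its ClientHello offer, the server ignores any RC4 suites it is offered and terminates the handshake (sending insufficient_security) when nothing else was offered. The suite names come from the appendix of this document; the server preference list and the ClientHello offers are constructed for the example, and the substring test in is_rc4_suite deliberately generalises beyond the appendix so that an RC4 suite the list does not name is still refused.

```python
# Added example, not text from the RFC: models the RC4 prohibition at both
# ends of a TLS handshake, using cipher-suite names rather than codepoints.
from typing import List, Optional, Tuple

# The RC4 cipher suites defined for TLS, copied from the appendix of this document.
RC4_CIPHER_SUITES = frozenset({
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_RC4_128_MD5",
    "TLS_KRB5_WITH_RC4_128_SHA",
    "TLS_KRB5_WITH_RC4_128_MD5",
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    "TLS_PSK_WITH_RC4_128_SHA",
    "TLS_DHE_PSK_WITH_RC4_128_SHA",
    "TLS_RSA_PSK_WITH_RC4_128_SHA",
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDH_anon_WITH_RC4_128_SHA",
    "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
})

# Constructed server preference list for this example (not from the RFC). The
# trailing RC4 entry stands for a stale legacy configuration that must never win.
SERVER_PREFERENCES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def is_rc4_suite(name: str) -> bool:
    """True for any suite in the appendix list; the substring test also catches
    RC4 suites the list does not name (a deliberate generalisation)."""
    return name in RC4_CIPHER_SUITES or "_RC4_" in name


def rc4_suites_in(configured: List[str]) -> List[str]:
    """Audit helper: the RC4 entries present in a client or server configuration."""
    return [s for s in configured if is_rc4_suite(s)]


def client_hello_suites(configured: List[str]) -> List[str]:
    """Client side: the suites a compliant client puts in ClientHello. RC4 suites
    MUST NOT be included, whatever the local configuration says."""
    return [s for s in configured if not is_rc4_suite(s)]


def select_cipher_suite(offered: List[str],
                        preferences: List[str] = SERVER_PREFERENCES
                        ) -> Tuple[Optional[str], Optional[str]]:
    """Server side. Returns (selected_suite, alert); alert is None on success.

    - A client that offers only RC4 suites gets the handshake terminated; the
      RFC says the server MAY send insufficient_security, which we do here.
    - Otherwise RC4 offers are ignored and the server's own preference order
      decides among the remaining suites; no match yields the ordinary
      handshake_failure alert defined in the TLS base specification.
    """
    if offered and all(is_rc4_suite(s) for s in offered):
        return None, "insufficient_security"
    acceptable = {s for s in offered if not is_rc4_suite(s)}
    for pref in preferences:
        if pref in acceptable and not is_rc4_suite(pref):
            return pref, None
    return None, "handshake_failure"


if __name__ == "__main__":
    # Constructed ClientHello offers for the example.
    mixed = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    rc4_only = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"]
    print(select_cipher_suite(mixed))         # ('TLS_RSA_WITH_AES_128_CBC_SHA', None)
    print(select_cipher_suite(rc4_only))      # (None, 'insufficient_security')
    print(rc4_suites_in(SERVER_PREFERENCES))  # ['TLS_RSA_WITH_RC4_128_SHA']
```

The point of keeping an RC4 entry in the constructed preference list is that the prohibition has to hold even when an operator forgets to clean up configuration: select_cipher_suite never returns it, and rc4_suites_in reports it so the stale entry can be removed.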
The list at the end of this document gives the RC4 cipher suites defined for
TLS.
This document helps maintain the security guarantees of the TLS protocol by prohibiting
the use of the RC4-based cipher suites (listed at the end of this document),
which do not provide a sufficiently high level of security.
RFC 2119, "Key words for use in RFCs to Indicate Requirement Levels"
RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2"
RFC 4346, "The Transport Layer Security (TLS) Protocol Version 1.1"
RFC 2246, "The TLS Protocol Version 1.0"
Paul and Maitra, "Permutation after RC4 Key Scheduling Reveals the Secret Key"
Mantin and Shamir, "A Practical Attack on Broadcast RC4"
Fluhrer, Mantin, and Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4"
AlFardan, Bernstein, Paterson, Poettering, and Schuldt, "On the Security of RC4 in TLS and WPA"
Schneier, "Applied Cryptography: Protocols, Algorithms, and Source Code in C"
The following cipher suites defined for TLS use RC4:
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_PSK_WITH_RC4_128_SHA
TLS_DHE_PSK_WITH_RC4_128_SHA
TLS_RSA_PSK_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_ECDHE_PSK_WITH_RC4_128_SHA
This document was inspired by discussions with Magnus Nystrom, Eric
Rescorla, Joseph Salowey, Yaron Sheffer, Nagendra Modadugu, and others
on the TLS mailing list.