Re: [TLS] Prohibiting RC4 Cipher Suites

Andrei Popov <> Thu, 22 August 2013 22:31 UTC

From: Andrei Popov <>
To: "Paterson, Kenny" <>, "" <>
Date: Thu, 22 Aug 2013 22:15:57 +0000

Hi Kenny,

Thanks for your comments; I will update the attack description and the link in the next revision of the draft.
-----Original Message-----
From: Paterson, Kenny [] 
Sent: Wednesday, August 21, 2013 2:13 PM
To: Andrei Popov;
Subject: Re: [TLS] Prohibiting RC4 Cipher Suites


Your intro says:

"Recent cryptanalysis results [ALF] exploit biases in the RC4 keystream to recover early portions of plaintexts."

The attacks can recover repeated plaintext from ANYWHERE in the plaintext stream, so they are more flexible in application than your text suggests.

Another (better?) link for the attacks by AlFardan et al. is The "official" USENIX link, which should be long-lasting, is:

Best wishes


On 21/08/2013 13:59, "Andrei Popov" <> wrote:

>Hello All,
>RC4 is a widely deployed cipher, which is commonly preferred by TLS
>servers: our tests show ~40% of the high-traffic HTTPS sites pick RC4 
>if IE offers this cipher. A significant percentage of web sites and 
>e-mail servers have only RC4 enabled,  so a client cannot altogether 
>disable RC4 without breaking interoperability. At the same time, 
>attacks on RC4 are improving (e.g.
>, to the point that practical exploits 
>are possible.
>I have posted a new Internet-Draft "Prohibiting RC4 Cipher Suites"
><>) to
>deprecate the use of RC4 cipher suites in TLS.
>Looking forward to comments and feedback on the draft,
>Andrei Popov
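The keystream bias that both messages above refer to, as an added example (this is not code from the draft, from the thread, or from the AlFardan et al. paper): a minimal RC4, a measurement of the Mantin-Shamir second-byte bias (P[Z_2 = 0] is about 2/256 instead of 1/256), and the resulting "broadcast" recovery of the second plaintext byte when the same plaintext is encrypted under many independent keys. The 16-byte key length, the seeds, the sample counts and the sample plaintext are constructed assumptions. Only the early single-byte bias is shown; the long-term double-byte biases that let the attacks recover repeated plaintext from anywhere in the stream need far more ciphertexts and are not demonstrated here.

```python
"""Constructed demonstration of an RC4 keystream bias (added example,
not code from the draft or from AlFardan et al.)."""
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """RC4 is a stream cipher: ciphertext = plaintext XOR keystream."""
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def random_key(rng: random.Random, length: int = 16) -> bytes:
    """Assumed 16-byte keys, drawn from a seeded PRNG so runs are repeatable."""
    return bytes(rng.getrandbits(8) for _ in range(length))


def second_byte_zero_rate(samples: int, seed: int = 0) -> float:
    """Fraction of random-key keystreams whose second byte Z_2 is zero.

    An unbiased generator would give about 1/256 (0.0039); RC4 gives
    about 2/256 (0.0078), the Mantin-Shamir bias."""
    rng = random.Random(seed)
    zeros = sum(rc4_keystream(random_key(rng), 2)[1] == 0 for _ in range(samples))
    return zeros / samples


def broadcast_ciphertexts(plaintext: bytes, count: int, seed: int = 0) -> list:
    """Constructed 'broadcast' setting: the same plaintext under `count`
    independent random keys, as when a client re-sends the same cookie or
    header in many TLS sessions. Sample data, not captured traffic."""
    rng = random.Random(seed)
    return [rc4_encrypt(random_key(rng), plaintext) for _ in range(count)]


def recover_second_byte(ciphertexts: list) -> int:
    """Since Z_2 == 0 is roughly twice as likely as any other value,
    C_2 = P_2 XOR Z_2 equals P_2 more often than any other byte, so the
    most frequent value of C_2 across the ciphertexts is the guess for P_2."""
    return Counter(c[1] for c in ciphertexts).most_common(1)[0][0]


if __name__ == "__main__":
    print("P[Z_2 = 0] measured:", second_byte_zero_rate(15_000))
    cts = broadcast_ciphertexts(b"GET /account HTTP/1.1", 30_000)
    print("recovered second plaintext byte:", chr(recover_second_byte(cts)))
```

The recovery needs only the ciphertexts, no key material and no chosen plaintext; the attacker's requirement is that the same plaintext byte sits at the same position under many different keys, which is exactly what repeated HTTP headers and cookies provide.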