Posted by: Eric Hansen
After reading an interesting article on posing the question of why we are still using RC4 it got me thinking, why not?
Now, the article itself states that while its not gone the route of XOR encryption just yet, its rapidly getting close to that point. A big aspect of using RC4 is its portability and no need of CPU extensions. RC4 was invented in 1987, made public (well, as public as it can be) in 1994, since then all hell has broken lose.
While there are no official documents by RSA on how the algorithm works, many people have been able to replicate it pretty easily, and have even wrote variants of it to improve some of its downfalls (i.e.: RC4+ and ARC). While the article imposes that RC4 be extinct soon, we are after all still using WEP in some of our networks as well (which I believe also uses RC4 for the encryption stream).
Are there better options when we’re talking about SSL/TLS? Always. You can use encryption that requires hardware (fobs), use asymmetric block-stream ciphers like AES, or even write your own (which will most likely not be a better option in practice but is fun to devise regardless personally).
When it comes to IT, everything will be broken. Everything is meant to fail, or else we’d still be content with using bit-shifting to hide our secret love letters (even rot13 is a wiser choice in that regard).