
Microsoft said it has worked tirelessly over the past decade to remove RC4, but the task was not easy.
No salt, no iterations? Really?
Steve Syfuhs, who runs Microsoft’s Windows authentication team, wrote on Bluesky: “The problem, however, is that it is difficult to eliminate a cryptographic algorithm that has been present in every OS shipped for the last 25 years and was the default algorithm for so long.” “See,” he added, “the problem is not that the algorithm exists. The problem is how the algorithms are chosen, and the rules governing the code change over the course of 20 years.”
Over those two decades, developers discovered several critical RC4 vulnerabilities that required “surgical” fixes. Microsoft considered discontinuing RC4 by this year, but ultimately backed off after discovering vulnerabilities that still required more fixes. During that time Microsoft introduced some “minor improvements” that encouraged the use of AES and, as a result, RC4 usage declined by “orders of magnitude”.
“Within a year we saw RC4 usage go to basically zero. That’s not a bad thing and actually gave us a lot more flexibility to eliminate it completely because we knew it wasn’t really going to break people, because people weren’t using it.”
Syfuhs documented additional challenges Microsoft faced and the approach it took to solve them.
RC4 itself has known cipher weaknesses that make it insecure, but Kerberoasting exploits a different one: the way Active Directory derives the RC4-HMAC key. That key is simply the account’s NT hash, a single pass of the MD4 hash function over the password with no salt. A salt is extra input, unique to each account, that is mixed into the password before hashing; it prevents a hash cracked for one account from being reused against another and forces attackers to spend more time and resources on every hash. MD4 is also a fast function that needs only modest resources per guess. Microsoft’s AES (AES-SHA1) implementation is deliberately slow: it salts the password and iterates the hash function thousands of times to slow down cracking attempts. Overall, cracking a password protected by AES-SHA1 takes roughly 1,000 times the time and resources.
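The following is an added example, not code from the article or from Microsoft. It derives both key types from one password so the difference in cracking cost is visible: the RC4-HMAC key is the NT hash (one unsalted MD4 over the UTF-16LE password, RFC 4757), while the AES key starts from PBKDF2-HMAC-SHA1 over the password with a per-principal salt and 4096 iterations (RFC 3962). The salt used here is the RFC 4120 default (upper-cased realm followed by the principal name); Windows applies its own salt rules for some account types, which this example does not model. The final RFC 3962 DK() step is omitted because it needs an AES primitive and adds only a small fixed cost per guess. Realm, principal and password values are constructed.

```python
"""RC4-HMAC vs AES Kerberos key derivation, to show why one cracks cheaply.

Added example (not from the article or Microsoft). The MD4 implementation is
included because hashlib's md4 is frequently unavailable under OpenSSL 3.
"""
import hashlib
import struct
import time

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (mixing function, additive constant, message-word order, shifts) per round
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so every step updates "a"
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC key (RFC 4757): one unsalted MD4 over the UTF-16LE password.
    Realm and account name play no part, so equal passwords give equal keys."""
    return md4(password.encode("utf-16le"))


def aes_string_to_key_base(password: str, realm: str, principal: str,
                           iterations: int = 4096, key_len: int = 32) -> bytes:
    """PBKDF2 stage of the AES string-to-key function (RFC 3962).
    Salt = default Kerberos salt, REALM + principal (RFC 4120 s.4); Windows's
    exact salt rules are not modelled (assumption). The real AES key is
    DK(this_output, "kerberos"), omitted here. key_len 32 = AES256, 16 = AES128."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_len)


def guesses_per_second(derive, trials: int = 100) -> float:
    """Rough single-threaded rate for a derivation function over a constructed wordlist."""
    candidates = [f"Summer{n:04d}!" for n in range(trials)]
    start = time.perf_counter()
    for cand in candidates:
        derive(cand)
    return trials / (time.perf_counter() - start)


def main() -> None:
    realm, pw = "CORP.EXAMPLE", "Summer2024!"          # constructed values
    print("NT hash (RC4 key):   ", nt_hash(pw).hex())
    print("AES256 PBKDF2 base:  ", aes_string_to_key_base(pw, realm, "svc_sql").hex())
    # Two accounts sharing a password: the RC4 keys collide, the AES keys do not.
    same_aes = aes_string_to_key_base(pw, realm, "svc_sql") == aes_string_to_key_base(pw, realm, "svc_web")
    print("AES keys equal across accounts:", same_aes)
    rc4_rate = guesses_per_second(nt_hash)
    aes_rate = guesses_per_second(lambda p: aes_string_to_key_base(p, realm, "svc_sql"))
    print(f"RC4 {rc4_rate:,.0f} guesses/s, AES {aes_rate:,.0f} guesses/s, "
          f"ratio ~{rc4_rate / aes_rate:,.0f}x")


if __name__ == "__main__":
    main()
```

The measured ratio understates the real gap: MD4 here runs in pure Python while PBKDF2 runs in OpenSSL’s C code, whereas a cracking tool runs both natively and the 4096 salted iterations are the whole of the difference. The collision check is the salt point from the paragraph above: a Kerberoaster who cracks one RC4 ticket has cracked every account that shares the password.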
Windows administrators would do well to audit their networks for any use of RC4. Given how widely it was adopted and how long it has stayed in use across the industry, it may still be active, to the surprise and dismay of those charged with defending against attackers.
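One place such an audit starts is the domain controllers’ Security log: Event ID 4769 (a Kerberos service ticket was requested) carries a TicketEncryptionType field, where 0x17 is RC4-HMAC and 0x11/0x12 are AES128/AES256. The example below is added here and is not from the article; it runs detection logic over constructed sample records laid out as a CSV export. The event field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are the 4769 event data names, but the CSV shape and the account, service and address values are constructed, and the suspect threshold is an assumption to tune per environment.

```python
"""Audit exported 4769 events for RC4 service tickets.

Added example, not from the article. Two questions a defender wants answered:
which services are still being issued RC4 tickets (accounts to move to AES),
and which requesters pull RC4 tickets for many services (the Kerberoasting
pattern). Sample records are constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Microsoft's documented encryption-type codes for the TicketEncryptionType field
ENCRYPTION_TYPES = {
    "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
}
RC4_CODES = {"0x17", "0x18"}

# Constructed sample: the CSV layout is assumed, not a Windows export format.
SAMPLE_EXPORT = """EventID,TargetUserName,ServiceName,TicketEncryptionType,IpAddress
4769,alice@CORP.EXAMPLE,svc_web,0x12,10.0.0.5
4769,alice@CORP.EXAMPLE,svc_sql,0x17,10.0.0.5
4769,bob@CORP.EXAMPLE,svc_web,0x12,10.0.0.9
4769,bob@CORP.EXAMPLE,svc_sql,0x17,10.0.0.9
4769,carol@CORP.EXAMPLE,svc_sql,0x17,10.0.0.77
4769,carol@CORP.EXAMPLE,svc_web,0x17,10.0.0.77
4769,carol@CORP.EXAMPLE,svc_backup,0x17,10.0.0.77
4768,carol@CORP.EXAMPLE,krbtgt,0x17,10.0.0.77
"""


def rc4_service_tickets(export_text: str):
    """Yield (requester, service, ip) for every 4769 issued with an RC4 etype.
    4768 (TGT) rows are skipped: the TGT etype depends on the krbtgt account,
    not on the service account a Kerberoaster targets."""
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"] != "4769":
            continue
        if row["TicketEncryptionType"].strip().lower() in RC4_CODES:
            yield row["TargetUserName"], row["ServiceName"], row["IpAddress"]


def summarize(export_text: str):
    """Return (RC4 ticket count per service, set of RC4 services per requester)."""
    per_service: Counter = Counter()
    services_by_requester = defaultdict(set)
    for requester, service, _ip in rc4_service_tickets(export_text):
        per_service[service] += 1
        services_by_requester[requester].add(service)
    return per_service, dict(services_by_requester)


def kerberoast_suspects(services_by_requester, threshold: int = 3):
    """Requesters holding RC4 tickets for at least `threshold` distinct services
    (threshold is an assumed starting point, tune it to the environment)."""
    return sorted(r for r, s in services_by_requester.items() if len(s) >= threshold)


if __name__ == "__main__":
    per_service, by_requester = summarize(SAMPLE_EXPORT)
    print("RC4 tickets per service (candidates for AES enablement):")
    for service, count in per_service.most_common():
        print(f"  {service:12s} {count}")
    print("Kerberoasting suspects:", kerberoast_suspects(by_requester))
```

Read the two outputs differently. A service that shows up for many requesters is almost always an account that still lacks AES in msDS-SupportedEncryptionTypes, so the KDC has nothing stronger to issue; fix the account. A single requester collecting RC4 tickets for many services is the Kerberoasting shape, because the attacker asks for RC4 on purpose to get the cheap-to-crack ticket; investigate the requester and the source address.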