Rivest Cipher 4 (RC4)

January 11, 2021 by Nitesh Malviya

Encryption and Decryption

Encryption is the process of converting plaintext to encrypted text. Since encrypted text cannot be read by anyone, encrypted text hides the original data from unauthorized users. Decryption is the process of converting encrypted data to plaintext. Basically, it is the reverse of encryption. It is used to decrypt the encrypted data so that only an authorized user can access and read the data. The process entailing encryption and decryption together is called cryptography.

Private and Public Keys in Cryptography

A key is a bit valued string which is used to convert the plaintext into cipher text and vice-versa. A key can be a word, number or phrase. Cryptography makes use of public and private keys. A public key is issued publicly by the organization and it is used by the end user to encrypt the data. The encrypted data, once received by the organization, is decrypted by using a private key and the data is converted to plaintext.

Encryption Types

Cryptography uses symmetric and asymmetric encryption for encryption and decryption of data. If the sender and the recipient of the data use the same key to encrypt and decrypt the data, it’s called symmetric encryption and if the keys are different for encryption and decryption then its asymmetric encryption. 

Now the basics are clear, let’s focus on the RC4 Cipher algorithm in this post.


RC4 stands for Rivest Cipher 4. RC4 is a stream cipher and was invented by Ron Rivest in 1987. Since RC4 is a stream cipher, it encrypts the stream of data byte by byte. Of all the stream ciphers, RC4 is the widely used stream cipher due to its speed of operations and simplicity.

RC4 Variants

RC4 has 4 variants to it. They are – 

  1. SPRITZ – Spritz is used to build – 
  1. a) Cryptographic hash function
  2. b) Deterministic random bit generator (DRBG)
  3. c) Encryption algorithm which supports Authenticated Encryption with Associated Data (AEAD).
  1. RC4A – This is a stronger variant than RC4.
  2. VMPC – It stands for Variably Modified Permutation Composition.
  3. RC4A+ – RC4A+ as the name suggests is a modified version of RC4 with a more complex three-phase key schedule and takes 1.7 times as long as basic RC4.

Working of RC4

RC4 makes use of KSA and PRGA Algorithms. Explanation and working of these algo is out of scope. Let’s understand how encryption and decryption takes place in RC4 – 


  1. User inputs a plain text and a secret key.
  2. Encryption engine generates the keystream by using KSA and PRGA Algorithms for the secret key entered.
  3. The generated keystream is XORed with the plain text. Since RC4 is a stream cipher, XORing is done byte by byte and encrypted text is produced.
  4. This encrypted text is now sent to the intended receiver in encrypted form.


Plain Text : 10011001

Keystream  : 11000011


Cipher Text : 01011010



  1. For decryption, cipher text and the same keystream is required which was used for encryption.
  2. The cipher text and the keystream produce plain text using XOR Operation.
  3. Ciphertext is XOR’ed with keystream bit by bit to produce PlainText.


Cipher Text : 01011010

Keystream   : 11000011


Plain Text  : 10011001

Advantages of RC4

  1. RC4 is simple to use.
  2. Speed of operation is fast as compared to other cipher suites.
  3. RC4 cipher is easy to implement.
  4. RC4  does not consume more memory.
  5. For large streams of data, RC4 is the preferred choice.

Disadvantages of RC4

  1. If a strong MAC is not used, RC4 is vulnerable to a bit-flipping attack.
  2. RC4 does not support authentication.
  3. RC4 is not feasible to be implemented on small streams of data.

Attacks on RC4

RC4 is vulnerable to following attacks – 

  1. Fluhrer, Mantin and Shamir attack
  2. Klein’s attack
  3. Combinatorial Problem
  4. Royal Holloway Attack
  5. Bar-mitzvah Attack
  6. NOMORE Attack

RC4 Applications

RC4 application has been found in – 

  • WPA 
  • BitTorrent protocol encryption
  • WEP
  • Microsoft Office XP 
  • Microsoft Point-to-Point Encryption
  • Transport Layer Security / Secure Sockets Layer
  • Secure Shell (optionally)
  • Remote Desktop Protocol
  • Kerberos
  • SASL Mechanism Digest-MD5
  • PDF
  • Skype



Posted: January 11, 2021
Articles Author
Nitesh Malviya
View Profile

Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and open to explore various domains of CyberSecurity. He can be reached on his personal blog – and Linkedin –