Microsoft to Retire Obsolete Cipher – Ending Decades of Security Issues

December 16, 2025 Lisa Park Tech
News Context
At a glance
  • After decades of security vulnerabilities and recent criticism, Microsoft will finally discontinue support for the RC4 encryption cipher in Windows.
  • Microsoft is retiring the Rivest Cipher 4 (RC4) encryption cipher, a component of Windows that has been supported by default for 26 years.
  • RC4, short for Rivest Cipher 4, was created in 1987 by Ron Rivest of RSA Security.
Original source: it.slashdot.org

Microsoft to Retire Vulnerable RC4 Cipher After 26 Years

After decades of security vulnerabilities and recent criticism, Microsoft will finally discontinue support for the RC4 encryption cipher in Windows. The move addresses a long-standing security risk stemming from its default use in Active Directory since 2000.

Last updated: December 16, 2025, 06:24:13 UTC

What Happened?

Microsoft is retiring the Rivest Cipher 4 (RC4) encryption cipher, a component of Windows that has been supported by default for 26 years. This decision follows over a decade of significant security breaches exploiting RC4's weaknesses and recent public pressure, including criticism from a US Senator. The cipher was initially implemented as the sole means of securing Active Directory in 2000, a critical component for managing user and administrator accounts in large organizations.

At a Glance

  • What: Microsoft is retiring the RC4 encryption cipher.
  • Where: Affects Windows systems using Active Directory.
  • When: Support will be discontinued after 26 years of use, following a decade of exploits and recent criticism (announced December 2025).
  • Why it Matters: RC4 is a vulnerable cipher that has been exploited in numerous hacks.
  • What's Next: Organizations need to migrate away from RC4 to more secure encryption methods.

The History of RC4

RC4, short for Rivest Cipher 4, was created in 1987 by Ron Rivest of RSA Security. It's a stream cipher, meaning it encrypts data one byte at a time. However, the algorithm was leaked in 1994, just days after being protected as a trade secret. This early exposure led to the discovery of numerous vulnerabilities over time.

Despite these known weaknesses, Microsoft chose RC4 as the default encryption method for Active Directory when it launched in 2000. As Steve Syfuhs, who runs Microsoft's Windows authentication team, noted on Bluesky, the problem isn't the algorithm itself, but rather the prolonged reliance on it and the lack of timely updates to address its shortcomings. He stated the issue lies in "how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

Why is RC4 Vulnerable?

RC4 has been shown to be susceptible to various attacks, including:

  • Bias in Key Streams: RC4's output isn't truly random, leading to statistical biases that attackers can exploit.
  • Related-Key Attacks: Attackers can leverage relationships between different keys to break the encryption.
  • Timing Attacks: Variations in the time it takes to decrypt data can reveal information about the key.

These vulnerabilities have been exploited in numerous high-profile hacks over the past decade, prompting security researchers and government officials to call for its removal.

Impact and Mitigation

Organizations using Active Directory are urged to migrate away from RC4 to more secure encryption protocols, such as AES (Advanced Encryption Standard). Microsoft has provided guidance on how to disable RC4 and enable stronger ciphers. Failure to do so leaves systems vulnerable to attack.

The retirement of RC4 is a significant step towards improving
