
RC4 Encrypt & Decrypt online

RC4 (Rivest Cipher 4) stream cipher — for testing legacy systems — runs in your browser

// WARNING: RC4 is cryptographically broken and banned from TLS (RFC 7465). Do not use for security. For learning and legacy testing only.

RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR) was one of the most widely used stream ciphers in the world for two decades, found in WEP/WPA Wi-Fi security, SSL/TLS, and many other protocols. Its simplicity made it fast and easy to implement, but multiple security weaknesses have been discovered that make it unsuitable for any modern use.

How RC4 Works

RC4 has two phases: key scheduling (KSA) and pseudo-random generation (PRGA). The key is used to initialise a permutation of 256 bytes, which is then used to generate a keystream. This keystream is XOR'd with the plaintext to produce ciphertext. As XOR is symmetric, the same operation decrypts ciphertext.

Where RC4 Was Used

Frequently Asked Questions

Can RC4 be cracked?

Yes. RC4 has known biases in its first bytes of keystream, and the BEAST, CRIME, and POODLE attacks can recover plaintext from RC4-encrypted TLS sessions. With sufficient captured ciphertext, statistical attacks can recover the key.
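The two phases described under "How RC4 Works" and the early-keystream bias mentioned in the answer above, as an added JavaScript example (not this tool's own code). The function names, the 16-byte key length and the seeded xorshift32 key generator are assumptions chosen for illustration; the first printed value is the widely published "Key"/"Plaintext" test vector.

```javascript
const toBytes = (s) => new TextEncoder().encode(s);
const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// KSA: start from the identity permutation and shuffle it under the key.
function ksa(key) {
  if (key.length < 1 || key.length > 256) throw new RangeError("key must be 1..256 bytes");
  const S = Uint8Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  return S;
}

// PRGA: keep swapping entries of S and emit one keystream byte per step.
function keystream(key, n) {
  const S = ksa(key), out = new Uint8Array(n);
  for (let k = 0, i = 0, j = 0; k < n; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Encrypt and decrypt are the same XOR; key and data are Uint8Arrays.
function rc4(key, data) {
  const ks = keystream(key, data.length);
  return data.map((b, k) => b ^ ks[k]);
}

// Counts how often keystream byte 2 is 0x00 over `trials` 16-byte keys drawn
// from a seeded xorshift32 (constructed, reproducible test keys; not a CSPRNG).
function secondByteZeros(trials, seed = 0x9e3779b9) {
  let x = seed, zeros = 0;
  const key = new Uint8Array(16);
  for (let t = 0; t < trials; t++) {
    for (let k = 0; k < 16; k++) {
      x ^= x << 13; x ^= x >>> 17; x ^= x << 5;
      key[k] = (x >>> 8) & 0xff;
    }
    if (keystream(key, 2)[1] === 0) zeros++;
  }
  return zeros;
}

console.log(toHex(rc4(toBytes("Key"), toBytes("Plaintext")))); // bbf316e8d940af0ad3
console.log(secondByteZeros(1 << 16), "zeros; a uniform byte would give about", (1 << 16) / 256);
```

The second count comes out at roughly twice the uniform expectation, which is the kind of early-keystream bias the answer refers to.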

What should I use instead of RC4?

For symmetric encryption, use AES-256-GCM or ChaCha20-Poly1305. Both are secure and fast, and both provide authenticated encryption (AEAD), which protects against tampering as well as eavesdropping.