SWEET32 Attack: 3DES and Blowfish Ciphers Considered Insecure

Share this…

HTTPS and VPN traffic broken with new semi-practical attack. Two scientists from the French Institute for Research in Computer Science and Automation (INRIA) have published new research that details an attack that recovers data from TLS (HTTPS) traffic that was encrypted with 64-bit ciphers, more precisely with Triple DES (3DES) and Blowfish algorithms.

Encryption is a complicated subject, and not everyone understands what happens when someone breaks some of its smaller parts.

Encryption schemes don’t work by encrypting each bit at a time, but encrypt data in blocks. The bigger the block, the better the encryption.

A block cipher algorithm (ciphersuite) takes an encryption key (randomly generated strings) and the user’s text (in this case a 64-bit block) and converts it to ciphertext (the encrypted data).

Two of the algorithms created to work with 64-bit block ciphers are 3DES and Blowfish. 3DES is mostly used for TLS/SSL to encrypt HTTPS and SSH traffic, while Blowfish is used more with VPN clients.


Improperly setup HTTPS and VPN connections in danger

Two French researchers, Karthikeyan Bhargavan and Gaëtan Leurent, have created a practical attack on 64-bit ciphers that can allow the attacker to retrieve the plaintext data the user feeds the algorithm, without knowing the encryption key.

These types of attacks are known as collision attacks and have been known for decades. For 64-bit ciphers, they were only detailed at the theoretical level, while on weaker ciphers they have been seen in live attacks.

The INRIA researchers have now published a relatively fast and practical attack on 64-bit ciphers, which they said they successfully tested in a laboratory environment.

1-2% of all Internet traffic might be vulnerable to SWEET32 attacks

The attack, dubbed SWEET32, needs some special conditions, like servers using the 3DES and Blowfish ciphers in CBC (Cipher Block Chaining) mode, and the attacker managing to obtain a position to sniff traffic between the two parties.

Additionally, the servers to which clients connect must support long-lived TLS sessions without forcing an encryption key renegotiation in the middle of the SWEET32 attack.

According to the researchers between 1 percent and 2 percent of the entire Internet traffic may be susceptible to SWEET32 attacks due to how webmasters configured their servers.

SWEET32 attack needs 30-38 hours to perform

If the attacker is able to monitor long-lived TLS and HTTPS connections negotiated via the vulnerable ciphersuites, he can use malicious JavaScript files inserted on the client-side (via ads or malware) to ping the server with a high number of requests.

These requests are usually accompanied with HTTP cookie files, embedded in the HTTPS data stream, used to authenticate the client.

Researchers say that after sending constant server requests for between 30 and 38 hours, and collecting around 785 GB of traffic, they’ll be able to spot a collision attack, which will allow them to recover the contents of the cookie file, containing authentication and user session details.

These details can then be used to log into the user’s account. Some of the sites the researchers found vulnerable to SWEET32 attacks include eBay, Walmart, NASDAQ, and a series of banks from around the world.

Researchers also demonstrated a similar attack on VPNs, more precisely on OpenVPN, where long-lived Blowfish connections are established by default.

3DES and Blowfish need to follow RC4’s path

Researchers recommend that software makers, browser vendors, and server administrators move away from insecure 64-bit block ciphers to more advanced encryption algorithms. They propose a similar deprecation plan used for RC4.

Last year in July, a research paper detailed a new attack on RC4, and now, a year later, almost all browser vendors except Apple have announced deprecation plans.

The OpenSSL project has already removed 3DES support from the default build of OpenSSL 1.1.0, set to be officially released in the upcoming months. OpenVPN 2.3.12 will also feature a warning about using Blowfish to encrypt traffic, but nothing more.

“While these are not the easiest attacks to run, it’s a big problem that there even exist semi-practical attacks that succeed against the encryption used in standard encryption protocols,” cryptographer Matthew Green explains. “This is a problem that we should address, and papers like this one can make a big difference in doing that.”