New Sweet32 Attack Hits Blowfish, 3DES

Researchers have developed a practical, relatively fast attack on 64-bit block ciphers that can allow attackers to recover authentication cookies as well as other credentials from some HTTPS-protected sessions.

The attack, known as SWEET32, specifically affected TripleDES and Blowfish, two of the more popular such ciphers, and their implementations in TLS and the OpenVPN protocols. OpenSSL also is affected by the attack, although the maintainers of that software say that the attack doesn’t constitute a critical weakness. Developed by a pair of French researchers, the SWEET32 attack further illustrates the need for sites to upgrade to modern, more secure ciphers.

“We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic. In our proof-of-concept demo, this attack currently takes less than two days, using malicious Javascript to generate traffic,” the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France, said.

“This attack is comparable to the recent attacks on RC4.”

“Keeping a web connection alive for two days may not seem very practical, but it worked easily in the lab. In terms of computational complexity, this attack is comparable to the recent attacks on RC4. We also demonstrate a similar attack on VPNs that use 64-bit ciphers, such as OpenVPN, where long-lived Blowfish connections are the norm.”

The kind of attack that Bhargavan and Leurent have demonstrated has been known in the cryptographic community previously, but the researchers were able to reduce the complexity and time needed to execute it. In practical terms, the SWEET32 attack makes some long-term HTTPS connections more susceptible to attack, and especially OpenVPN connections. The researchers estimated that the majority of OpenVPN connections would be affected by the attack, along with about 0.6 percent of HTTPS connections.

“An important requirement for the attack is to send a large number of requests in the same TLS connection. Therefore, we need to find client and servers that not only negotiate the use of Triple-DES, but also exchange a large number of HTTP request in the same TLS connection (without rekeying). This is possible using a persistent HTTP connection, as defined in HTTP/1.1 (Keep-Alive). On the client side, all browsers that we tested (Firefox, Chrome, Opera) will reuse a TLS connection as long as the server keeps it open,” the researchers said.

Bhargavan and Leurent reported their findings to the affected vendors, including the major browser makers and OpenSSL and OpenVPN. The vendors all are making changes to their software to address the issue.

“For 1.0.2 and 1.0.1, we removed the triple-DES ciphers from the ‘HIGH’ keyword and put them into “MEDIUM.” Note that we did not remove them from the ‘DEFAULT’ keyword. For the 1.1.0 release, which we expect to release tomorrow, we will treat triple-DES just like we are treating RC4. It is not compiled by default; you have to use ‘enable-weak-ssl-ciphers’ as a config option. Even when those ciphers are compiled, triple-DES is only in the ‘MEDIUM’ keyword. In addition, because this is a new release, we also removed it from the ‘DEFAULT’ keyword,” the OpenSSL team said.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed