Big data busts crypto: 'Sweet32' captures collisions in old ciphers

Boffins blow up Blowfish and double down on triple DES


Researchers with France's INRIA are warning that 64-bit ciphers – which endure in TLS configurations and OpenVPN – need to go for the walk behind the shed.

The research institute's Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a “birthday attack” on Blowfish and triple DES encryption. They dubbed the attack “Sweet32”.

Sophos' Paul Ducklin has a handy explanation of why it matters here.

The trick to Sweet32, the Duck writes, is the attackers worked out that with a big enough traffic sample, any repeated crypto block gives them a start towards breaking the encryption – and collisions are manageably common with a 64-bit block cipher like Blowfish or Triple-DES.

They call it a “birthday attack” because it works on a similar principle to what's known as the “birthday paradox” – the counter-intuitive statistic that with 23 random people in a room, there's a 50 per cent chance that two of them will share a birthday.

In the case of Sweet32 (the 32 being 50 per cent of the 64 bits in a cipher), the “magic number” is pretty big: the authors write that 785 GB of captured traffic will, under the right conditions, yield up the HTTP cookie hidden inside the encrypted stream and so let them read Blowfish- or Triple-DES-encrypted traffic.

That is, if you do it right – and here begins the TL;DR part.

To launch the attack, you need to:

  • Get a victim to visit a malicious site (Site A) – one that they have to log into. The victim's login sets an HTTP cookie the browser uses for future requests;
  • Pass the victim on to Site B, which generates millions of JavaScript requests to Site A, using the login cookie given to the victim;
  • Keep the connection alive long enough to store 785 GB of encrypted data blocks, and look for a collision;
  • Decrypt the login cookie.

Decryption is still the hard part: the researchers note that it's far from an instant process:

On Firefox Developer Edition 47.0a2, with a few dozen workers running in parallel, we can send up to 2,000 requests per second in a single TLS connection. In our experiment, we were lucky to detect the first collision after only 25 minutes (2^20.1 requests), and we verified that the collision revealed [the plaintext we were after] … The full attack should require 2^36.6 blocks (785 GB) to recover a two-block cookie, which should take 38 hours in our setting. Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours.

As they note, however, long-lived encrypted connections exist in at least one real-world setting: VPN sessions.

“Our attacks impact a majority of OpenVPN connections and an estimated 0.6% of HTTPS connections to popular websites. We expect that our attacks also impact a number of SSH and IPsec connections, but we do not have concrete measurements for these protocols” (emphasis added).

For users, that means switching from 64-bit ciphers to 128-bit ciphers; or if you can't get the server to switch, set up your client to force frequent re-keying.
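As an added worked example (not from the article or the researchers' paper), the birthday bound behind the numbers above, in Python: it compares the collision probability of a 64-bit block cipher with that of a 128-bit one, and turns a chosen collision budget into a re-keying threshold in bytes, the mitigation the last paragraph recommends. The 2^-20 budget is an assumption chosen for illustration; the calculator models the first collision only, not the extra traffic the researchers need for a collision to land on the cookie, so it does not reproduce the 785 GB figure.

```python
import math

def collision_probability(block_bits: int, num_blocks: int) -> float:
    """Probability that at least two of num_blocks ciphertext blocks of an
    n-bit block cipher coincide, using the birthday approximation
    p ~= 1 - exp(-m(m-1) / 2^(n+1)) for m blocks drawn from 2^n values."""
    space = 2.0 ** block_bits
    return -math.expm1(-(num_blocks * (num_blocks - 1.0)) / (2.0 * space))

def blocks_for_probability(block_bits: int, p: float) -> float:
    """Number of blocks m after which a collision has probability p
    (inverse of the approximation above, taking m(m-1) ~= m^2)."""
    return math.sqrt(-2.0 * (2.0 ** block_bits) * math.log1p(-p))

def bytes_before_rekey(block_bits: int, max_p: float) -> float:
    """Bytes one key may encrypt before the collision probability passes
    max_p: the re-keying threshold a cautious client would enforce."""
    return blocks_for_probability(block_bits, max_p) * (block_bits // 8)

def summary(block_bits: int) -> dict:
    """Key figures for one block size: the 50% collision point in blocks
    (log2) and gigabytes, and the probability after 2^32 blocks."""
    half = blocks_for_probability(block_bits, 0.5)
    return {
        "bits": block_bits,
        "blocks_log2_at_50pct": math.log2(half),
        "gigabytes_at_50pct": half * (block_bits // 8) / 1e9,
        "p_after_2^32_blocks": collision_probability(block_bits, 2 ** 32),
    }

if __name__ == "__main__":
    for bits in (64, 128):  # Blowfish / Triple-DES versus a 128-bit block cipher
        s = summary(bits)
        print(f"{s['bits']:>3}-bit blocks: 50% collision after 2^"
              f"{s['blocks_log2_at_50pct']:.1f} blocks "
              f"({s['gigabytes_at_50pct']:.3g} GB); "
              f"p after 2^32 blocks = {s['p_after_2^32_blocks']:.2e}")
    # Assumed budget for illustration: keep collision probability below 2^-20 per key.
    print(f"64-bit cipher, p <= 2^-20: re-key after about "
          f"{bytes_before_rekey(64, 2 ** -20) / 1e6:.0f} MB")
```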

Browser makers, TLS library authors and OpenVPN have been notified and are working on patches. ®
