Sweet32 is the name of an attack released by a pair of researchers at the French National Research Institute for Computer Science (INRIA). The research findings were assigned CVE-2016-2183 and CVE-2016-6329. The attack takes advantage of a design weakness in some ciphers, namely their short 64-bit block length. These ciphers are used in common protocols such as TLS, SSH, IPsec, and OpenVPN. While the vulnerability at the core of the research has long been known to cryptographers, the demonstrated feasibility of such attacks puts new emphasis on the need for software developers and product vendors to phase out deprecated ciphers in their products. The Sweet32 attack allows an attacker to recover small portions of plaintext encrypted with 64-bit block ciphers (such as Triple-DES and Blowfish), under certain (limited) circumstances.

Block ciphers are a type of symmetric algorithm that encrypts plaintext in blocks, as the name implies, rather than bit-by-bit. One of the defining characteristics of such ciphers is the block length; this determines the size of the chunks into which the plaintext is split and then encrypted. Importantly, the block length of the cipher is independent of the length of the key. So even if you choose a large key size for your encryption, the block length of the cipher can impose its own limitations, and in this case, vulnerabilities.

The researchers demonstrated that an attacker with the ability to monitor a victim’s traffic and execute JavaScript in the victim’s browser can successfully recover HTTP session cookies sent over a TLS-encrypted or OpenVPN-encrypted channel in one to two days’ time. This is possible because block ciphers in certain modes (CBC, CTR, GCM, OCB, etc.) can only encrypt a limited number of plaintext blocks under one key before they are likely to produce a collision, that is, two identical ciphertext blocks. For 64-bit block ciphers, this limit is around 32 GB of data. Using JavaScript to send a high-speed data stream from the victim’s browser to a vulnerable server, the researchers were able to generate enough data to produce collisions, which allowed them to recover the HTTP session cookies. Check out the Sweet32 website for more details on the attack.

Who is affected?

As the researchers point out, the vulnerable ciphers (Triple-DES and Blowfish) are used in common Internet protocols. Particularly worrisome is the fact that OpenVPN uses Blowfish as the default symmetric cipher, meaning a large number of VPN users are potentially vulnerable to this attack. Additionally, while nearly all HTTPS web servers support Triple-DES-based ciphersuites, most will preferentially choose a stronger ciphersuite when initiating sessions with modern browsers. The researchers found that 1–2% of all HTTPS web servers use Triple-DES, and even fewer (0.6%) are configured such that they are vulnerable to this attack. This is admittedly a very small portion of web servers, but some high-profile sites do remain vulnerable:

Sample list of vulnerable sites from https://sweet32.info

Should I be worried?

Fortunately, successfully carrying out the TLS variant of the Sweet32 attack requires a very particular set of capabilities on the part of the attacker. First, the attacker must be able to execute JavaScript in the victim’s browser. This is so that the attacker can generate data to be sent to the server. The most likely means to do this is by luring the victim to a malicious website controlled by the attacker.

Second, the attacker needs to keep the victim on the page hosting the malicious JavaScript for one to two days, in order to generate enough ciphertext blocks to find a collision. Remember, the use of a 64-bit block cipher is likely to produce a collision after 32 GB of data, but for a practical attack the researchers found that up to 785 GB of data is required.

Finally, the attacker needs to be in a privileged network position such that they are able to monitor the victim’s encrypted traffic to the web server. This could be accomplished if the attacker has control over a router or switch on the user’s local area network (LAN), if the victim is on an insecure WiFi access point, or if the attacker is in control of Internet infrastructure (a so-called global adversary).

Given this list of requirements, combined with the fact that only an estimated 0.6% of HTTPS web servers are vulnerable, this attack remains unlikely to affect most casual Internet users.

What should I do?

For the most part, regular users don’t need to make any changes to their normal habits or software. The only exception to this is OpenVPN users, who can mitigate the attack by configuring more frequent rekeying (using the reneg-bytes configuration directive), or if they control the VPN server configuration, changing the default cipher from Blowfish to something more secure like AES-128-CBC. Software vendors have been notified of the vulnerability and are working on creating and pushing out patches.
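As an added example (not from the original post or the OpenVPN project), the script below audits an OpenVPN config for the two mitigations just described: it flags a missing or 64-bit-block `cipher` directive and a missing or overly large `reneg-bytes` setting. The two config fragments are constructed, the hostname is a placeholder, and the 64 MB rekey threshold is an assumed audit limit, not a value stated on this page.

```python
# Constructed OpenVPN client config fragments: the first relies on the
# historical BF-CBC default and never rekeys on volume; the second applies
# the mitigations described above.
WEAK_CONFIG = """
client
dev tun
remote vpn.example.invalid 1194   # placeholder hostname
# no "cipher" directive: OpenVPN falls back to BF-CBC (64-bit block)
"""

FIXED_CONFIG = """
client
dev tun
remote vpn.example.invalid 1194
cipher AES-128-CBC      ; 128-bit block cipher
reneg-bytes 64000000    ; rekey after 64 MB, far below the 32 GiB birthday bound
"""

# Ciphers with a 64-bit block, the class Sweet32 targets (OpenSSL names as
# printed by "openvpn --show-ciphers").
WEAK_64BIT_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def parse_openvpn_config(text):
    """Map each directive to its arguments (last occurrence wins), dropping
    '#' and ';' comments and blank lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_sweet32(text, max_reneg_bytes=64_000_000):
    """Return human-readable findings; an empty list means no Sweet32 exposure."""
    d = parse_openvpn_config(text)
    findings = []
    cipher = d["cipher"][0].upper() if d.get("cipher") else "BF-CBC"  # unset => default
    if cipher in WEAK_64BIT_CIPHERS:
        findings.append(f"cipher {cipher} uses 64-bit blocks; switch to AES-128-CBC or stronger")
        reneg = int(d["reneg-bytes"][0]) if d.get("reneg-bytes") else 0  # 0 disables rekeying
        if reneg == 0:
            findings.append("no volume-based rekeying; set reneg-bytes to force a fresh key")
        elif reneg > max_reneg_bytes:
            findings.append(f"reneg-bytes {reneg} is above the assumed {max_reneg_bytes} limit")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_sweet32(cfg) or ["ok"])
```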

Server administrators will want to check the configuration of their web and VPN servers to disable weak and deprecated ciphersuites such as Triple-DES and Blowfish. Services exist for evaluating your servers’ TLS configurations [1], and TLS configuration best practice guides can be found for common servers such as Apache, Nginx, and IIS [2][3].

[1] https://www.ssllabs.com/ssltest/

[2] https://cipherli.st/

[3] https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Resources:

https://sweet32.info/

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

http://blog.cryptographyengineering.com/2016/08/attack-of-week-64-bit-ciphers-in-tls.html

https://access.redhat.com/articles/2548661

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet