SWEET32 attack: Researchers have discovered a new way to crack the 3DES and Blowfish ciphers

Information security researchers Karthikeyan Bhargavan and Gaëtan Leuren developed an attack on the 3DES and Blowfish ciphers. For example, it can be used to authenticate cookies from encrypted 3DES HTTPS traffic, as well as recover user names and passwords from Blowfish-encrypted traffic transmitted via VPN.

The attack, called SWEET32, is dedicated to a separate website , the researchers plan to present its details and a demo video at the ACM Conference on Computer and Communications Security, which will be held next month in Austria. We have collected the currently known information in our material.
')

What is the problem

Cryptographic protocols like TLS, SSH, IPsec and OpenVPN use block encryption algorithms (AES, Triple-DES, Blowfish). Thus, the data transmitted between the client and the server is encrypted. The data is divided into blocks of fixed length, each of which is encrypted separately. Older ciphers like Triple-DES and Blowfish use a block size of 64 bits, and AES uses a block size of 128 bits.

The short block length makes the cipher vulnerable to " birthday attacks ". Researchers claim that such attacks are found for 64-bit ciphers of the TLS and OpenVPN protocols. Such encryption algorithms are used by a huge amount of resources on the Internet.

SWEET32 is a collision search attack in block-coupling mode using CBC feedback. For example, an attacker who can monitor long-existing Triple-DES HTTPS connections between the browser and the site has the ability to restore HTTP cookies — you will need to save 785 gigabytes of traffic.


Interception of secure traffic

In practice, this allows decrypting HTTPS connections - provided that the authentication token is transmitted in each request. Due to the fact that it is possible to predict the contents of the message headers (or the possibility of their control), an attacker can generate a large number of requests with some predictive data in the answers and, as a result, try to decrypt the necessary sessions and find out the token.

During the PoC attack, the researchers managed to do it in less than two days using a special JavaScript code to generate traffic.

In terms of computational complexity, the SWEET32 attack is comparable to the recent attacks on the RC4 cipher. In addition, the researchers were able to carry out similar attacks on VPN-sessions using 64-bit ciphers - for example, in practice this situation can occur in the case of the use of OpenVPN, which is configured to use Blowfish.

How serious is all

An important requirement for an attack is the need to send a large number of requests using the same TLS connection - this is a serious deterrent to the practical implementation of such attacks. Thus, an attacker must find a client and server that not only communicate, for example, using Triple-DES, but also exchange a large number of HTTP requests within a single TLS connection without releasing new keys.

This situation is possible - it all depends on the server, since all the tested browsers (Firefox, Chrome, Opera) use the TLS connection as long as the server keeps it open. In turn, many HTTP servers close a TLS connection when a certain limit of transmitted traffic is reached, even if it remains active. For example, Apache and Nginx limit the number of requests that can be sent within a single connection, the number 100. But, for example, IIS does not have such limits when using the standard settings.

As a result, the total number of servers that accept a large number of requests over a single connection remains large, the researchers write. The researchers scanned the web servers from the Alexa directory - the cipherscan tool was used for this. It turned out that 86% supporting TLS include Triple-DES as one of the used ciphers.

11483 different HTTPS severs were identified, 226 (1.9%) of which are communicating with clients using Triple-DES. 72 of these servers (0.6% of the total) kept the connection open for at least 800 thousand requests. This means that the duration of the test attack does not indicate its unrealizability - about 0.6% of HTTPS connections on the Internet are vulnerable to it.

Poc attack

Below is the SWEET32 attack code. For its implementation, web workers generating XmlHttpRequests are used.

Content of attack.html file:

<html> <body> <script> var W = new Array; for (var i=0; i<8; i++) { var x = new Worker("worker.js"); W.push(x); } </script> </body> </html> 

Worker.js file:

 var url = "https://10.0.0.1/index.html"; var xhr = new XMLHttpRequest; // Expand URL to ~4kB using a query string // Alternatively, force a large cookie url += "?"; var x = 10000000; for (var i=0; i<=500; i++) { url += x++; } while(true) { xhr.open("HEAD", url, false); xhr.withCredentials = true; xhr.send(); xhr.abort(); } 

During the experiment, the "capture" of encrypted packets was performed using tcpdump, and a C ++ program using libpcap was used to extract the ciphertext blocks.

In cases of attacks on HTTPS and VPN, each request is sent in a separate encrypted entry containing plain text in a fixed position. This allows an attacker to know which ciphertext block a ciphertext block belongs to (and, for example, assign a cookie appropriately before the blocking limit). After saving the required amount of traffic, the C ++ program sorts the ciphertext blocks to detect collisions. It took about four hours for the decryption of the saved traffic from the researchers.

How to protect

The researchers recommend not using the 64-bit “legacy-cipher” block encryption. If for some reason this is not possible, then the probability of its success can be reduced as follows:

Web servers and VPNs should be configured with a preference for 128-bit ciphers. According to researchers, about 1.1% percent of the 100,000 most popular Alexa sites and 0.5% of the million most popular support AES, but prefer to use 3DES.

Web browsers should use 3DES as a “fallback-only” cipher to avoid a situation in which it is used to communicate with servers that support AES.

TLS-libraries and applications should limit the length of TLS-sessions for 64-bit ciphers. This can be done with the help of the re-connection mechanism.

OpenVPN users can change the cipher used from the “default” Blowfish to AES. If this cannot be done, then it is necessary to force the re-release of keys using the reneg-bytes 64000000 function.