Sweet32 attack allows recovery of data from HTTPS and OpenVPN traffic



Researchers from the French State Institute for Informatics and Automation Research (INRIA) have published a detailed report on new problems affecting the 64-bit ciphers Triple DES (3DES) and Blowfish. The researchers named the exploitation of these problems the "Sweet32" attack. The method allows an attacker in a man-in-the-middle position to recover small portions of protected TLS (HTTPS) traffic, for example cookies that are used for authentication.

More recently, various companies and browser makers stopped using the RC4 stream cipher, which had been broken. It now seems that the same fate may await 3DES (used with TLS/SSL to encrypt HTTPS traffic) and Blowfish (used mainly by VPN solutions).

The researchers write that Sweet32 is a classic collision attack of a kind that has been known for several decades. In the context of 64-bit ciphers, however, such attacks had only ever been discussed in theory, although they had already been applied in practice against weaker ciphers. The INRIA group has developed a practical collision attack against 64-bit ciphers, tested it in the laboratory, and then described it in the report.

Carrying out the attack in practice requires several conditions. First, the attacker must be able to listen to the traffic exchanged between the victim and the server, which means a MitM position has to be established in advance. Second, the server must use 3DES or Blowfish in CBC (Cipher Block Chaining) mode. Third, the server must support long-lived TLS sessions and allow a large number of requests to be sent over them.

As a result, the researchers concluded that only 1-2% of traffic is vulnerable to Sweet32. The figure is deceptively small: it refers to all global traffic, so the danger of Sweet32 should not be underestimated.

To better evaluate the scale of the problem, the researchers tested the top 10,000 sites in the Alexa ranking. They found 11,483 different HTTPS servers, of which only 226 (1.9%) used 3DES, and only 72 (0.6%) could keep a connection open long enough to allow more than 800 million requests.

If all the conditions are met and a suitable vulnerable server is found, malicious JavaScript has to be run on the client side to flood the server with the huge number of requests the attack needs. The script can be delivered, for example, through malicious advertising or malware. Each request the JavaScript triggers is accompanied, as usual, by the HTTP cookies that HTTPS connections often use for client authentication. If the requests are sent for long enough (the researchers say 30-38 hours and 785 GB of traffic for 3DES), sooner or later a collision can be "caught" that makes it possible to extract the cookie. The situation with VPNs and Blowfish is much the same: the attack on OpenVPN required 18 hours and 705 GB of data to recover a 16-bit authentication token.
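Why block size decides how much data such a collision attack needs, as an added example that is not code from the INRIA report or the original post: it CBC-encrypts constructed random data with a toy 16-bit Feistel cipher so collisions appear within a few thousand blocks, checks what each collision reveals, and compares the birthday bound for 64-bit and 128-bit blocks. The cipher, key, and all function names are assumptions made for the illustration.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy block size so collisions appear quickly; 3DES/Blowfish use 64

def toy_encrypt_block(key: bytes, block: int) -> int:
    """4-round Feistel permutation on 16-bit blocks (stand-in cipher, assumption)."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def cbc_encrypt(key: bytes, iv: int, blocks: list) -> list:
    """CBC: c_i = E(p_i XOR c_{i-1}) with c_0 = IV. Returns [IV, c_1, ..., c_n]."""
    out = [iv]
    for p in blocks:
        out.append(toy_encrypt_block(key, p ^ out[-1]))
    return out

def find_collisions(ct: list) -> list:
    """Index pairs (i, j), i < j, of equal ciphertext blocks (IV excluded)."""
    first_seen, pairs = {}, []
    for idx in range(1, len(ct)):
        if ct[idx] in first_seen:
            pairs.append((first_seen[ct[idx]], idx))
        else:
            first_seen[ct[idx]] = idx
    return pairs

def birthday_bytes(block_bits: int) -> int:
    """Birthday bound as a data volume: 2^(n/2) blocks of n/8 bytes each."""
    return 2 ** (block_bits // 2) * (block_bits // 8)

def demo(n_blocks: int = 2000, seed: int = 1):
    rng = random.Random(seed)
    key = b"constructed-demo-key"  # constructed sample key
    plain = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]  # constructed data
    ct = cbc_encrypt(key, rng.randrange(1 << BLOCK_BITS), plain)
    pairs = find_collisions(ct)
    # c_i == c_j implies p_i XOR p_j == c_{i-1} XOR c_{j-1}: visible without the key.
    leak_ok = all(plain[i - 1] ^ plain[j - 1] == ct[i - 1] ^ ct[j - 1] for i, j in pairs)
    return len(pairs), leak_ok

if __name__ == "__main__":
    print("toy collisions, XOR relation holds:", demo())
    for bits in (64, 128):
        print(f"{bits}-bit block: ~{birthday_bytes(bits) / 2**30:.3g} GiB at the birthday bound")
```

For a 64-bit block the bound is 32 GiB of data under one key, while a 128-bit block pushes it to 2^68 bytes, which is why moving to a cipher with a larger block removes the problem.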

As with RC4, the researchers recommend that companies and developers abandon the insecure ciphers. The OpenSSL Project has already announced that 3DES support will be removed from the OpenSSL 1.1.0 build that is being prepared for release. OpenVPN 2.3.12 will include a warning that Blowfish is unreliable. The OpenSSL 1.0.2 and 1.0.1 code branches have also been updated: 3DES remains there but has been "demoted", moved from the high group to the medium group.

The INRIA researchers' report is available here (PDF). The team is going to present this research at the ACM CCS conference, to be held in October 2016 in Austria.

ultratech