There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: Deprecated and disabled everywhere.
Dubbed Sweet32, researchers were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials to be able to access victim accounts, said the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.
The researchers found that if the attackers send at least 232 queries and capture all the requests, they will eventually see a collision and be able to recover the contents of the cookie.
"An important requirement for the attack is to send a large number of requests in the same TLS connection. Therefore, we need to find client and servers that not only negotiate the use of Triple-DES, but also exchange a large number of HTTP request in the same TLS connection (without rekeying). This is possible using a persistent HTTP connection, as defined in HTTP/1.1 (Keep-Alive). On the client side, all browsers that we tested (Firefox, Chrome, Opera) will reuse a TLS connection as long as the server keeps it open," the researchers said.
Blowfish and 3DES are still supported in TLS, IPsec, SSH, and other protocols and well-known sites such as Nasdaq.com and Walmart.com still support these legacy ciphers. The majority of OpenVPN connections and between 1 percent and 2 percent of the Internet's traffic may be susceptible to Sweet32, the researchers estimated. The implementation used in OpenSSL is also affected, although the OpenSSL maintainers claimed the attack did not expose a critical weakness.
OpenVPN 2.3.12 comes with a warning about Blowfish weaknesses and secure configuration advice for dealing with Sweet32. OpenSSL 1.0.2 and 1.0.1 will move 3DES from the "HIGH" keyword to "MEDIUM" keyword and support it by default, the newer OpenSSL 1.1.0 will no longer compile the cipher as part of the default build. Administrators wanting to use the legacy cipher in OpenSSL 1.1.0 will need to use the ‘enable-weak-ssl-ciphers' configuration option, and even then, the cipher is allowed only in the ‘MEDIUM' keyword. Major browsers makers are making changes which would prioritize more secure ciphers over 3DES.
The techniques and principles used to craft the attack are well-understood in cryptographic circles. The researchers reduced the complexity and time needed to execute the attack.
"While the principles behind this attack are well known, there's always a difference between attacks in principle and attacks in practice. What this paper shows is that we really need to start paying attention to the practice," wrote Matthew Green, cryptography expert and professor at Johns Hopkins University.
Enterprises and developers should treat 3DES and Blowfish in the same way they treat RC4: stop using it. The complexity of Sweet32 is comparable to recently developed attacks against RC4, the researchers said. Researchers developing more ways to attack RC4 sped up its deprecation. Major web browsers no longer support RC4, and major websites such as Gmail have also entirely deprecated the cipher.
Developers should stop using legacy 64-bit block-ciphers altogether. In the case of Sweet32, that means disabling the Triple DES symmetric key cipher in TLS and retiring Blowfish in OpenVPN. Ciphers with larger block sizes, such as AES, are immune from Sweet32. Server administrators can also disable shorter ciphers entirely. This would affect a small number of users who are still relying on older hardware and software.
There is no need to wait till the attackers are easy and cheap to execute to get rid of weak and vulnerable cryptographic ciphers. Just as there is a concerted effort to ditch RC4, other 64-bit ciphers also need to go.