The SWEET32 attack is a cybersecurity vulnerability that exploits block cipher collisions. Attackers can exploit the use of 64-bit block ciphers to compromise HTTPS connections.
While block ciphers like Triple-DES and Blowfish have been widely used for encryption in popular security protocols, the probability of a successful SWEET32 attack is rather low because several other conditions must also be met.
Below is a review of what the SWEET32 attack constitutes and how related security issues can be prevented.
What Is the SWEET32 Attack?
The SWEET32 attack is based on a security weakness in the block ciphers used in cryptographic protocols. It’s similar to the RC4 attacks in terms of computational complexity.
At the same time, block ciphers are used on many occasions. OpenVPN uses Blowfish as its default cipher. Almost all HTTPS web servers support the Triple-DES algorithm.
How Does It Work?
Protocols like TLS, SSH, and OpenVPN often use block cipher algorithms for encrypting the data that travels between web servers and clients. The most common algorithms include Triple-DES, Blowfish, and AES. Instead of being encrypted bit by bit, the plaintext is split into chunks of a fixed length, called blocks. The blocks are then encrypted in a specific mode of operation.
The block length of a cipher is independent of its key length. The algorithm sets the block size, so even if you opt for a large key size, security may still be limited by the cipher's block size.
In the Triple-DES and Blowfish algorithms, the block size is 64 bits, while for AES it is 128 bits. The shorter the block size, the more vulnerable the cipher is to a birthday attack, a type of attack based on the birthday problem in probability theory. This makes 128-bit ciphers like AES more secure.
Short block sizes make it likely that the same ciphertext block is produced for multiple inputs. By observing the data exchanged between a web server and a client over a long period, remote attackers can recover secure HTTP cookies.
In a nutshell, the security of a block cipher is usually measured by its key size (k): an exhaustive key search, which would reveal the protected data, has a complexity of 2^k. For CBC (as in 3DES-CBC cipher suites) and similar modes of encryption (CTR, GCM, OCB, and others), the block size (n) is also a security factor when large volumes of data are encrypted. Such modes can safely encrypt only a limited number of blocks under one key: after about 2^(n/2) blocks, a collision between two ciphertext blocks in the output becomes likely. In CBC mode, two identical ciphertext blocks mean the cipher received the same input, and because that input is the plaintext block XORed with the previous ciphertext block, the collision reveals the XOR of two plaintext blocks. This can make it possible to obtain the plaintext blocks of the secure data.
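The following added example (not code from the original page) works through the 2^(n/2) bound: it estimates the collision probability for 64-bit and 128-bit blocks after 32 GiB of data, then shows on a toy cipher that a CBC ciphertext collision exposes the XOR of two plaintext blocks. The 16-bit toy cipher, the key value and all function names are assumptions made for the illustration.

```python
import math
import random

def collision_probability(block_bits, data_bytes):
    """Birthday approximation 1 - exp(-q^2 / 2^(n+1)) for q blocks of n bits."""
    q = data_bytes / (block_bits // 8)
    return -math.expm1(-(q * q) / 2.0 ** (block_bits + 1))

TOY_BITS = 16  # toy block size (assumption) so 2^(n/2) is only 256 blocks

def toy_cipher(key):
    """Keyed random permutation of all 16-bit blocks; stands in for 3DES/Blowfish."""
    table = list(range(1 << TOY_BITS))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(perm, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = perm[p ^ prev]  # c_i = E(p_i XOR c_{i-1})
        out.append(prev)
    return out

def first_collision(iv, ct):
    """Return (j, i, p_j XOR p_i) for the first repeated ciphertext block."""
    chain = [iv] + ct  # chain[i] is the block XORed into plaintext i
    seen = {}
    for i, c in enumerate(ct):
        if c in seen:
            j = seen[c]
            return j, i, chain[j] ^ chain[i]
        seen[c] = i
    return None

def demo(n_blocks=4000, seed=1):
    """Encrypt random blocks; check that the collision leaks the plaintext XOR."""
    rng = random.Random(seed)
    perm = toy_cipher(key=0xC0FFEE)  # constructed key
    iv = rng.randrange(1 << TOY_BITS)
    pt = [rng.randrange(1 << TOY_BITS) for _ in range(n_blocks)]
    hit = first_collision(iv, cbc_encrypt(perm, iv, pt))
    return hit is not None and hit[2] == pt[hit[0]] ^ pt[hit[1]]

if __name__ == "__main__":
    print("64-bit block, 32 GiB :", collision_probability(64, 2**35))
    print("128-bit block, 32 GiB:", collision_probability(128, 2**35))
    print("collision leaked p_j XOR p_i:", demo())
```

With n = 64, 2^(n/2) blocks of 8 bytes is 32 GiB, which is why rekeying well before that volume removes the exposure.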
Discovery of the Vulnerability
Karthikeyan Bhargavan and Gaëtan Leurent, researchers at INRIA, the French national research institute for computer science, discovered the vulnerability in 2016. Their trials showed that an HTTP session cookie could be recovered in under two days using the long observation method.
The assigned CVE identifiers are CVE-2016-2183 for DES and Triple-DES ciphers and CVE-2016-6329 for the Blowfish cipher vulnerability in CBC mode.
Cryptographers had previously known about this potential vulnerability, but the extent and speed with which it can be exploited were revealed only by the INRIA researchers.
SWEET32 Vulnerability Impact
OpenVPN was using the Blowfish algorithm, which made most VPN users vulnerable to the SWEET32 attack.
The Triple-DES ciphers were quite popular with HTTPS web servers. However, these servers would still have a cipher preference for stronger encryption for sessions with modern browsers. The INRIA researchers discovered that only 1-2% of HTTPS web servers rely on a weak cipher like Triple-DES. Of them, only 0.6% have the wrong configuration, which puts them at risk of SWEET32 attacks. Most servers are configured to give preference to stronger cipher suites. This makes the Triple-DES vulnerability not that common.
Still, some high-profile websites that accept a minimum of one million requests in the same connection — such as eBay, NASDAQ, Walmart, Amadeus, banking websites, and more — were at risk when the SWEET32 attack vulnerability was discovered.
When the SWEET32 vulnerability was discovered and publicly announced by security experts, major web browsers, OpenSSL, and OpenVPN had to take measures to address the security risk. This put pressure on software vendors and developers to replace vulnerable versions and introduce strong ciphers.
As a whole, no specific action was recommended for regular users. OpenVPN users could change their settings to rekey more frequently through the reneg-bytes configuration directive.
SSL SWEET32 Security Assessment
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
How to Prevent SSL SWEET32 Attack
To prevent SWEET32 attacks, you must ensure your systems use only strong ciphers with large block sizes. A modern block cipher with a 128-bit block, such as AES, can encrypt far more blocks under one key before a collision becomes likely.
You can refer to Secure TLS Configuration for more information on configuring good cipher suites and minimizing the chance of block cipher collisions.
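One way to check a server's cipher configuration for this weakness, as an added example that is not part of the original page: the script parses text in the layout printed by `openssl ciphers -v`, flags suites whose cipher has a 64-bit block regardless of key size, and reports any that are preferred over a stronger suite. The sample list is constructed, and the set of 64-bit cipher names and the function names are assumptions.

```python
import re

# Enc= names printed by `openssl ciphers -v` for ciphers with a 64-bit block
# (assumption: this set covers the 64-bit ciphers OpenSSL has offered for TLS).
SIXTY_FOUR_BIT = {"3DES", "DES", "IDEA", "RC2"}
ENC_FIELD = re.compile(r"\bEnc=([A-Za-z0-9/]+)(?:\((\d+)\))?")

# Constructed sample in the `openssl ciphers -v` layout, in preference order.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
"""

def parse_suites(text):
    """Return (suite, cipher, key_bits, has_64_bit_block) per suite row, in order."""
    rows = []
    for line in text.splitlines():
        match = ENC_FIELD.search(line)
        if not match:
            continue  # blank line or anything that is not a suite row
        cipher = match.group(1).upper()
        key_bits = int(match.group(2)) if match.group(2) else 0
        rows.append((line.split()[0], cipher, key_bits, cipher in SIXTY_FOUR_BIT))
    return rows

def audit(text):
    """Return (64-bit suites with position, those preferred over a stronger suite)."""
    rows = parse_suites(text)
    weak = [(pos, name, cipher, bits)
            for pos, (name, cipher, bits, is64) in enumerate(rows, 1) if is64]
    # Position of the lowest-ranked suite that does not use a 64-bit block.
    last_strong = max((pos for pos, row in enumerate(rows, 1) if not row[3]),
                      default=0)
    misordered = [name for pos, name, _, _ in weak if pos < last_strong]
    return weak, misordered

if __name__ == "__main__":
    weak, misordered = audit(SAMPLE)
    for pos, name, cipher, bits in weak:
        print(f"#{pos} {name}: {cipher}, {bits}-bit key, 64-bit block")
    print("preferred over a stronger suite:", misordered)
```

Feed `audit` the output of `openssl ciphers -v` for the cipher string your server is configured with; an empty first list means no 64-bit block cipher is offered.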