Slashdot Mirror


New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com)

Researchers "have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft," reports Digital Trends. Slashdot reader msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction. The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks. The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.

53 comments

  1. What? No 64 bit? by Anonymous Coward · · Score: 1

    Wake me up when SWEET64 is available.

    1. Re: What? No 64 bit? by Anonymous Coward · · Score: 0

      They had to upgrade from the SWEET16 honeypot attack where-- "Why don't you have a seat right there." Oh, good you brought stuff too.

    2. Re: What? No 64 bit? by Anonymous Coward · · Score: 0

      It is, but you have to load it from tape.

  2. AES by Anonymous Coward · · Score: 0

    Use this.

    This is one of only two ciphers that are public that haven't been breached. Also, it wasn't invented by NSA, whose mandate is to backdoor and weaken US crypto at all costs. The authors of AES are Belgian. The NSA protested the adoption of AES as a US standard vehemently.

    Make up your own mind.

    1. Re:AES by bmo · · Score: 1

      AES is symmetrically keyed.

      How do you propose the key be sent out-of-band for web browsers?

      --
      BMO

    2. Re:AES by Anonymous Coward · · Score: 0

      It doesn't actually matter worth a fuck. Each of them is fine, this story is concocted by the US Government.

      They want to force everybody to re-do their passwords and change to "NEW AND SECURE" encryption, which is the bait. This story is the latter. Other stories here on FBI Slashdot are the former.

      The odds of being hacked by anybody other than US state sponsored by capturing session cookies are 0%.

      You should have javascript disabled anyway with NoScript (or similar). Cookies are also useless (disable them) unless it is a financial transaction or to log into an account like store or gaming, then you disable it again. If Ubisoft or Steam or similar are compromised you will just not use that site any more.

      You do not need to do everything in a web browser, any updates to browsers of late are suspect. They are already fine. Adding some neat feature that connects your iPad to Chrome or something similarly goofy is ridiculous.

      Use Firefox, and no Firefox later than 45.0. 44.0.2 is even better. See this comment:
      https://tech.slashdot.org/comments.pl?sid=9579917&cid=52781677

    3. Re:AES by Barefoot+Monkey · · Score: 1

      Wait... are you saying that AES can't be used in place of 3DES and Blowfish because it's a symmetric-key algorithm, or am I misunderstanding you? Because 3DES and Blowfish are also symmetric-key ciphers.

    4. Re:AES by Anonymous Coward · · Score: 1

      You sound a little alarmist. Specifically, I have no faith that browsers are inherently secure, given the unending series of flaws against them, so I find the idea that browsers must be updated to be pretty compelling. That being said, what do you think of Pale Moon? And do any of the chromium forks strike you as secure? Those strip out most of the botnet behavior of Chrome and Chromium.

      I find the claims that open source is deliberately compromised to be not-very-compelling. My reasoning is thus: A systematic effort to compromise open source might be discovered, or it might be leaked, and either of those things would be really big and devastating news.

      That being said, with recent leaks, we've seen a carnival of long unpatched zero days. I think you are overly paranoid, but a few years ago I would have thought you were totally nuts, and time would not have been kind to my position from then.

    5. Re:AES by AchilleTalon · · Score: 2

      You are full of shit, NSA has adopted AES in its Suite B and recommends it for top secret communications with the government since 2005. It upgraded the recommendation recently for top secret communications, making a key size larger than or equal to 384 mandatory.

      --
      Achille Talon
      Hop!
    6. Re:AES by Anonymous Coward · · Score: 1

      If Ubisoft or Steam or similar are compromised you will just not use that site any more.

      The whole point is to protect yourself from compromised sites, when you don't know they're compromised. If nobody went to compromised sites anyway, security wouldn't be the big deal it has to be today. These announcements are not being made to protect "l33t gamer in mom's basement", they are being made to discuss with software vendors of web clients and servers how to make *mom* safer. And grandma. And all the other people you won't talk to because they're just so stupid.

    7. Re:AES by jonwil · · Score: 1

      The point is not to replace everything with AES but to use AES instead of weak ciphers like 3DES and RC4.

    8. Re:AES by bmo · · Score: 1

      I thought the whole point of asymmetric keys is that you can send the "encode" key in band and keep the secret "decode" key yourself.

      If you're exchanging symmetric keys over IP wouldn't someone in the middle be able to sniff it out?

      >if 3DES and Blowfish are symmetric, and they are used over the Internet, someone must have figured out how to exchange the key that I don't know about.

      >off to quick research
      >find out about diffie-hellman key exchange of symmetric keys

      I know far too little about cryptography but this sent me in a good direction.

      Thanks.

      --
      BMO

    9. Re:AES by jrumney · · Score: 1

      How do you propose the key be sent out-of-band for web browsers?

      The same way that 3DES and Blowfish keys are sent currently.

    10. Re:AES by jrumney · · Score: 1

      I thought the whole point of asymmetric keys is that you can send the "encode" key in band and keep the secret "decode" key yourself.

      Yes, but asymmetric encryption is slow, because you need about 5 - 10 times the key size to get the same level of security, and the algorithms are more complex. So in practice you only use it to encrypt a symmetric key, which you will use for the rest of the session.

    11. Re:AES by lsatenstein · · Score: 1

      I do not shop online with an unlimited credit card. I put money into the card account in order to make that purchase. I also live about 1/2 kilometer (just under a half mile) to a local bank branch, in which I withdraw my weekly need of cash.

      There is a negative aspect to my way of doing things. I have no credit history to speak of, except for my bank which knows me. I was able to get a very low cost mortgage, when I needed it, but it took some work to get the credit rating companies to do their work and look at my non-indebtedness. Watch out for the errors that these parasite companies make, and boy, do they make many. They can ruin your reputation and your credit worthiness with a simple error such as mistaking someone else for you.


      --
      Leslie Satenstein Montreal Quebec Canada
  3. FBI HORSE SHIT AGAIN === SOCIAL ENGINEERING by Anonymous Coward · · Score: 0

    They want to link all of your accounts. Only a state sponsored group would do all of this bullshit to any given person or company or entity.

    to wit: US Government

    3DES and Blowfish are fine.

    >By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.

    Use Firefox less than or equal to 45.0 only. Disable all Javascript with the NoScript add-on. In the settings of NoScript remove all default permissions (google, twitter, etc) from the XSS menu and in the ABE menu uncheck all boxes.

    https://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./

    ^Use those if you are on any version of 64 bit Windows. Firefox 44.0.2 is your best bet right now. 45.0 removed time spoofing ability. Simply extract to anywhere you want to store the folder and create a shortcut to the executable. Don't update it, so disable all automatic updates. To associate and make as default browser use the stupid ass Windows file association wizard.

    https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

    ^ perform all steps. Import your bookmarks from other browsers etc.

    Also you should install Adblock Plus. Import this custom rule set in addition to your Easylist or whichever ones you choose.
    http://pasted.co/6aeed3e0

    ^ simply save as a .txt file and import under Custom filters. It is additional and self explanatory. You can disable/enable on the fly whenever you need google and facebook to track you etc. You *will* need to toggle the dialog box to Custom to import, it is easily overlooked.

    Any huge changes of encryption or protocol right now are all social engineering. The US Gov also tried to push for a change to TCP/IP recently.

    two words: Fuck. You.

    (you should also always keep your PC clock set to fucked up at home unless you need accurate for outgoing email timestamps. Send your email and mess it back up to WAY OFF. It hoses US Government default tracking which is time logging.)

    1. Re:FBI HORSE SHIT AGAIN === SOCIAL ENGINEERING by Anonymous Coward · · Score: 0

      If you are using Linux or BSD you already know how to do this.

      Also: Debian is FBI and so are its derivatives (like Ubuntu). Do not update any device such as NAS that is running on Debian.

      FBI killed Ian Murdock of Debian because he wouldn't cooperate.

    2. Re:FBI HORSE SHIT AGAIN === SOCIAL ENGINEERING by Anonymous Coward · · Score: 0

      ALSO, CUNTS..

      Disable cookies unless you need them on a known site.

      Like cookie decryption is supposed to be the massive hacker news yeah?

      Forget that Microsoft, Google, Facebook, Twitter, Markmonitor, Cloudflare, and others are already tracking you. Cloudflare captchas also have the ability to send you to an unintended look-a-like site. This is why you see thepiratebay.org asking for captchas on TOR.

      dor org? Like seriously yeah?

      See this FBI-Slashdot post.
      https://yro.slashdot.org/story/16/08/05/0329246/popular-bittorrent-search-engine-site-torrentzeu-mysteriously-disappears

      Ask FBI-Slashdot: Gee, where do you get YOUR torrents from friend :-) ;-) :) ?

    3. Re:FBI HORSE SHIT AGAIN === SOCIAL ENGINEERING by Anonymous Coward · · Score: 0

      Notice how comments now only show Re:

      This was FBI hide-and-seek too. Every comment should be expanded with the sliders (2x click load comments), then ctrl-F for FBI.

      Then read FBIdot.

    4. Re:FBI HORSE SHIT AGAIN === SOCIAL ENGINEERING by Anonymous Coward · · Score: 0

      FBI horse shit.... this made my day dude.

    5. Re:FBI HORSE SHIT AGAIN === SOCIAL ENGINEERING by TroII · · Score: 1

      Your suggestion to keep an incorrect clock is complete bullshit and achieves the opposite of what you claim. Most people's clocks are accurate within a few seconds of one another. If your clock is reasonably true, your timestamp gets lost in the noise among millions of other users who have the same timestamp. An accurate system clock is one less unique data point that can be used against you. If you intentionally skew your clock way off, you're much easier to track across different services because your computer is the only one claiming that timestamp.

      I don't know what your motivation is in recommending this nonsense, but frankly it sounds like the only FBI on Slashdot is you, trying to trick people into being easily tracked.

  4. "practical" if victim is stupid by sittingnut · · Score: 1

    from what i read here, this seems 'practical' only if victim is very stupid and has no common sense practical ability, committing several silly mistakes in succession, from being lured to a fake sites to having full tracking and scripting enabled for all sites etc.

    of course, with people like hillary clinton around, who fit that description, this is useful.
    too bad being stupid and incompetent seems not to stop the careers (or have any consequence) of establishment elites no matter how many times they are exposed as easy penetrations for hacking or corruption.

    1. Re:"practical" if victim is stupid by Anonymous Coward · · Score: 0

      There might be a bit of a misunderstanding here. In cryptography, 'practical' just means an attack that could be mounted in practice, as opposed to a 'merely theoretical' attack. It doesn't mean 'effective'.

    2. Re:"practical" if victim is stupid by Anonymous Coward · · Score: 0

      In this case it seems practical in both senses, if as GP says victim is a Hillary Clinton.

    3. Re:"practical" if victim is stupid by Anonymous Coward · · Score: 0

      Hillary used BleachBit to hide her email from FOIA requests. That doesn't sound nontechnical to me.

    4. Re:"practical" if victim is stupid by Anonymous Coward · · Score: 0

      Hillary (or advisors bought in later) "used BleachBit to hide her email from FOIA requests", after she got hacked by at least 2 hackers (perhaps Russians), and FBI and others started asking questions and making FOIA requests. That is incompetent stupidity trying to hide itself from law.

  5. NOTHING SWEET EXCEPT TO FBI SOCIAL ENGINEERS by Anonymous Coward · · Score: 0

    They gave it a name using psychology. What would make the world go OH SWEET I WILL INSTALL THIS?

    1. Re:NOTHING SWEET EXCEPT TO FBI SOCIAL ENGINEERS by Anonymous Coward · · Score: 0

      Exactly. Pretend nobody can count hops to 100 connections @ a.fsdn.com:443

      Pretend nobody has read comments the past several months and noticed the day Slashdot's CA authority switched to Let's Encrypt.

      Pretend nobody could relate it to the current comments at that time.

      Slashdot is FBI.

    2. Re:NOTHING SWEET EXCEPT TO FBI SOCIAL ENGINEERS by Anonymous Coward · · Score: 0

      Slashdot's CA authority switched to Let's Encrypt.

      Is there some evidence that Let's Encrypt is compromised? I switched to them too because I don't see a reason to spend $300 a year on a cert when I can get one for free.

  6. Prior art by Tablizer · · Score: 1

    attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to

    Mass disconnecting has already been invented, it's called Comcast.

  7. I sort of wonder by Sax+Russell+5449D29A · · Score: 1

    How will this affect bcrypt? Will the algo need to be redesigned?

    --
    -SR
  8. 3DES? Blowfish? by 110010001000 · · Score: 1

    What is this, 2004?

    1. Re:3DES? Blowfish? by caseih · · Score: 1

      As far as I know 128-bit blowfish is the default cipher in openvpn, which is widely used. I'm trying to determine how to harden my openvpn network and change ciphers, probably to AES I suppose.

    2. Re:3DES? Blowfish? by david_bonn · · Score: 1

      I've actually distrusted 3DES since the first Bush administration...

    3. Re:3DES? Blowfish? by AchilleTalon · · Score: 1

      More like 1993.

      --
      Achille Talon
      Hop!
    4. Re:3DES? Blowfish? by ve3oat · · Score: 1

      If I read this correctly, there is still nothing wrong with using BLOWFISH to encrypt files on your computer, etc. Just don't use it to secure a VPN. Have I missed something?

    5. Re:3DES? Blowfish? by GerbilSoft · · Score: 1

      2007 and 2012 if you're Microsoft.

  9. Better explanation here.. by Anonymous Coward · · Score: 0

    http://blog.cryptographyengine...

    Both of the links in the post are useless hot takes, otherwise.

  10. Blame those who are to blame by Anonymous Coward · · Score: 0

    this seems 'practical' only if victim is very stupid and has no common sense practical ability

    So by your described metric, all of our non-technical families and friends are very stupid and have no common sense practical ability and it's their fault. Who cares, because as techies we know better, and "We're all right Jack." Correct?

    Well no, obviously that is not correct, because the Internet is for everybody and not just for techies, and non-technical users should not be placed at risk this way for the "crime" of being non-technical. The blame for this does not lie with them, it lies with the blinkered techies who made this kind of attack possible in the first place.

    And that means the morons who added Javascript to HTML. A decade or two ago, the technically competent used to advise everyone never to download and execute untrusted 3rd party programs to their machines, because you'd get exploited in nothing flat. And then the technically competent suffered complete brain death and turned the web into a system where everybody is required to download and execute untrusted 3rd party code on their machines, different untrusted code for every page.

    It makes you want to cry for the profession, totally riddled with blindness and incompetence. The blame doesn't lie with anyone else.

    1. Re:Blame those who are to blame by sittingnut · · Score: 1

      this seems 'practical' only if victim is very stupid and has no common sense practical ability

      So by your described metric, all of our non-technical families and friends are very stupid and have no common sense practical ability and it's their fault

      no, your logic is faulty.
      one or more of common sense actions like avoiding fake sites pretending to be others, and having widely used no-tracking and no-scripting extensions would prevent this 'attack'. all that does not require technical knowledge.

      common sense competence and caution, which people like hillary clearly lacks, is all that is required.

    2. Re:Blame those who are to blame by serviscope_minor · · Score: 1

      one or more of common sense actions like avoiding fake sites pretending to be others, and having widely used no-tracking and no-scripting extensions would prevent this 'attack'. all that does not require technical knowledge.

      No, you're mistaken. Much of the web doesn't work without some amount of scripting and cookies. Now, I run those scripting and tracking blockers. However, it's quite a game to get some sites working, knowing which scripts I have to enable. That is far beyond the expertise of plenty of smart people who don't happen to be experts in computer related things.

      --
      SJW n. One who posts facts.
    3. Re:Blame those who are to blame by Anonymous Coward · · Score: 0

      one or more of common sense actions like avoiding fake sites pretending to be others, and having widely used no-tracking and no-scripting extensions would prevent this 'attack'. all that does not require technical knowledge.

      Those things you mention are far outside of the competence of those who have no technical background and just click pages without understanding how the web is implemented. Fake sites can deceive even technical experts who have never seen the original. And script blocking isn't even a concept for those who have no idea what a script is or that web pages have them.

      You clearly have no actual non-technical family and friends by which to judge. And your defense of a technical mechanism which unavoidably puts them at risk makes you part of the problem.

    4. Re:Blame those who are to blame by sittingnut · · Score: 1

      you are free to dig yourself into a hole by using faulty logic.
      it is irrational to claim that exercising basic common sense and caution requires technical know-how.

      as usage stats indicate, billions of people have what is required to use no-tracking and no-scripting extensions. same with not being lured into fake sites, and the easy-to-use whitelisting of authentic sites when needed.
      all it takes to be safe from this 'attack' is common sense and caution at any point of its requirements for success.

      as i said from first there are incompetent idiots, like hillary, who lack those. don't slander everyone else by dragging them to her level of non competence.

    5. Re:Blame those who are to blame by sittingnut · · Score: 1

      since you have made the same point as another please refer to my reply to that in sibling thread.

  11. Microsoft Windows strikes again .. by khz6955 · · Score: 1

    "The exploit, dubbed ‘Sweet32’, isn’t easy to carry out, however. It involves mining hundreds of gigabytes of data, and targeting specific users who have accessed a malicious website which saddled them with a bit of malware" ref

  12. A few obvious corrections by jd · · Score: 1

    First, DES is 56 bit (near enough 60). Triple DES as per first mode (the authorised standard) is 168 bits. The article fails to distinguish, implying the authors are just a little bit naff. 3DES seems to be quite safe, as long as not used in DES emulation mode. And who the hell emulates a mode that was broken in the 80s?

    Second, Blowfish was replaced by TwoFish, ThreeFish and Speck. Skein, an entrant to the DES3 challenge, makes use of ThreeFish.

    Third, the Wikipedia page states it has been known for a long time that weak keys are bad. This particular attack, though, is a birthday attack. You can find all the ciphers vulnerable or free that you should be using. Anything not on the list is something you are solely responsible for.

    http://csrc.nist.gov/archive/a...

    In other words, this information is about as useful as telling us that Model T Fords weren't good at cornering at highway speeds. Below are some links, I can't be buggered to HTML-ify them.

    https://en.m.wikipedia.org/wik...
    http://www.skein-hash.info/
    https://en.m.wikipedia.org/wik...
    https://en.m.wikipedia.org/wik...

    I do not trust most encryption software these days, but that's because programmers these days are sloppy and arrogant.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:A few obvious corrections by Anonymous Coward · · Score: 0

      Triple DES as per first mode (the authorised [sic] standard) is 168 bits

      No, it's not equivalent to 168 bits. You need to go read up on 3DES operations. The end result is a 112 bit strong cipher.

    2. Re:A few obvious corrections by Anonymous Coward · · Score: 0

      Please review this: Triple DES Security. Quoting from it:

      In general, Triple DES with three independent keys (keying option 1) has a key length of 168 bits (three 56-bit DES keys), but due to the meet-in-the-middle attack, the effective security it provides is only 112 bits.

      This illustrates a rather important tenet of cryptographic security analysis: one should never assume that key length directly correlates to effective algorithmic strength. Hope this helps. -PCP

    3. Re:A few obvious corrections by Anonymous Coward · · Score: 0

      > This illustrates a rather important tenet of cryptographic security analysis:
      > one should never assume that key length directly correlates to effective algorithmic strength.

      As the WW2 Germans found out the very hard way...

    4. Re:A few obvious corrections by Anonymous Coward · · Score: 1

      Those are not the bit-numbers that are relevant to Sweet32. It's not about the size of the key(s), which are: 56-bit for DES, 168-bit in theory for 3DES (but actually 112-bit effectively, due to the ancient meet-in-the-middle attacks on 3DES). The problem here is the block size of the cipher in CBC mode. All DES-variants and Blowfish use a 64-bit block size, whereas all AES variants (even AES256) use a 128-bit block size. It's the smaller 64-bit block size that subjects a symmetric cipher to a birthday attack on the order of 2^32 blocks.

      That birthday attack possibility has been a known issue among cryptographers for years. However, in the past we generally didn't consider a 2^32-scale birthday attack feasible, given the norms of TLS connection behaviors, user behaviors, connection speeds, computer speeds, etc. The news that the SWEET32 demonstration brings to the discussion is that, on the modern internet, 2^32-scale birthday attacks are now actually-feasible, if difficult.
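The 2^32-block bound described in the comment above, worked through as an added example (my code, not anything from the SWEET32 researchers, OpenSSL or OpenVPN). The cipher-to-block-size table and the 1e-6 rekey threshold are my own assumptions; the math is the standard birthday approximation for CBC ciphertext blocks.

```python
"""
Birthday-bound calculator for CBC-mode block ciphers.

Added example for this thread, not code from the SWEET32 researchers, OpenSSL
or OpenVPN. It quantifies the point made above: a 64-bit block (3DES, Blowfish)
reaches a likely ciphertext-block collision after about 2^32 blocks, while a
128-bit block (AES) needs about 2^64 blocks.
"""
import math

# Block sizes in bits for the ciphers the thread discusses (assumed table).
BLOCK_BITS = {"3DES": 64, "Blowfish": 64, "AES-128": 128, "AES-256": 128}


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Probability that at least two of n CBC ciphertext blocks collide.

    Each ciphertext block behaves like a random value from a space of
    2^block_bits, so the birthday approximation applies:
        p = 1 - exp(-n(n-1) / (2 * 2^b))
    expm1 keeps precision when p is tiny (the AES case).
    """
    space = 2.0 ** block_bits
    exponent = -(n_blocks * (n_blocks - 1)) / (2.0 * space)
    return -math.expm1(exponent)


def blocks_for_probability(block_bits: int, p: float) -> int:
    """Smallest n at which the collision probability reaches p (inverse of above)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2.0 ** block_bits
    # Solve 1 - exp(-n^2 / (2*space)) = p  =>  n = sqrt(2 * space * ln(1/(1-p)))
    return math.ceil(math.sqrt(2.0 * space * -math.log1p(-p)))


def blocks_to_bytes(block_bits: int, n_blocks: int) -> int:
    """Traffic volume in bytes that n_blocks of ciphertext represent."""
    return n_blocks * (block_bits // 8)


def rekey_budget_bytes(block_bits: int, max_p: float) -> int:
    """Bytes one key may encrypt before the collision probability exceeds max_p.

    This is the defender's number: renegotiate the session key before the
    budget is spent, or move to a 128-bit block cipher so the budget is too
    large to matter in practice.
    """
    return blocks_to_bytes(block_bits, blocks_for_probability(block_bits, max_p))


def summarize(max_p: float = 1e-6) -> dict:
    """Per-cipher table: p at 2^32 blocks, data until p=0.5, and a rekey budget."""
    out = {}
    for name, bits in BLOCK_BITS.items():
        half = blocks_for_probability(bits, 0.5)
        out[name] = {
            "block_bits": bits,
            "p_at_2^32_blocks": collision_probability(bits, 2 ** 32),
            "gib_until_p_0.5": blocks_to_bytes(bits, half) / 2 ** 30,
            "rekey_budget_mib": rekey_budget_bytes(bits, max_p) / 2 ** 20,
        }
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name:9s} block={row['block_bits']:3d} bits  "
              f"p(collision @ 2^32 blocks)={row['p_at_2^32_blocks']:.3g}  "
              f"data until p=0.5: {row['gib_until_p_0.5']:.3g} GiB  "
              f"rekey budget (p<=1e-6): {row['rekey_budget_mib']:.3g} MiB")
```

The 64-bit rows come out at roughly 32 GiB for a 39% collision chance and under 50 MiB for a one-in-a-million budget, which is why keeping one 3DES or Blowfish key alive for a long, high-volume session is the real exposure.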

  13. Most used = MOST attacked by Anonymous Coward · · Score: 0

    See subject: The exact opposite of "security by obscurity" of lesser used OS - malware makers etc. are like pickpockets & don't operate on "crowds of 1 member only" but instead go where the masses are (Windows or on smartphones, ANDROID) for a better "return on investment" of their time & efforts as well as a MORE than potentially better "catch".

    * That IS how it is & reality...

    (... & not all your attempts @ creating "FUD" can change it...)

    APK

    P.S.=> It amazes me with the "anti-windows/anti-microsoft" fanboys around here STILL trying that line of bullshit you did - it doesn't work & never really did for anyone w/ an ounce of common-sense... apk

    1. Re:Most used = MOST attacked by Anonymous Coward · · Score: 0

      Yes, but, in this case it's not modern/all Windows that's the problem. It's the fact that Windows XP still has a significant deployment despite being massively outdated in security terms. MS stopped releasing security patches for it over two years ago, after a long campaign of pre-announcement and attempting to move users away from it. Even Windows 7 (or even Vista!) don't suffer from having to use 3DES. Even if you use Firefox on XP, you don't have the SWEET32 problem. Only Windows XP + IE users, who rightly shouldn't exist on the Internet anymore, but continue to persist in numbers that are too big for major sites to completely ignore.

  14. XP % of users = extremely small, &? apk by Anonymous Coward · · Score: 0

    See subject: ~2% only & that's a "social problem" w/ end users (probably pirated too & unpatched) but it's one on android too (due to handset makers not patching from what I've read here & elsewhere online) - how do you stop that?

    * Again - it STILL shows you that "most used = MOST attacked" (Windows as a whole, android as well considering it's a LINUX variant no questions asked (as it surely isn't MacOS X/iOS or Windows kernel based)) - which you agreed with no less.

    The encryption methods I agree w/ for the MOST part, but what I don't like about secure sockets & encryption is that it ALWAYS gets broken & backward compatibility often doesn't get looked into + passed on for older applications that use it (which breaks them).

    APK

    P.S.=> Eventually that will pass as far as XP is concerned since it, like DOS/Win3x or even for the most part 9x will be dropped by end users, but what "hits it" as you seem to think (& I do NOT agree with MOSTLY since I've been a professional dev since 1994 & long before it in academia + on my own as well as a network admin & security tech professionally in my time since then) doesn't affect "modern Windows"?

    I must differ (Win32/64 code is still often usable from Win9x-most NT series OS for MOST types of wares by virtue of the API itself being MUCH the same (yes, some 'security changes' but not the majority))... apk