New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com)
Researchers "have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft," reports Digital Trends. Slashdot reader msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction. The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.
In response, OpenSSL is expected to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks. The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.
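The summary says collisions "begin after a relatively short amount of data". The following is an added example, not code from the story, the SWEET32 researchers, OpenSSL or OpenVPN: it works the birthday bound that makes a 64-bit block cipher dangerous once a single key has encrypted a few tens of gigabytes, and contrasts it with a 128-bit block. The cipher-list audit at the end and the sample suite list are constructed for illustration; the markers it matches (3DES, DES-CBC3, BF-) are the OpenSSL and OpenVPN spellings of the two ciphers the story names.

```python
import math

# Block sizes of the ciphers discussed in the story (bits).
BLOCK_BITS = {"3DES": 64, "Blowfish": 64, "AES-128": 128}


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """Birthday bound: probability that at least one ciphertext block repeats
    among n_blocks outputs of a block_bits-wide cipher under one key.
    Uses 1 - exp(-n^2 / 2^(b+1)); expm1 keeps tiny values accurate."""
    exponent = (n_blocks ** 2) / 2.0 ** (block_bits + 1)
    return -math.expm1(-exponent)


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Number of blocks after which a collision has occurred with probability p
    (inverse of the bound above)."""
    return math.ceil(math.sqrt(-2.0 ** (block_bits + 1) * math.log(1.0 - p)))


def bytes_for_probability(p: float, block_bits: int) -> int:
    """Same threshold expressed as bytes of ciphertext under one key."""
    return blocks_for_probability(p, block_bits) * (block_bits // 8)


# Substrings that identify 64-bit-block suites in OpenSSL / OpenVPN cipher names.
SIXTY_FOUR_BIT_MARKERS = ("3DES", "DES-CBC3", "BF-")

# Constructed sample cipher list, as an admin might pull from a server config.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "BF-CBC",
]


def flag_64bit_suites(names):
    """Return the suites in `names` that use a 64-bit block cipher, in order."""
    flagged = []
    for name in names:
        upper = name.upper()
        if any(marker in upper for marker in SIXTY_FOUR_BIT_MARKERS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for cipher, bits in BLOCK_BITS.items():
        gb = bytes_for_probability(0.5, bits) / 1e9
        p32 = collision_probability(2 ** 32, bits)
        print(f"{cipher:9s} {bits:3d}-bit block: 50% collision after ~{gb:.3g} GB; "
              f"P(collision after 2^32 blocks) = {p32:.3g}")
    print("64-bit suites to remove:", flag_64bit_suites(SAMPLE_SUITES))
```

For the 64-bit ciphers the 50% mark sits around 40 GB of traffic under one key, and after 2^32 blocks (32 GB) a collision has already happened with probability about 0.39; for AES-128 the same volume gives a probability on the order of 10^-20. That gap, not any weakness in the 3DES or Blowfish key schedule, is what the deprecation is about, and the practical mitigations are the ones the story lists: drop the 64-bit suites from the cipher list, or rekey long before that volume is reached.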
Wake me up when SWEET64 is available.
from what i read here, this seems 'practical' only if the victim is very stupid and has no common sense practical ability, committing several silly mistakes in succession, from being lured to a fake site to having full tracking and scripting enabled for all sites etc.
of course, with people like hillary clinton around, who fit that description, this is useful.
too bad being stupid and incompetent seems not to stop the careers (or have any consequence) of establishment elites no matter how many times they are exposed as easy penetrations for hacking or corruption.
AES is symmetrically keyed.
How do you propose the key be sent out-of-band for web browsers?
--
BMO
Mass disconnecting has already been invented, it's called Comcast.
Table-ized A.I.
How will this affect bcrypt? Will the algo need to be redesigned?
-SR
Wait... are you saying that AES can't be used in place of 3DES and Blowfish because it's a symmetric-key algorithm, or am I misunderstanding you? Because 3DES and Blowfish are also symmetric-key ciphers.
You sound a little alarmist. Specifically, I have no faith that browsers are inherently secure, given the unending series of flaws against them, so I find the idea that browsers must be updated to be pretty compelling. That being said, what do you think of Pale Moon? And do any of the chromium forks strike you as secure? Those strip out most of the botnet behavior of Chrome and Chromium.
I find the claims that open source is deliberately compromised to be not-very-compelling. My reasoning is thus: A systematic effort to compromise open source might be discovered, or it might be leaked, and either of those things would be really big and devastating news.
That being said, with recent leaks, we've seen a carnival of long unpatched zero days. I think you are overly paranoid, but a few years ago I would have thought you were totally nuts, and time would not have been kind to my position from then.
What is this, 2004?
Your suggestion to keep an incorrect clock is complete bullshit and achieves the opposite of what you claim. Most people's clocks are accurate within a few seconds of one another. If your clock is reasonably true, your timestamp gets lost in the noise among millions of other users who have the same timestamp. An accurate system clock is one less unique data point that can be used against you. If you intentionally skew your clock way off, you're much easier to track across different services because your computer is the only one claiming that timestamp.
I don't know what your motivation is in recommending this nonsense, but frankly it sounds like the only FBI on Slashdot is you, trying to trick people into being easily tracked.
"If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
You are full of shit, NSA has adopted AES in its Suite B and recommended it for top secret communications with the government since 2005. It upgraded the recommendation recently for top secret communications, making a key size larger than or equal to 384 mandatory.
Achille Talon
Hop!
If Ubisoft or Steam or similar are compromised you will just not use that site any more.
The whole point is to protect yourself from compromised sites, when you don't know they're compromised. If nobody went to compromised sites anyway, security wouldn't be the big deal it has to be today. These announcements are not being made to protect "l33t gamer in mom's basement", they are being made to discuss with software vendors of web clients and servers how to make *mom* safer. And grandma. And all the other people you won't talk to because they're just so stupid.
The point is not to replace everything with AES but to use AES instead of weak ciphers like 3DES and RC4.
I thought the whole point of asymmetric keys is that you can send the "encode" key in band and keep the secret "decode" key yourself.
If you're exchanging symmetric keys over IP wouldn't someone in the middle be able to sniff it out?
>if 3DES and Blowfish are symmetric, and they are used over the Internet, someone must have figured out how to exchange the key that I don't know about.
>off to quick research
>find out about diffie-hellman key exchange of symmetric keys
I know far too little about cryptography but this sent me in a good direction.
Thanks.
--
BMO
"The exploit, dubbed ‘Sweet32’, isn’t easy to carry out, however. It involves mining hundreds of gigabytes of data, and targeting specific users who have accessed a malicious website which saddled them with a bit of malware" ref
First, DES is 56 bit (near enough 60). Triple DES as per first mode (the authorised standard) is 168 bits. The article fails to distinguish, implying the authors are just a little bit naff. 3DES seems to be quite safe, as long as not used in DES emulation mode. And who the hell emulates a mode that was broken in the 80s?
Second, Blowfish was replaced by TwoFish, ThreeFish and Speck. Skein, an entrant to the DES3 challenge, makes use of ThreeFish.
Third, the Wikipedia page states it has been known for a long time that weak keys are bad. This particular attack, though, is a birthday attack. You can find all the ciphers vulnerable or free that you should be using. Anything not on the list is something you are solely responsible for.
http://csrc.nist.gov/archive/a...
In other words, this information is about as useful as telling us that Model T Fords weren't good at cornering at highway speeds. Below are some links, I can't be buggered to HTML-ify them.
https://en.m.wikipedia.org/wik...
http://www.skein-hash.info/
https://en.m.wikipedia.org/wik...
https://en.m.wikipedia.org/wik...
I do not trust most encryption software these days, but that's because programmers these days are sloppy and arrogant.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
How do you propose the key be sent out-of-band for web browsers?
The same way that 3DES and Blowfish keys are sent currently.
I thought the whole point of asymmetric keys is that you can send the "encode" key in band and keep the secret "decode" key yourself.
Yes, but asymmetric encryption is slow, because you need about 5 - 10 times the key size to get the same level of security, and the algorithms are more complex. So in practice you only use it to encrypt a symmetric key, which you will use for the rest of the session.
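The exchange BMO looked up (Diffie-Hellman) and the point made in the reply above (the public-key step is used once to agree a symmetric key, and the bulk traffic then uses that key) as an added example, not code from any poster or from OpenSSL. The group parameters are a constructed toy: the Mersenne prime 2^127 - 1 with generator 3, far too small for real use, where TLS uses standardized finite-field or elliptic-curve groups. The key-derivation label is also an arbitrary assumption.

```python
import hashlib
import secrets

# Constructed toy group for illustration only (assumption, not a real
# deployment parameter): a 127-bit Mersenne prime and a small generator.
P = 2 ** 127 - 1
G = 3


def dh_keypair():
    """Generate a private exponent and the public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 2   # x in [2, P-1]; never sent anywhere
    pub = pow(G, priv, P)                 # sent in the clear
    return priv, pub


def dh_shared_secret(my_priv: int, their_pub: int) -> int:
    """(g^y)^x mod p, which equals (g^x)^y mod p on the other side."""
    return pow(their_pub, my_priv, P)


def derive_session_key(shared: int, label: bytes = b"demo-kdf-label") -> bytes:
    """Hash the raw DH output down to a 128-bit symmetric key. The label is an
    assumed constant; real protocols bind transcript data here as well."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()[:16]


def agree_session_key():
    """Run one exchange and return the key each side derives.
    Only a_pub and b_pub cross the wire; a passive sniffer sees those, P and G,
    but not the private exponents, so it cannot compute the shared secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_session_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_session_key(dh_shared_secret(b_priv, a_pub))
    return key_a, key_b


def wire_view(a_pub: int, b_pub: int) -> dict:
    """What an on-path observer actually gets to see: public values only."""
    return {"p": P, "g": G, "a_pub": a_pub, "b_pub": b_pub}


if __name__ == "__main__":
    k_a, k_b = agree_session_key()
    print("both sides derived the same 128-bit key:", k_a == k_b, k_a.hex())
```

This answers the "someone in the middle could sniff it out" worry for a passive listener, but not for an active one: bare Diffie-Hellman lets an attacker who can rewrite traffic substitute their own public values to each side. TLS closes that gap by having the server sign its exchange parameters under the certificate the browser verifies, which is why the "out-of-band" piece in practice is the certificate authority trust store, not the key itself.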
So by your described metric, all of our non-technical families and friends are very stupid and have no common sense practical ability and it's their fault
no, your logic is faulty.
one or more of common sense actions like avoiding fake sites pretending to be others, and having widely used no-tracking and no-scripting extensions would prevent this 'attack'. all that does not require technical knowledge.
common sense competence and caution, which people like hillary clearly lacks, is all that is required.
one or more of common sense actions like avoiding fake sites pretending to be others, and having widely used no-tracking and no-scripting extensions would prevent this 'attack'. all that does not require technical knowledge.
No, you're mistaken. Much of the web doesn't work without some amount of scripting and cookies. Now, I run those scripting and tracking blockers. However, it's quite a game to get some sites working, knowing which scripts I have to enable. That is far beyond the expertise of plenty of smart people who don't happen to be experts in computer related things.
SJW n. One who posts facts.
you are free to dig yourself into a hole by using faulty logic.
it is irrational to claim that exercising basic common sense and caution requires technical know-how.
as usage stats indicate, billions of people have what is required to use no-tracking and no-scripting extensions. same with not being lured into fake sites and easy-to-use whitelisting of authentic sites when needed.
all it takes to be safe from this 'attack' is common sense and caution at any point of its requirements for success.
as i said from first there are incompetent idiots, like hillary, who lack those. don't slander everyone else by dragging them to her level of non competence.
since you have made the same point as another please refer to my reply to that in sibling thread.
I do not shop online with an unlimited credit card. I put money into the card account in order to make that purchase. I also live about 1/2 kilometer (just under a half mile) to a local bank branch, in which I withdraw my weekly need of cash.
There is a negative aspect to my way of doing things. I have no credit history to speak of, except for my bank which knows me. I was able to get a very low cost mortgage, when I needed it, but it took some work to get the credit rating companies to do their work and look at my non-indebtedness. Watch out for the errors that these parasite companies make, and boy, do they make many. They can ruin your reputation and your credit worthiness with a simple error such as mistaking someone else for you.
Leslie Satenstein Montreal Quebec Canada