Overview

Red Hat Product Security has been made aware of an issue with block ciphers within the SSL/TLS protocols that under certain configurations could allow a collision attack. This issue has been rated as Moderate and is assigned CVE-2016-2183. This issue requires no updates or action for users of Red Hat products at this time. Please see the Resolution section below for more details.

Background

Legacy block ciphers having a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the SSL/TLS protocol support ciphersuites which use 3DES as the symmetric encryption cipher and are therefore affected (for example ECDHE-RSA-DES-CBC3-SHA). In the versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7, DES-based ciphersuites are listed below the ones which support AES-128 (with PFS ciphersuites) and AES-256. This means that a DES cipher will be chosen only when the server explicitly disables AES-128 and AES-256. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, DES-based ciphersuites are listed below AES-256, but above AES-128. In such cases DES will be chosen only when the server explicitly disables AES-256 based ciphersuites.
The security of a block cipher depends on the key size (k). Therefore the best attack against a block cipher is the exhaustive key search attack, which has a complexity of 2^k. However, when block ciphers are used to encrypt large amounts of data using modes of encryption such as CBC, the block size (n) also plays a part in determining its security.
When CBC mode of encryption is used, there is a simple birthday attack in which, after 2^(n/2) blocks of data are encrypted with the same key, a collision between two ciphertext blocks is expected. A collision in the output would mean that the input is the same. Since each CBC input is a plaintext block XORed with the previous ciphertext block, equal inputs reveal the XOR of the two plaintext blocks. This information, combined with several conditions (discussed below), can be used to extract plain text from the encrypted data.
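The birthday collision described above, worked through as an added example that is not part of this advisory: the block cipher below is a constructed toy Feistel permutation (not DES/3DES), run with a 16-bit block so the 2^(n/2) bound is reached within a few thousand blocks, and the same formula reproduces the 32GB figure for n = 64.

```python
import hashlib
import random

def toy_block_cipher(block, key, n_bits, rounds=8):
    # Balanced Feistel network with a SHA-256 round function. Any Feistel
    # network is a permutation, the only property the CBC collision argument
    # needs; it stands in for DES/3DES so the block size can be shrunk.
    half = n_bits // 2
    mask = (1 << half) - 1
    left, right = block >> half, block & mask
    for r in range(rounds):
        digest = hashlib.sha256(key + bytes([r]) + right.to_bytes(8, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest[:8], "big") & mask)
    return (left << half) | right

def cbc_encrypt(blocks, key, iv, n_bits):
    # Standard CBC chaining: C_i = E(P_i XOR C_{i-1}), with C_{-1} = IV.
    out, prev = [], iv
    for p in blocks:
        prev = toy_block_cipher(p ^ prev, key, n_bits)
        out.append(prev)
    return out

def find_collision_leak(ciphertext, iv):
    # C_i == C_j (i < j) means equal cipher inputs, so
    # P_i XOR P_j == C_{i-1} XOR C_{j-1}, which an observer can compute.
    prev = [iv] + ciphertext[:-1]
    seen = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            return i, j, prev[i] ^ prev[j]
        seen[c] = j
    return None

def collision_threshold_bytes(n_bits):
    # Expected data before a collision: 2^(n/2) blocks of n/8 bytes each.
    # For n = 64 this is 2^32 * 8 bytes = 32 GiB, the figure the advisory gives.
    return (1 << (n_bits // 2)) * (n_bits // 8)

def demo(n_bits=16):
    # Constructed inputs: fixed key, seeded random plaintext, 8x the birthday bound.
    key, iv = b"constructed-demo-key", 0x1234 & ((1 << n_bits) - 1)
    rng = random.Random(1)
    plain = [rng.getrandbits(n_bits) for _ in range(8 << (n_bits // 2))]
    hit = find_collision_leak(cbc_encrypt(plain, key, iv, n_bits), iv)
    if hit is None:
        return None
    i, j, leaked_xor = hit
    return leaked_xor == plain[i] ^ plain[j], j + 1
```

`demo()` returns whether the leaked XOR matches the real plaintext XOR and how many blocks were needed before the first collision.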

Practicality of the attack

  1. Firstly, DES/3DES is the only cipher used in SSL/TLS which has a block size of 64 bits. As discussed in the Background section, ciphersuites containing 3DES are prioritized below other ciphersuites (AES-128 for example).
  2. To run the attack on 64-bit block ciphers, at least 32GB of data needs to be captured on the wire. In the case of SSL/TLS this would mean from a single SSL/TLS session (for all new sessions, SSL/TLS renegotiates the symmetric key). Consequently, long-lived HTTP connections could be vulnerable.
  3. In many contexts, recovering only the XOR between two plain text blocks is not sufficient for an attack with a practical impact. However, an attack can be mounted when the following conditions are fulfilled:

  4. The proof of concept attack mentioned in the research paper assumes some authentication token is passed between the server and client for all of its communications (the token could be a cookie or credentials used in basic authentication). The attacker then runs a malicious JavaScript in the origin of the web site which is being attacked. A BEAST type of attack can then be used to extract the cookie.

Mitigations

  1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so.
  2. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuites should not be disabled on the server.
  3. Servers using OpenSSL should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES-based ciphersuites.
  4. Disable 3DES. This can be achieved for Apache httpd by setting: SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
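An added check, not from this advisory or from Red Hat, that resolves a candidate SSLCipherSuite value through Python's ssl module and reports whether any DES/3DES suite is still offered and whether AES suites rank above it; the result reflects the OpenSSL build the interpreter is linked against, not necessarily the one Apache uses.

```python
import ssl

def enabled_ciphers(cipher_string):
    # Resolve an OpenSSL cipher string to the ordered list of suites the
    # OpenSSL build behind Python's ssl module would actually offer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def is_64bit_block(name):
    # OpenSSL names DES suites "...-DES-CBC-SHA" and 3DES "...-DES-CBC3-SHA".
    return "DES-CBC" in name

def weak_64bit_ciphers(cipher_string):
    # Suites still enabled that use DES/3DES, i.e. the ones Sweet32 affects.
    return [n for n in enabled_ciphers(cipher_string) if is_64bit_block(n)]

def des_ranks_below_aes(cipher_string):
    # True when every AES suite precedes every DES/3DES suite, the ordering the
    # advisory relies on for RHEL 6/7 (vacuously true if no DES suite remains).
    names = enabled_ciphers(cipher_string)
    aes = [i for i, n in enumerate(names) if "AES" in n]
    des = [i for i, n in enumerate(names) if is_64bit_block(n)]
    return not des or not aes or max(aes) < min(des)

def audit(cipher_string):
    # Summarise a candidate SSLCipherSuite value for review.
    weak = weak_64bit_ciphers(cipher_string)
    return {"cipher_string": cipher_string,
            "des_suites": weak,
            "aes_preferred": des_ranks_below_aes(cipher_string),
            "sweet32_exposed": bool(weak)}

if __name__ == "__main__":
    # Compare the default-style string with the hardened one from the advisory.
    for s in ("HIGH:MEDIUM:!MD5:!RC4", "HIGH:MEDIUM:!MD5:!RC4:!3DES"):
        print(audit(s))
```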

Resolution

  1. This flaw is related to the design of the DES/3DES cipher and is not an implementation flaw.
  2. This flaw does not directly affect any cryptographic libraries (OpenSSL, NSS and GnuTLS) in Red Hat Enterprise Linux 5, 6 and 7, since there are several stronger ciphersuites, which are placed higher than 3DES in the default cipher list configurations.
  3. For Red Hat Enterprise Linux 5, do not disable AES-256-based ciphersuites on the server. For Red Hat Enterprise Linux 6 and 7, do not disable AES-128 or AES-256-based ciphersuites on the server.
  4. It is advised to completely disable DES/3DES ciphers to avoid scenarios in which malicious clients offer only vulnerable ciphers during the TLS handshake.

Upstream Security fixes:

OpenSSL:

OpenSSL has rated this as a 'low' severity security issue. They have moved 3DES ciphersuites from the HIGH category to MEDIUM in the 1.0.2 branch, and will disable it by default in an upcoming release.

NSS:

Mozilla is implementing data limits for all ciphersuites.

Related Issues

Upstream OpenVPN is also susceptible to the Sweet32 attack and is being tracked by CVE-2016-6329. Red Hat's implementation of OpenVPN is not affected by this flaw.

References

http://coinselected.com/security/cve/CVE-2016-2183
http://sweet32.info/
