SWEET32 : triple-DES should now be considered as “bad” as RC4. #387

Closed
tdelmas opened this issue Aug 24, 2016 · 9 comments

Comments

@tdelmas
commented Aug 24, 2016

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

I think 3DES should be flagged INSECURE, as RC4 is.

@RobTho

commented Aug 24, 2016

@adamcaudill

commented Aug 25, 2016

The situation with 3DES is a bit different though, as it requires a substantial amount of data encrypted with the same key - so it can be effectively mitigated by disabling Keep-Alive, or setting the maximum number of requests to something conservative (Apache and Nginx default to 100). So it can be used safely, assuming other changes are made to limit the amount of traffic that is encrypted with the same key.

@RobTho

commented Aug 25, 2016

yeah currently, till the attack is improved...

@adamcaudill

commented Aug 25, 2016

@RobTho There's a limit to how much the attack can be improved though, as it relies on collisions - if you disable Keep-Alive in HTTP/1.1, you eliminate the attack model. If your TLS stack can limit the number of blocks using the same key, eliminated (I believe CloudFlare is going this route).

I'd love to see 3DES die, but it's not as clear when it's dangerous as it is with RC4.

@RobTho

commented Aug 25, 2016

Hi,
I know the limit. But this does not mean that someone found an easier / faster way to break 3DES, soon.
RC4 break was also improved later on afaik.

@andersk

commented Aug 25, 2016

Every cipher is potentially subject to the discovery of easier and faster attacks. When evaluating which attacks are likely to be improved, it’s important to take into account the nature of the attacks. The RC4 attacks exploit subtle statistical patterns in the cipher output, and could be improved by finding stronger patterns. The SWEET32 attacks do not break the internals of the block cipher at all. They are a generic observation about the number of blocks that can be safely encoded with the same key using any 64-bit block cipher in CBC mode—whether it’s triple-DES, Blowfish, or even an ideal random permutation oracle—before there is a significant risk of collisions. We know everything there is to know about this risk; it is not mathematically possible for a new attack to increase the generic probability of collisions for a given number of blocks. So to find a better attack on triple-DES, one would have to discover some weakness in the block cipher itself. Again, that could happen, but it would be an entirely new attack path, and we have no evidence that it’s particularly likely. DES seems to have stood the test of time remarkably well.
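
Added example, not part of the thread: the generic birthday bound described in the comment above, computed for 64-bit and 128-bit block sizes and turned into a per-key data budget for checking a request limit. The 1e-6 risk target and the 100 KiB response size are constructed assumptions; the 100-request limit is the figure quoted earlier in the thread.

```python
import math

def collision_probability(blocks: int, block_bits: int) -> float:
    """Birthday-bound probability that at least two of `blocks` ciphertext
    blocks collide, for an ideal cipher with `block_bits`-bit blocks."""
    # p = 1 - exp(-n(n-1) / 2^(b+1)); expm1 keeps precision when p is tiny.
    exponent = -blocks * (blocks - 1) / 2.0 ** (block_bits + 1)
    return -math.expm1(exponent)

def max_bytes_per_key(block_bits: int, max_probability: float) -> int:
    """Largest amount of data (in bytes) encrypted under one key that keeps
    the collision probability at or below `max_probability`."""
    # Invert the bound: n = sqrt(-2^(b+1) * ln(1 - p)), rounded down.
    n = math.sqrt(-(2.0 ** (block_bits + 1)) * math.log1p(-max_probability))
    return int(n) * (block_bits // 8)

def connection_within_budget(requests: int, bytes_per_request: int,
                             block_bits: int, max_probability: float) -> bool:
    """True if a connection capped at `requests` requests stays inside the
    per-key data budget for the chosen risk target."""
    budget = max_bytes_per_key(block_bits, max_probability)
    return requests * bytes_per_request <= budget

if __name__ == "__main__":
    RISK_TARGET = 1e-6            # assumed acceptable collision probability
    RESPONSE_BYTES = 100 * 1024   # constructed sample response size

    # The bound depends only on block size, not on the cipher's internals.
    for name, bits in (("64-bit block (3DES, Blowfish)", 64),
                       ("128-bit block (AES)", 128)):
        p = collision_probability(2 ** 32, bits)   # 2^32 blocks under one key
        print(f"{name}: p(collision) after 2^32 blocks = {p:.3e}")

    budget = max_bytes_per_key(64, RISK_TARGET)
    print(f"64-bit budget at p <= {RISK_TARGET}: {budget / 1e6:.1f} MB per key")
    for limit in (100, 10_000_000):
        ok = connection_within_budget(limit, RESPONSE_BYTES, 64, RISK_TARGET)
        print(f"request limit {limit}: within budget = {ok}")
```
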

@ivanr ivanr added the enhancement label Aug 30, 2016

@vaitguy

commented Oct 27, 2016

Is there a way to mitigate this using IISCrypto?

@bhushan5640

Collaborator

commented Feb 10, 2017

SWEET32 detection is now available via "Future grade" feature.
https://blog.qualys.com/ssllabs/2017/01/18/ssl-labs-grading-changes-january-2017

@darkhacknet

commented Dec 12, 2018

So how can I exploit this vulnerability? Please help bros, I can't find really good info .. =/
