Big Data Busts Crypto: 'Sweet32' Captures Collisions In Old Ciphers

Accepted submission by Arthur T Knackerbracket at 2016-08-29 14:14:40
Security

Story automatically generated by StoryBot Version 0.2.0a (Development).
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [TheRegister] collected from rss-bot logs

Time: 2016-08-29 07:11:50 UTC

Original URL: http://www.theregister.co.uk/2016/08/29/big_data_busts_crypto_sweet32_captures_collisions_in_old_ciphers/ [theregister.co.uk] using UTF-8 encoding.

Title: Big Data Busts Crypto: 'Sweet32' Captures Collisions In Old Ciphers

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Arthur T Knackerbracket has found the following story [theregister.co.uk]:

Researchers with France's INRIA are warning that 64-bit block ciphers – which endure in TLS configurations (triple DES) and OpenVPN (Blowfish) – need to go for the walk behind the shed.

The research institute's Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a "birthday attack" on Blowfish and triple DES encryption. They dubbed the attack "Sweet32" [sweet32.info].

Sophos' Paul Ducklin has a handy explanation of why it matters here [sophos.com].

The trick to Sweet32, the Duck writes, is that with a big enough traffic sample any repeated ciphertext block gives the attacker a start towards breaking the encryption: in CBC mode a repeated block reveals the XOR of two plaintext blocks, and if the attacker already knows one of them the other falls out. Collisions are manageably common with a 64-bit block cipher like Blowfish or Triple-DES.

They call it a "birthday attack" because it works on a similar principle to what's known as the "birthday paradox" – the counter-intuitive statistic that with 23 random people in a room, there's a 50 per cent chance that two of them will share a birthday.

In the case of Sweet32 (the 32 referring to the roughly 2^32 blocks an attacker has to see before a collision becomes likely, the birthday bound being half of the 64-bit block width), the "magic number" is pretty big: the authors write that 785 GB of captured traffic will, under the right conditions, yield up the encrypted HTTP cookie and let them decrypt Blowfish- or Triple-DES-encrypted traffic.

That is, if you do it right; here begins the TL;DR part.

To launch the attack, you need to:

  • Get the victim logged into the target site (site A), so that the login sets an HTTP cookie the browser attaches to every later request to that site;
  • Pass the victim on to an attacker-controlled site B, whose JavaScript fires millions of requests at site A; the browser attaches the victim's login cookie to each of them;
  • Keep the TLS connection alive long enough to capture on the order of 785 GB of ciphertext on it, and look for a repeated ciphertext block (a collision);
  • Use the collision, which in CBC mode gives the XOR of two plaintext blocks, one of them attacker-known, to recover the login cookie.
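The procedure above, scaled down so it runs in well under a second, as an added example that is not part of the original article or of the researchers' code: a toy 16-bit block cipher (a keyed random permutation, standing in for Blowfish or 3DES) in CBC mode, constructed traffic in which attacker-chosen URL blocks alternate with one fixed secret block (the cookie), and a passive observer who waits for a repeated ciphertext block. Because C_i = E(P_i XOR C_{i-1}) and E is a permutation, a repeated ciphertext block means the two cipher inputs were equal, so P_i XOR P_j = C_{i-1} XOR C_{j-1}; when one of the two plaintexts is attacker-known the other is recovered. The birthday estimate is included so the measured collision count can be compared with the prediction, and at real scale it gives the 2^32-block, 32 GiB figure behind the attack's name. The 16-bit block width, the seed and the traffic layout are this example's assumptions.

```python
import math
import random

# Toy scale, an assumption of this example: 16-bit blocks instead of the 64-bit
# blocks of 3DES/Blowfish, so the birthday bound is 2^8 blocks rather than 2^32
# and the whole "capture" is a few kilobytes.
BLOCK_BITS = 16
SPACE = 1 << BLOCK_BITS


def collision_probability(n_blocks: int, block_bits: int = 64) -> float:
    """Birthday estimate: P(at least one repeated ciphertext block among n_blocks)."""
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / (2.0 * (1 << block_bits)))


def expected_collisions(n_blocks: int, block_bits: int) -> float:
    """Expected number of colliding block pairs among n_blocks."""
    return n_blocks * (n_blocks - 1) / (2.0 * (1 << block_bits))


class ToyBlockCipher:
    """A keyed random permutation of BLOCK_BITS-bit values, standing in for a real
    64-bit block cipher. Only the permutation property matters for the attack."""

    def __init__(self, key_seed: int):
        rng = random.Random(key_seed)
        self._perm = list(range(SPACE))
        rng.shuffle(self._perm)

    def encrypt_block(self, block: int) -> int:
        return self._perm[block]


def cbc_encrypt(cipher: ToyBlockCipher, iv: int, plaintext_blocks):
    """CBC mode: C_i = E(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in plaintext_blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def recover_secret(iv: int, ciphertext_blocks, known_plaintexts):
    """Passive attacker: sees every ciphertext block, knows the plaintext of the
    blocks it chose itself (known_plaintexts[i] is an int) and not of the secret
    blocks (None). A collision C_i == C_j between a secret block and a known block
    gives secret = known XOR C_{i-1} XOR C_{j-1}.
    Returns (recovered_secret_or_None, number_of_collisions_seen)."""
    prev = [iv] + ciphertext_blocks[:-1]      # C_{i-1} for every i
    seen = {}                                 # ciphertext value -> first index
    recovered, collisions = None, 0
    for j, c in enumerate(ciphertext_blocks):
        i = seen.setdefault(c, j)
        if i == j:
            continue
        collisions += 1
        pi, pj = known_plaintexts[i], known_plaintexts[j]
        # known/known teaches nothing; secret/secret gives secret XOR secret = 0.
        if recovered is None and (pi is None) != (pj is None):
            known = pj if pi is None else pi
            recovered = known ^ prev[i] ^ prev[j]
    return recovered, collisions


def simulate_sweet32(n_requests: int = 2000, seed: int = 1) -> dict:
    """Constructed traffic: each 'request' is one attacker-chosen block (the varying
    URL) followed by the same secret block (the session cookie), all encrypted on
    one CBC stream, as on a long-lived TLS connection."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(key_seed=rng.getrandbits(32))
    iv = rng.getrandbits(BLOCK_BITS)
    secret = rng.getrandbits(BLOCK_BITS)
    plaintext, known = [], []
    for _ in range(n_requests):
        url_block = rng.getrandbits(BLOCK_BITS)
        plaintext += [url_block, secret]
        known += [url_block, None]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    recovered, collisions = recover_secret(iv, ciphertext, known)
    return {
        "secret": secret,
        "recovered": recovered,
        "collisions": collisions,
        "predicted_collisions": expected_collisions(len(ciphertext), BLOCK_BITS),
        "captured_bytes": len(ciphertext) * BLOCK_BITS // 8,
    }


if __name__ == "__main__":
    print(simulate_sweet32())
    # Same estimate at real scale: 2^32 blocks of 3DES is 2^35 bytes, 32 GiB.
    print(collision_probability(1 << 32, 64), (1 << 32) * 8)
```

Shrinking the block from 64 to 16 bits moves the birthday bound from 2^32 to 2^8 blocks, which is the only reason the run finishes in kilobytes rather than hundreds of gigabytes; the recovery logic is unchanged. The example also shows why the attacker needs a steady supply of known plaintext interleaved with the cookie: a known/known collision teaches nothing and a secret/secret collision only yields the XOR of two identical blocks.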

Decryption is still the hard part: the researchers note that it's far from an instant process:

On Firefox Developer Edition 47.0a2, with a few dozen workers running in parallel, we can send up to 2,000 requests per second in a single TLS connection. In our experiment, we were lucky to detect the first collision after only 25 minutes (2^20.1 requests), and we verified that the collision revealed [the plaintext we were after ...] The full attack should require 2^36.6 blocks (785 GB) to recover a two-block cookie, which should take 38 hours in our setting. Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours.

As they note, however, long-lived encrypted connections exist in at least one real-world setting: VPN sessions.

"Our attacks impact a majority of OpenVPN connections and an estimated 0.6% of HTTPS connections to popular websites. We expect that our attacks also impact a number of SSH and IPsec connections, but we do not have concrete measurements for these protocols" (emphasis added).

For users, that means switching from 64-bit block ciphers (triple DES, Blowfish) to 128-bit block ciphers such as AES; or, if you can't get the server to switch, set up your client to force frequent re-keying (OpenVPN's reneg-bytes option, for instance), so that no single key ever sees the hundreds of gigabytes the attack needs.
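A small audit of that advice against an OpenVPN client configuration, as an added example that is not code from the original article, the researchers or the OpenVPN project. It reads the real OpenVPN directives `cipher` and `reneg-bytes`, classifies the cipher by block width, and computes how many bytes one key may encrypt before the birthday collision probability exceeds a chosen ceiling. The sample configurations are constructed; the ceiling of one in a million per key, and the treatment of a missing `cipher` line as Blowfish (the default of older OpenVPN releases), are this example's own assumptions.

```python
import math
import re

# Block width in bits by cipher family, keyed on the OpenSSL names that OpenVPN's
# "cipher" directive accepts. Sweet32 applies to the 64-bit families. CHACHA20 is a
# stream cipher (0: no block to collide).
FAMILY_BLOCK_BITS = {
    "BF": 64, "DES-EDE3": 64, "DES": 64, "CAST5": 64, "IDEA": 64, "RC2": 64,
    "AES": 128, "CAMELLIA": 128, "SEED": 128, "CHACHA20": 0,
}
FAMILY_RE = re.compile(r"^(DES-EDE3|CHACHA20|CAMELLIA|CAST5|IDEA|AES|SEED|RC2|DES|BF)")
# Assumption of this example: a config with no "cipher" line is scored as BF-CBC,
# the default of older OpenVPN releases.
DEFAULT_CIPHER = "BF-CBC"


def block_bits_of(cipher_name: str):
    """64, 128 or 0 (stream cipher); None if the family is not recognised."""
    m = FAMILY_RE.match(cipher_name.upper())
    return FAMILY_BLOCK_BITS[m.group(1)] if m else None


def rekey_budget_bytes(block_bits: int, max_collision_probability: float) -> int:
    """Bytes one key may encrypt before the birthday collision probability exceeds
    the ceiling: the largest n with 1 - exp(-n^2 / 2^(block_bits+1)) <= p."""
    n_blocks = math.sqrt(2.0 * (1 << block_bits)
                         * math.log(1.0 / (1.0 - max_collision_probability)))
    return int(n_blocks) * block_bits // 8


def parse_directives(config_text: str) -> dict:
    """Minimal OpenVPN config reader: one directive per line, '#' or ';' comments."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives


def audit_openvpn(config_text: str, max_collision_probability: float = 1e-6) -> dict:
    """ok is True when the configuration is not exposed to Sweet32 as written."""
    d = parse_directives(config_text)
    cipher = (d.get("cipher") or [DEFAULT_CIPHER])[0]
    bits = block_bits_of(cipher)
    reneg = int(d["reneg-bytes"][0]) if d.get("reneg-bytes") else None
    findings, ok = [], True
    if bits == 64:
        budget = rekey_budget_bytes(64, max_collision_probability)
        findings.append(f"{cipher}: 64-bit block cipher, move to a 128-bit block "
                        f"cipher such as AES-256-GCM")
        if reneg is None or reneg > budget:
            ok = False
            findings.append(f"reneg-bytes missing or above {budget}: one key can "
                            f"encrypt enough data for a Sweet32 collision")
            if "reneg-sec" in d:
                findings.append("reneg-sec bounds time, not bytes; a busy tunnel "
                                "still accumulates data under one key")
        else:
            findings.append(f"reneg-bytes {reneg} keeps the per-key collision "
                            f"probability below {max_collision_probability} "
                            f"(stopgap, not a fix)")
    elif bits is None:
        ok = False
        findings.append(f"{cipher}: unrecognised cipher, check its block size by hand")
    return {"cipher": cipher, "block_bits": bits, "reneg_bytes": reneg,
            "ok": ok, "findings": findings}


# Constructed sample configurations (not from any real deployment).
WEAK_CONFIG = """\
# pre-2.4 style client config: Blowfish, time-based rekeying only
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
reneg-sec 3600
"""
STOPGAP_CONFIG = """\
# server cannot change cipher; client forces rekeying every 32 MiB
client
cipher DES-EDE3-CBC
reneg-bytes 33554432
"""
FIXED_CONFIG = """\
# 128-bit block cipher: Sweet32 does not apply
client
cipher AES-256-GCM
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("stopgap", STOPGAP_CONFIG),
                      ("fixed", FIXED_CONFIG)]:
        print(name, audit_openvpn(cfg))
```

With the one-in-a-million ceiling the budget for a 64-bit block cipher works out to roughly 48 MB per key, so `reneg-bytes 33554432` passes while a configuration relying on `reneg-sec` alone does not; for a 128-bit block cipher the same ceiling allows hundreds of petabytes, which is why no rekeying directive is needed in the fixed configuration.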

Browser makers, TLS library authors and OpenVPN have been notified and are working on patches. ®
