9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

Sweet32:Birthdayattackson64bitblock
ciphersinTLSandOpenVPN
CVE20162183,CVE20166329
Cryptographicprotocolslike TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms,
such as AES, TripleDES, and Blowfish, to encrypt data between clients and servers. To use such
algorithms, the data is broken into fixedlength chunks, called blocks, and each block is encrypted
separatelyaccordingtoamodeofoperation.Olderblockciphers,suchasTripleDESandBlowfishusea
blocksizeof64bits,whereasAESusesablocksizeof128bits.
Itiswellknowninthecryptographiccommunitythatashortblocksizemakesablockciphervulnerableto
birthdayattacks,eveniftherearenocryptographicattacksagainsttheblockcipheritself.Weobservethat
suchattackshavenowbecomepracticalforthecommonusageof64bitblockciphersinpopularprotocols
likeTLSandOpenVPN.Still,suchciphersarewidelyenabledontheInternet.Blowfishiscurrentlythe
defaultcipherinOpenVPN,andTripleDESissupportedbynearlyallHTTPSwebservers,andcurrently
usedforroughly12%ofHTTPSconnectionsbetweenmainstreambrowsersandwebservers.
WeshowthatanetworkattackerwhocanmonitoralonglivedTripleDESHTTPSconnectionbetweena
webbrowserandawebsitecanrecoversecureHTTPcookiesbycapturingaround785GBoftraffic. In
our proofofconcept demo, this attack currently takes less than two days, using malicious Javascript to
generatetraffic.Keepingawebconnectionalivefortwodaysmaynotseemverypractical,butitworked
easilyinthelab.Intermsofcomputationalcomplexity,thisattackiscomparabletotherecent attackson
RC4.We also demonstrate a similar attack on VPNs that use 64bit ciphers, such as OpenVPN, where
longlivedBlowfishconnectionsarethenorm.
Countermeasures are currently being implemented by browser vendors, OpenSSL, and the OpenVPN
team,andweadviseuserstoupdatetothelatestavailableversions.
OurresultswillappearinthefollowingtechnicalpaperatACMCCS2016:
OnthePractical(In)Securityof64bitBlockCiphersCollisionAttackson
HTTPoverTLSandOpenVPN
KarthikeyanBhargavan,GatanLeurent

BlockCiphersandtheBirthdayBound
Thesecurityofablockcipherisoftenreducedtothekeysizek:thebestattackshouldbetheexhaustive
searchofthekey,withcomplexity2k.However,theblocksizenisalsoanimportantsecurityparameter,
definingtheamountofdatathatcanbeencryptedunderthesamekey.Thisisparticularlyimportantwhen
usingcommonmodesofoperation:werequireblockcipherstobesecurewithupto2nqueries,butmost
modesofoperation(e.g.CBC,CTR,GCM,OCB,etc.)areunsafewithmorethan2n/2blocksofmessage
(thebirthdaybound).
Withamodernblockcipherwith128bitblockssuchasAES,thebirthdayboundcorrespondsto256EB.
However,forablockcipherwith64bitblocks,thebirthdayboundcorrespondstoonly32GB,whichis
easilyreachedinpractice.Whentheamountofdataencryptedunderafixedkeyapproachesthislimit,the
security guarantees of the mode of operation start to crumble. This problem is wellknown by
cryptographers, who always require keys to be changed well before 2n/2 blocks. However it is often
minimizedbypractitionersbecausetheattacksrequireknownplaintext,andrevealonlylittleinformation.
https://sweet32.info/

1/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

Indeed, standard bodies only recommend to change the key just before 2n/2 blocks, and many
implementationsdon'tenforceanylimitontheuseofakey.
In particular, there are many uses of block ciphers with 64bit blocks where large amount of data are
potentiallyencryptedunderthesamekey,suchas:
3Gtelephony(UMTS),encryptedwithKASUMI
OpenVPN,whichusesBlowfishasthedefaultcipher
manyInternetprotocols,suchasTLS,IPSecandSSH,supportTripleDESasalegacycipher.
Inallthesescenarios,32GBofdatacanbetransferredinlessthanonehourwithafastconnection.

ExploitingBlockCipherCollisions
Inpractice,blockciphersareusedwithamodeof
operation in order to deal with messages of
arbitrary length. The CBC mode is one of the
oldest encryption modes, and still widely used.
The message M is divided into blocks mi and is
encryptedas:
ci=Ek(mici1),
wherec1isaninitializationvalueusuallydenoted
asIV.Wenowexplaintheimpactofcollisionson
theCBCmode.
CBC has been proven secure up to $2^{n/2}$
blocks of messages. On the other hand there is a
TheCBCmode
simple birthday attack against CBC: after 2n/2
message blocks encrypted with the same key (in
thesamemessageorindifferentmessages),acollisionbetweentwociphertextblocksci=cjisexpected.
SinceEkisapermutation,acollisionintheoutputmeansthattheinputsarethesame(mici1=mj
cj1)whichrevealsthexoroftwoplaintextblocks:
mimj=ci1cj1.
With 2d blocks of data the expected number of collisions is roughly 22dn1 (following the birthday
paradox).
Practicalimpact
Inmanycontexts,recoveringonlythexorbetweentwoplaintextblocksisnotsufficientforanattackwith
apracticalimpact.However,anattackcanbemountedwhenthefollowingconditionsarefulfilled:
afixedsecretissentrepeatedly
somefractionoftheplaintextisknown.
In this case, there is a chance that a collision leaks the xor between the fixed secret and the known
plaintextthiswouldimmediatelyrevealthesecret.Moreprecisely,thisattackisexpectedtosucceedwith
highprobabilityassoonas2scopiesofthesecretand2tknownblocksareencrypted,withs+tn.
In particular, this is applicable to the security of encrypted HTTP connections, when an authentication
tokenissendwitheveryrequest.Amaninthebrowserattackercangeneratealargenumberofrequests,
andrecovertheauthenticationtoken,usingthefactthatmostheadersintherequestarepredictableoreven
controlledbytheattacker.

64bitBlockCipherUsageontheInternet
https://sweet32.info/

2/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

ManyofthemostinfluentialInternetsecurityprotocols,suchasTLS,SSH,andIPsecwerestandardizedat
a time when 64bit block ciphers, such as TripleDES and Blowfish, were still considered strong. For
example, in TLS 1.0 and 1.1, TripleDES is the mandatory encryption algorithm, so all TLS libraries
implementitandavastmajorityofwebserverssupportit.Inaddition,untilwedisclosedtheattacksin
thispaper,OpenSSLincludedTripleDESciphersuitesinitsHIGHsecuritylist(ithasnowbeenmovedto
MEDIUM).
TripleDESandBlowfishusageinVPNs.
IPSec. Most IPSecbased VPN clients support TripleDES for interoperability. In particular, some
versionsofMicrosoft'sL2TPVPNclientuseTripleDESbydefault.
OpenVPN. OpenVPN is a popular opensource VPN solution originally written by James Yonan. The
defaultencryptionforthetransportprotocolofOpenVPNisBlowfisha64bitcipherwiththeCBC
mode.OpenVPNsupportstwodifferentmodestogeneratesessionkeystoencryptthemessages:
Inpresharedkeymode,statickeysareusedforallthetraffic.Inparticular,thereisnolimittothe
lifetimeofthosekeys.
InTLSmode,sessionkeysaregeneratedwithaTLShandshake,usingcertificatestoauthenticate
thepeers.Thesessionkeysareupdatedperiodically,withlimitsonthenumberofpackets,the
numberofbytes,orasessiontime.Thedefaultconfigurationrekeysthetunneleveryhour.
TripleDESusageinHTTPS.
TripleDESisthesecondmostwidelysupportedcipher(afterAES)inHTTPSservers,withabout87%of
servers supporting it. Furthermore, all popular web browsers support TripleDES. The cipher that is
actuallynegotiatedforaTLSconnectionischosenbytheserver,basedonitslocalpreferenceorderandon
the order in which the client advertises its ciphersuites. Since most modern browsers and servers prefer
AESoverTripleDESonemayexpectonlyanegligiblenumberofconnectionstonegotiateTripleDES.
However, we find evidence that 12% of all TLS connections likely use TripleDES in CBC mode, as
describedbelow.
FirefoxTelemetry. TelemetrydatafromMozillaFirefoxshowthatTripleDESisusedforcloseto1%
ofHTTPSconnectionsfromFirefoxbrowsers(0.76%withbeta49).TheuseofTripleDESwithFirefoxis
slowlydecreasing,andpeakedwiththeremovalofRC4fromthelistofsupportedciphersinversion36.
Indeedanumberofserversareconfiguredtouse,inorderofpreference,firstRC4,thenTripleDES,and
now use TripleDES with Firefox. Since all modern browsers have deprecated RC4 between 2013 and
2015(followingRFC7465),theywillalsouseaTripleDESciphersuiteinthissituation.
ScanningtheTop1MWebsites.Weperformedascanofthetop1millionserversaslistedbyAlexa
usingthecipherscantool.Wefoundthat86%oftheserversthatsupportTLSincludeTripleDESasone
of the supported ciphers. Moreover, 1.2% of these servers are configured in such a way that they will
actuallypickaTripleDESbasedciphersuitewithamodernbrowser,eventhoughbetteralternativesare
available.(InparticularmanyoftheseserverssupportAESbasedciphersuites,butuseTripleDESorRC4
preferentially.)
Windows XP Clients and Windows 2003 Servers. The Windows Server 2003 operating system
does not support AESbased ciphersuites in its default configuration, although support for AES can be
added with an optional hotfix. The Windows XP operating system with security update MS10049
supportsAESbasedciphersuites.IfAESbasedciphersuiteshavenotbeenadded,theseoperatingsystems
supportonlyRC4,TripleDES,DES,andRC240.WhiletheyarenotsupportedanymorebyMicrosoft,
theystillhavesomeusers,andthiscreatessituationswherethebestavailablecipherisTripleDES.
LonglivedHTTPSconnection
AnimportantrequirementfortheattackistosendalargenumberofrequestsinthesameTLSconnection.
Therefore, we need to find client and servers that not only negotiate the use of TripleDES, but also
exchange a large number of HTTP request in the same TLS connection (without rekeying). This is
possibleusingapersistentHTTPconnection,asdefinedinHTTP/1.1(KeepAlive).Ontheclientside,all
https://sweet32.info/

3/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

browsersthatwetested(Firefox,Chrome,Opera)willreuseaTLSconnectionaslongastheserverkeeps
itopen.
Ontheserverside,wefoundthatanumberofHTTPserverswillclosetheTLSconnectionevenwhenitis
stillactive.Inparticular,ApacheandNginxlimitthenumberofrequestssentinthesameconnection,with
amaximumof100inthedefaultconfiguration.Ontheotherhand,IISdoesnotseemtohavesuchalimit.
Inpractice,manyhighprofileserversacceptaverylargenumberofrequestsinasingleTLSconnection.
VulnerableWebsites.Forabetterestimateofthenumberofvulnerableservers,wetestedserversfrom
Alexa's top 10k that negotiate TripleDES with a modern client. We identified 11483 different HTTPS
servers,andfoundthat226ofthem(1.9%)negotiateTripleDESwithamodernclient.Moreover,72of
these(0.6%ofthetotal)alsoaccepttokeepaconnectionopenforatleast800krequests.Consequently,
thedurationoftheattackisnotunrealistic,atleastfromtheviewpointofbrowsersandservers,andwe
estimatethatatleast0.6%ofHTTPSconnectionsarevulnerabletoourattacks.
Foradviceabouthowtocheckawebsite'sconfigurationandconfigureitproperly,seetheFAQ.

AttackingAuthenticatedHTTPoverTLSandOpenVPN
WenowdemonstrateconcreteattacksagainstauthenticatedHTTPsessionsevenwhentheyaresecuredby
TLS or OpenVPN. First, we identify a few examples of secret authentication credentials that are
repeatedlysentbythebrowseroneveryrequest.Wethenshow how we can recover these secrets using
blockciphercollisions.
HTTPBearerTokens
CookiebasedSessions.ModernHTTPSwebsitesuseavarietyofmethodstomanageauthenticated
sessionswiththeirclients.ThemostpopularmechanismissecurecookiesasspecifiedinRFC6265.Once
auserhasloggedin,theserversetsacookiecontainingasecretvalueontheuser'sbrowser.Thebrowser
willthensendthecookieonallsubsequentrequeststothewebsite,implicitlyauthenticatingtheuser.
Cookiesaresensitive,becauseanattackerwhoobtainsasessioncookiecanthenloginastheuserfroma
differentbrowser.Thecookieactsasabearertokenthatcarriestheuser'sdelegatedcredential.
A cookie for a website is normally included in all requests to that website whether that request was
initiatedbytheuser,orascriptonthewebsite,orevenbyadifferentwebsite.Browserssometimesimpose
stricterrulesforthislastcategoryofrequests,calledcrossoriginorcrossdomainrequests.Forexample,
XmlHttpRequests sent from one domain to another may not have cookies attached. However, cross
domainrequestsforimagesoriframeswillstillsendcookies.
HTTPBasicAuth.Apartfromcookies,thereareothermechanismsforawebsitetoauthenticatetheuser.
IntheHTTPBasicAuthenticationmechanismspecifiedinRFC7617,thebrowseraskstheusertoentera
username and password into a special dialog and then sends this information (in plaintext) as an HTTP
headeroftheform:
Authorization:BasicdGVzdDoxMjPCow=

Onceauserhasenteredhislogininformationonce,thebrowserwilltypicallycachethisinformationand
useitonallsubsequentrequeststotheserver.Notably,evenifadifferentwebsitecreatesacrossdomain
request to the authenticated server, the BasicAuth credentials will be automatically sent by the browser.
BasicAuthcredentialscontaintheuser'spasswordandarehencesecuritycritical.Oneshouldonlyusethis
authentication mechanism over HTTPS but a number of corporate websites use BasicAuth over HTTP,
under the assumption that their users can only access the website over a VPN or some other secure
connection.
TheBeastlyAttackScenario

https://sweet32.info/

4/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

Ourattackscenario,issimilartothesetupusedin
recentattacksonRC4.Theattackerwantstosteal
somebearertokenthatisbeingrepeatedlysentby
abrowsertoawebsitesecuredwithHTTPS,oran
HTTP website accessed through a VPN. We
assume that the attacker can control some
JavaScript on a web page loaded by the user's
browser, either by actively tampering with an
HTTP response on the wire, or by hosting a
malicious website that the user is fooled into
visiting. We also assume that the attacker can
observealltheencryptedtrafficbetweenthetarget
browserandthesecurewebsite.
Wefurtherassumethatthedataisencryptedwitha
64bit block cipher in CBC mode (either an
HTTPS connection where the client and server
have negotiated TripleDES, or an HTTP
connectionthoughaVPNencryptedwithBlowfish
or TripleDES). Suppose the victim is already
logged in to a website and has a session cookie.
TheBeastlyattacker
TheattackerrunsmaliciousJavaScriptcodeonthe
victim's browser that repeatedly sends HTTP queries to the target website server, each containing the
session cookie. If he sends close to 232 queries, a collision is expected between a ciphertext block
corresponding to the cookie (ci), and a known block (cj), containing a known part of the query. The
collisionattackagainstCBCrevealsthesessioncookie:
pi=pjci1cj1.
Note that most of the traffic generated by the attacker is known or predictable. The requested URL is
chosenbytheattacker,andalltheheadersexceptedthecookiearepredictableandcanbeobservedinany
HTTPtraffic.
ProofofConceptAttackDemo
The attacker code consists of two parts: a
JavaScript program that sends a large number of
HTTP requests, and a network adversary who
processestheresultingciphertexttorecoversa16
bytesecret.
Maninthebrowsercode.Theattackercodeis
shown on the right: it uses Web workers to issue
XmlHttpRequests, using the withCredentials
property to make sure that cookies are send in the
crossoriginrequest.Weexperimentedwithseveral
browsers, and we obtained the best results with
FirefoxDeveloperEdition47.0a2.
Recovering collisions. We captured the
encrypted packets with tcpdump and used a C++
program to extract the ciphertext blocks (using
libpcap). In both the HTTPS attack and the
OpenVPN attack, each HTTP query is sent in a
separate encrypted record, which contain the
plaintextatafixedposition,aswellassomeextra
information (packet number, padding, MAC, ...).
Therefore, it is easy to know to which plaintext
block corresponds each ciphertext block, and to
https://sweet32.info/

<html>
<body>
<script>
varW=newArray;
for(vari=0;i<8;i++){
varx=newWorker("worker.js");
W.push(x);
}
</script>
</body>
</html>

attack.html
varurl="https://10.0.0.1/index.html";
varxhr=newXMLHttpRequest;
//ExpandURLto~4kBusingaquerystring
//Alternatively,forcealargecookie
url+="?";
varx=10000000;
for(vari=0;i<=500;i++){
url+=x++;
}
while(true){
xhr.open("HEAD",url,false);
xhr.withCredentials=true;
5/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

alignthecookietoablocklimit.Aftercapturingall xhr.send();
the traffic, the C++ program sorts the ciphertext xhr.abort();
}
blocks in order to locate collisions. Since the
worker.js
amount of data is quite large (hundreds of
gigabytes),weusetheexternalsortimplementation
ofthestxxllibrary.WithaNASstorage,sortingthedatatookaroundfourhours.
AttackingBasicAuthoverOpenVPN
To demonstrate the attack against OpenVPN, we use a presharedkey tunnel between two physical
machinesrunningLinux,withFirefoxDeveloperEdition47.0a2ononeside,andannginxserveronthe
otherside.AccesstotheserverisprotectedbyBasicAuth,andtheuserhasenteredhiscredentials.Using
thedefaultOpenVPNsettings,thetunnelisencryptedwithBlowfishinCBCmode.
We use the Javascript code described in the previous section to send a large number of requests to the
serverthoughthetunnel.Wefoundthatincreasingthesizeoftherequestto4~kBdoesnotsignificantly
reducethequeryrate,butreducesthenumberofqueriesrequiredfortheattack.Inoursetting,thebrowser
generates about 2900 requests per second, using several web Worker running in parallel. We expect the
firstcollisionafterroughly232.3blocks(40GB),i.e.onehour.Inpractice,wedetectedthefirstcollision
early,afteronly30minutes(231.3blocks)asexpected,thepredictedxordifferencewascorrect.Thefull
attackneedsabout236.6blocks(785GB)torecoveratwoblocksecretoutof4kBmessagesthisshould
takeabout19hoursinthissetting.Inourdemo,ittook18.6hoursand705GB,andwesuccessfully
recoveredthe16byteauthenticationtoken.
AttackingSecureCookiesoverHTTPS
TheattackagainstHTTPSconnectionisverysimilartotheattackagainstOpenVPN,aslongaswehavea
clientandserverthatnegotiateTripleDES,andthatkeepaconnectionopenforalongtime.
VulnerableWebsites.Asdetailedabove,about0.6%ofthetopAlexa100KwebsitessupportTriple
DES and allow longlived HTTPS connections. This list contains many highprofile ecommerce and
bankingwebsites.
We use the Javascript code described above, but we note that with several Workers running in parallel,
modern browsers open a few parallel connections to the server and split the requests over these
connections. For our attack, we need to maximize the throughput over a singleconnection.This can be
achievedbydisturbingsomeoftheconnectionssothatmostofrequestaresendinasingle.Inoursetup,
weused iptablesrulestolimittherateofallconnectionsexceptone.Inarealattack,thiswouldbedone
byanactivemaninthemiddle,butapassivemaninthemiddlecanalsomounttheattackitwilljust
takemoretimetocollectthedata.
ProofofConceptAttackDemo. In our setup we use Firefox Developer Edition 47.0a2 running on
LinuxandanIIS6.0serverinaWindowsServer2003R2SP2Virtualmachine.Thedefaultconfiguration
of IIS 6.0 with all recommended updates offers only RC4 and TripleDES ciphers, and will use Triple
DESwithFirefoxandotherrecentbrowserswhereRC4isdisabled.Moreover,IIS6.0supportsHTTP/1.1
andkeepsanactiveconnectionopenforanarbitrarylongtime.
On Firefox Developer Edition 47.0a2, with a few dozen Workers running in parallel, we can send up to
2000requestspersecondinasingleTLSconnection.Inourexperiment,wewereluckytodetectthefirst
collisionafteronly25minutes(220.1requests),andweverifiedthatthecollisionrevealedthexoroftwo
plaintextsblocks.As seen previously, the full attack should require 236.6 blocks (785 GB) to recover a
twoblockcookie,whichshouldtake38hoursinoursetting.Experimentally,wehaverecoveredatwo
blockcookiefromanHTTPStraceofonly610GB,capturedin30.5hours.

ImpactandMitigation
https://sweet32.info/

6/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

WehavedemonstratedthefirstconcreteattacksonmainstreamInternetprotocolsthatexploitblockcipher
collisions. Our attacks can recover valuable secrets such as HTTP cookies and passwords in under 40
hours. Our attacks impact a majority of OpenVPN connections and an estimated 0.6% of HTTPS
connections to popular websites. We expect that our attacks also impact a number of SSH and IPsec
connections,butwedonothaveconcretemeasurementsfortheseprotocols.Likemanyrecentattackson
TLS,suchaBEASTandRC4NOMORE,theunderlyingprinciplesbehindourattackswerewellknownto
cryptographers.Ourgoalistoraiseawarenessamongpractitionersaboutthevulnerabilitiesofshortblock
ciphersandonsafewaysofusingthem.
ComparisonwithRC4attacks
OurattackscenarioisverysimilartothesetupoftherecentattacksontheuseofRC4inHTTPS.Weuse
the same maninthebrowser setting to generate a large number of HTTP requests, and the data
complexityoftheattackiscomparable.Ourattackrequiresonly229.1shortqueriesof512bytes(280GB
intotal),whichcanbereducedto227.6longerqueriesof4kB(785GBintotal).However,thesenumbers
areforthecasewhenallthedataisencryptedwithinthesamesession.Eveniftheamountofdatasenton
a single connection is limited, as long as the limit is close enough to the birthday bound, we can still
mount our attacks across multiple parallel and sequential sessions, albeit with a higher data and time
complexity.
Mitigation
The obvious way to avoid these attacks is to stop using legacy 64bit block ciphers. Alternatively, the
attackcanbemitigatedbyrekeyingthesessionfrequently.
Concretely,werecommendthefollowingmeasurestopreventourattack:
WebserversandVPNsshouldbeconfiguredtoprefer128bitciphers.Accordingtoourscans,about
1.1%ofthetop100kwebserverfromAlexa,and0.5%ofthetop1million,supportAESbutprefer
touse3DES.
Webbrowsersshouldoffer3DESasafallbackonlycipher,toavoidusingitwithserversthat
supportAESbutprefer3DES.
TLSlibrariesandapplicationsshouldlimitthelengthofTLSsessionswitha64bitcipher.This
couldbedonewithTLSrenegotiation,orinsomecasesbyclosingtheconnectionandstartinganew
one(i.e.limitingHTTP/1.1KeepAlive,SPDY,andHTTP/2with3DESciphersuites).
OpenVPNuserscanchangethecipherfromthedefaultBlowfishtoAES,usingforinstancecipher
AES128CBContheclientandserverconfiguration.Iftheydon'tcontroltheserverconfiguration,
theycanmitigatetheattackbyforcingfrequentrekeyingwithrenegbytes64000000.
Responsibledisclosure
WehavecommunicatedourresultsandconcernstotheOpenVPNteam,andtovariouswebsiteowners,
browservendors,andTLSlibraries.Theyallacknowledgedtheissue,andareworkingonimplementing
countermeasures. The TLS vulnerability received CVE number CVE20162183, and the OpenVPN
vulnerabilityistrackedasCVE20166329.
OpenVPN2.3.12willdisplayawarningtouserswhochoosetouse64bitciphersandencouragethemto
transitiontoAES(ciphernegotiationisalsobeingimplementedinthe2.4branch).Itwillalsoimplementa
defaultrenegotiationlimitof64MBwhenusedinTLSmodeinafutureversion.A wiki entry provides
furtherdetails.
OpenSSL has moved 3DES ciphersuites from the HIGH category to MEDIUM in the 1.0.1 and 1.0.2
branches,andwilldisableitbydefaultintheupcoming1.1.0release.Theyhaveablogentrywithfurther
details.
Akamaiwillofferanoptionforwebserveradministratorstodrop3DESfromtheofferedciphers.

https://sweet32.info/

7/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

Applehasdisabled3DESonicloud.comandisrecommendingthatallitscustomersdisable3DESontheir
websites.
Currently, most browsers see about 1% of their connections using 3DES, and vendors consider this
numbertoohightosimplydisable3DESontheclientside,sincetoomanywebsiteswouldbebroken.So,
theyareinsteadconsideringimplementingdatalimitsperconnectiontoforcerekeying,oroffering3DES
ciphersuitesonlyinafallbacknegotiationifnoAESciphersuiteisacceptabletotheserver.
Mozillaisimplementingdatalimitsforallciphersuites.
Microsofthasremoved3DESfromtheFalseStartwhitelist.
Moredetailsaboutimplementedcountermeasureswillbeaddedtothiswebpageastheybecomeavailable.
OntheWeb
The attack has been mentionned on Threatpost, Ars Technica, Matthew Green's blog, Tom's hardware,
Softpedia,NakedSecurity,TheRegister,inira.fr,andZDnet.fr,amongothers....

FAQ
Whyis3DESstillusedwithamodernbrowser?
Becausemorethan1%ofthewebserversarepoorlyconfigured,andpreferusing3DESratherthanAES.
HowcanIcheckifmyserveriswellconfigured?
YoucanusethescanningtoolformQualysSSLLabs.Inthe"HandshakeSimulation"section,youshould
see3DESorRC4onlywithbrowsersthatdon'tsupportstrongerciphersuites,likeIE6/XPandIE8/XP.If
youhave3DESciphersuitesatthebottomofthe"CipherSuites"section,youcantrytoremovethem,but
it'snotanimmediatesecurityissue.Removing3DESwillprotectyouagainstpotentialdowngradeattack,
butitwillalsobreakconnectionsfromolderclients.
HowcanIfixmyserver'sconfiguration
YoucanfollowtheadvicefromMozilla,andtheirConfigurationgenerator.
I'musingBlowfish256,isitsafe?
No,theattackisindependentofthekeylength.ItworkonBlowfishwithanykeylength,andTripleDES
with3independentkeys(168bitsintotal).
WhySweet32?
It'sastupidpun,basedonthesweetsixteenbirthdaycelebration.Ourattackisabirthdayattack(takingits
namefromthebirthdayparadox)withcomplexity232.Youcouldalsosaythat232isthesweetspotwhere
attacksbecomepractical.

Aboutus
https://sweet32.info/

8/9

9/26/2016

Sweet32:Birthdayattackson64bitblockciphersinTLSandOpenVPN

WeareapairofresearchersfromINRIA,theFrenchnationalresearchinstituteforcomputerscience.You
can contact us at our email addresses: [FirstName].[LastName]@inria.fr (use our names without any
accents.)
KarthikeyanBhargavan
GatanLeurent

https://sweet32.info/

9/9