On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN

Abstract : While modern block ciphers, such as AES, have a block size of at least 128 bits, there are many 64-bit block ciphers, such as 3DES and Blowfish, that are still widely supported in Internet security protocols such as TLS, SSH, and IPsec. When used in CBC mode, these ciphers are known to be susceptible to collision attacks when they are used to encrypt around 2^32 blocks of data (the so-called birthday bound). This threat has traditionally been dismissed as impractical since it requires some prior knowledge of the plaintext and even then, it only leaks a few secret bits per gigabyte. Indeed, practical collision attacks have never been demonstrated against any mainstream security protocol, leading to the continued use of 64-bit ciphers on the Internet. In this work, we demonstrate two concrete attacks that exploit collisions on short block ciphers. First, we present an attack on the use of 3DES in HTTPS that can be used to recover a secret session cookie. Second, we show how a similar attack on Blowfish can be used to recover HTTP BasicAuth credentials sent over OpenVPN connections. In our proof-of-concept demos, the attacker needs to capture about 785GB of data, which takes between 19-38 hours in our setting. This complexity is comparable to the recent RC4 attacks on TLS: the only fully implemented attack takes 75 hours. We evaluate the impact of our attacks by measuring the use of 64-bit block ciphers in real-world protocols. We discuss mitigations, such as disabling all 64-bit block ciphers, and report on the response of various software vendors to our responsible disclosure of these attacks.
Type de document :
Communication dans un congrès
ACM CCS 2016 - 23rd ACM Conference on Computer and Communications Security, Oct 2016, Vienna, Austria. ACM, 〈https://www.sigsac.org/ccs/CCS2016/〉. 〈10.1145/2976749.2978423〉
Liste complète des métadonnées

Littérature citée [31 références]  Voir  Masquer  Télécharger

https://hal.inria.fr/hal-01404208
Contributeur : Gaëtan Leurent <>
Soumis le : lundi 28 novembre 2016 - 14:56:36
Dernière modification le : jeudi 26 avril 2018 - 10:27:56
Document(s) archivé(s) le : mardi 21 mars 2017 - 04:26:15

Fichier

SWEET32_CCS16.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

Collections

Citation

Karthikeyan Bhargavan, Gaëtan Leurent. On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN. ACM CCS 2016 - 23rd ACM Conference on Computer and Communications Security, Oct 2016, Vienna, Austria. ACM, 〈https://www.sigsac.org/ccs/CCS2016/〉. 〈10.1145/2976749.2978423〉. 〈hal-01404208〉

Partager

Métriques

Consultations de la notice

216

Téléchargements de fichiers

293