SWEET32: Birthday attacks against TLS ciphers with 64bit block size (CVE-2016-2183)

Updated -

Overview

Red Hat Product Security has been made aware of an issue with block ciphers within the SSL/TLS protocols that under certain configurations could allow a collision attack. This issue has been rated as Moderate and is assigned CVE-2016-2183. This issue requires no updates or action for users of Red Hat products at this time. Please see the Resolution section below for more details.

Background

Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of SSL/TLS protocol support cipher suites which use 3DES as the symmetric encryption cipher are affected (for example ECDHE-RSA-DES-CBC3-SHA). In the versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7, DES-based ciphersuites are listed below the ones which support AES-128 (with PFS ciphersuite) and AES-256. This means that DES cipher will be chosen only when the server explicitly disables AES-128 and AES-256. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, DES-based ciphersuites are listed below AES-256, but above AES-128. In such cases DES will be chosen only when the server explicitly disables AES-256 based ciphersuite.

The Security of a block cipher depends on the key size (k). Therefore the best attack against a block cipher is the exhaustive key search attack which has a complexity of 2k. However when block ciphers are used to encrypt large amounts of data using modes of encryption such as CBC, the block size (n) also plays a bit part in determining its security.

When CBC mode of encryption is used, there is simple birthday attack in which after 2n/2 blocks of data are encrypted with the same key, a collision between two ciphers blocks are expected. A collision in the output would mean that the input is same. This data combined with several conditions (discussed below) can be used to extract plain text of the encrypted data.

Practicality of the attack

  1. Firstly DES/3DES is the only cipher used in SSL/TLS which has a block size of 64 bits. As discussed in the summary, ciphersuites containing 3DES are prioritized below other ciphersuites (AES-128 for example).

  2. To run the attack on 64 bit block ciphers, at least 32GB of data needs to be captured on the wire. In case of SSL/TLS this would mean from a single SSL/TLS session. (For all new sessions, SSL/TLS renegotiates the symmetric keys). Therefore long lived https connections could be vulnerable.

  3. In many contexts, recovering only the xor between two plain text blocks is not sufficient for an attack with a practical impact. However, an attack can be mounted when the following conditions are fulfilled:

    • A fixed secret is sent repeatedly;

    • Some fraction of the plain text is known.

  4. The proof of concept attack mentioned in the research paper, assumes some authentication token is passed between the server and client for all of its communications (token could be a cookie of credentials used in basic authentication). The attacker then runs a malicious JavaScript in the origin of the website which is being attacked. A BEAST kind of attack can then be used to extract the cookie.

Mitigations

  1. SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so.
  2. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuites should not be disabled on the server.
  3. Servers using OpenSSL, should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES-based ciphersuites.
  4. Disable 3DES. This can be achieved for Apache httpd by setting: SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

Resolution

  1. This flaw is related to the design of the DES/3DES cipher and is not an implementation flaw.
  2. This flaw does not directly affect any cryptographic libraries (OpenSSL, NSS and GnuTLS) in Red Hat Enterprise Linux 5, 6 and 7, since there are several stronger ciphersuites, which are placed higher than 3DES in the default cipher list configurations.
  3. For Red Hat Enterprise Linux 5, do not disable AES-256-based ciphersuites on the server. For Red Hat Enterprise Linux 6 and 7, do not disable AES-128 or AES-256-based ciphersuites on the server.
  4. It is advised to completely disable DES/3DES ciphers to avoid scenarios in which malicious clients can only offer vulnerable ciphers during TLS handshake.

Upstream Security fixes:

OpenSSL:

OpenSSL have rated this as a 'low' severity security issue. They have moved 3DES ciphersuites from the HIGH category to MEDIUM in the 1.0.2 branch, and will disable it by default in an upcoming release.

NSS:

Mozilla is implementing data limits for all ciphersuites.

Related Issues

Upstream OpenVPN is also susceptible to the Sweet32 attack and is being tracked by CVE-2016-6329. Red Hat's implementation of OpenVPN is not affected by this flaw.

References

https://access.redhat.com/security/cve/CVE-2016-2183
https://sweet32.info/

Comments