Overview

The Sweet32 attack is a birthday attack on 64-bit block ciphers in TLS and OpenVPN. Cryptographic protocols such as TLS commonly use block cipher algorithms, such as the Advanced Encryption Standard (AES), to encrypt data between clients and servers. These algorithms divide the data into fixed-length chunks called blocks, and each block is processed in turn according to the mode of operation.

It has been proved that most modes of operation are secure only up to about 2^(n/2) blocks of plaintext (where n is the block size in bits), a limit commonly called the birthday bound. In Cipher Block Chaining (CBC) mode, the probability of a collision becomes significant after 2^(n/2) blocks because of the birthday paradox. A short block size therefore makes a block cipher vulnerable to birthday attacks even when no cryptanalytic attack against the cipher itself is known.

In a simple birthday attack against CBC, a collision between two ciphertext blocks is expected after 2^(n/2) blocks have been encrypted under the same key, whether in a single message or across many messages. Because the block cipher is a permutation, equal ciphertext blocks mean that the inputs to the cipher were equal; in CBC that input is the plaintext block XORed with the previous ciphertext block, so the collision reveals the XOR of two plaintext blocks and divulges secret information.
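The following is an added example, not code from this page or its product, that puts numbers on the birthday bound above and shows in a toy model why a CBC collision leaks plaintext: a random 16-bit permutation stands in for a block cipher under one fixed key, the plaintext is constructed random data, and the function names are assumed here.

```python
import math
import random

def birthday_bound_blocks(block_bits):
    """Blocks after which CBC collisions become likely under one key: 2^(n/2)."""
    return 2 ** (block_bits // 2)

def collision_probability(block_bits, num_blocks):
    """Birthday approximation: P(at least one equal pair among num_blocks n-bit blocks)."""
    return -math.expm1(-(num_blocks ** 2) / (2.0 ** (block_bits + 1)))

def make_toy_cipher(block_bits, seed):
    """Toy model: a seeded random permutation on n-bit values stands in for E_k."""
    table = list(range(1 << block_bits))
    random.Random(seed).shuffle(table)
    return table.__getitem__

def cbc_encrypt(enc, iv, plaintext_blocks):
    """Textbook CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV."""
    prev, out = iv, []
    for p in plaintext_blocks:
        prev = enc(p ^ prev)
        out.append(prev)
    return out

def find_collision_leak(iv, plaintext_blocks, ciphertext_blocks):
    """First pair i < j with C_i == C_j. E is a permutation, so P_i ^ C_{i-1} == P_j ^ C_{j-1},
    hence the ciphertext-only value C_{i-1} ^ C_{j-1} equals the secret P_i ^ P_j."""
    seen = {}
    chain = [iv] + ciphertext_blocks          # chain[k] is the block XORed into P_k
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            i = seen[c]
            leaked = chain[i] ^ chain[j]      # computable by anyone holding the ciphertext
            actual = plaintext_blocks[i] ^ plaintext_blocks[j]
            return i, j, leaked, actual
        seen[c] = j
    return None

def demo(block_bits=16, num_blocks=2000, seed=7):
    """Encrypt constructed random plaintext with the 16-bit toy cipher, far past its 2^8-block bound."""
    rng = random.Random(seed)
    enc = make_toy_cipher(block_bits, seed)
    iv = rng.getrandbits(block_bits)
    pts = [rng.getrandbits(block_bits) for _ in range(num_blocks)]
    return find_collision_leak(iv, pts, cbc_encrypt(enc, iv, pts))

if __name__ == "__main__":
    print("64-bit bound:", birthday_bound_blocks(64), "blocks =", birthday_bound_blocks(64) * 8 // 2 ** 30, "GiB")
    print("P(collision) at 2^32 blocks, n=64:", round(collision_probability(64, 2 ** 32), 3))
    print("P(collision) at 2^32 blocks, n=128:", collision_probability(128, 2 ** 32))
    print("toy CBC collision (i, j, leaked_xor, true_xor):", demo())
```

For a 64-bit block the same bound is 2^32 blocks, i.e. 32 GiB under one key, while a 128-bit block keeps the collision probability negligible at that volume, which is the quantitative reason behind the precautions below.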

Precaution Against Sweet32 Attack

To protect confidential information from the SWEET32 birthday attack, stop using legacy 64-bit block ciphers. Web servers should be configured to prefer 128-bit block ciphers: weak ciphers such as RC4, DES, and so on must be disabled in the SSL configuration, and strong ciphers such as AES must be enabled. Refer to TLS for Signaling for additional information about ciphers.
