Overview

The Sweet32 attack is a birthday attack on 64-bit block ciphers as used in TLS and OpenVPN. Cryptographic protocols such as TLS commonly use block cipher algorithms, such as the Advanced Encryption Standard (AES) or the Triple Data Encryption Algorithm (Triple-DES), to encrypt data between clients and servers. These algorithms divide the data into fixed-length chunks, called blocks, and each block is encrypted according to a mode of operation.

It is proven that most modes of operation are secure up to 2^(n/2) blocks of plaintext (where n is the block size in bits), a limit commonly called the birthday bound. In Cipher Block Chaining (CBC) mode, the probability of a collision becomes significant after 2^(n/2) blocks because of the birthday paradox. A short block size therefore makes a block cipher vulnerable to birthday attacks even when there is no cryptanalytic attack against the block cipher itself.

In a simple birthday attack against CBC, after 2^(n/2) message blocks have been encrypted with the same key (in the same message or in different messages), a collision between two ciphertext blocks is expected. A collision in the output means that the inputs to the block cipher were the same, which divulges secret information about the plaintext.
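The birthday bound described above, worked through as an added example that is not part of the original page: the first functions compute 2^(n/2) for 64-bit and 128-bit block ciphers and the collision probability for a given number of blocks; the rest simulates CBC with a constructed 16-bit toy permutation (an assumption standing in for a real cipher, chosen so that a collision appears within a few hundred blocks) to show exactly what a ciphertext collision divulges. It goes one step beyond the text by making the leaked relation explicit: when C_i equals C_j, an observer of the ciphertext learns P_i XOR P_j = C_{i-1} XOR C_{j-1}.

```python
import math
import random

# --- The birthday bound for an n-bit block cipher --------------------------

def birthday_bound_blocks(block_bits):
    """Blocks encrypted under one key after which a collision is expected: 2^(n/2)."""
    return 2 ** (block_bits // 2)

def birthday_bound_bytes(block_bits):
    """The same bound expressed as bytes of plaintext under one key."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)

def collision_probability(block_bits, num_blocks):
    """Probability of at least one repeated n-bit ciphertext block among
    num_blocks effectively random blocks: 1 - exp(-k(k-1) / (2 * 2^n))."""
    exponent = -(num_blocks * (num_blocks - 1)) / (2.0 * 2.0 ** block_bits)
    return -math.expm1(exponent)

# --- Toy CBC simulation (constructed; not a real cipher) -------------------

TOY_BLOCK_BITS = 16  # small on purpose so a collision appears quickly

class ToyBlockCipher:
    """Keyed random permutation of the 2^16 block values. It has no
    cryptographic weakness of its own; the only thing that matters here
    is the short block length, exactly as with 64-bit Triple-DES."""
    def __init__(self, key):
        self.table = list(range(1 << TOY_BLOCK_BITS))
        random.Random(key).shuffle(self.table)

    def encrypt_block(self, block):
        return self.table[block]

def cbc_encrypt(cipher, iv, plaintext_blocks):
    """Standard CBC: C_i = E(P_i XOR C_{i-1}) with C_{-1} = IV."""
    prev, out = iv, []
    for p in plaintext_blocks:
        c = cipher.encrypt_block(p ^ prev)
        out.append(c)
        prev = c
    return out

def find_first_collision(ciphertext_blocks):
    """Indices (i, j), i < j, of the first repeated ciphertext block, or None."""
    seen = {}
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            return seen[c], j
        seen[c] = j
    return None

def leaked_plaintext_xor(iv, ciphertext_blocks, i, j):
    """C_i == C_j means the cipher inputs were equal: P_i ^ C_{i-1} == P_j ^ C_{j-1}.
    Rearranged, P_i ^ P_j == C_{i-1} ^ C_{j-1}, which is computed from
    ciphertext alone; this is the secret information the collision divulges."""
    prev_i = iv if i == 0 else ciphertext_blocks[i - 1]
    prev_j = iv if j == 0 else ciphertext_blocks[j - 1]
    return prev_i ^ prev_j

def simulate(seed=1, num_blocks=4096):
    """Encrypt num_blocks random plaintext blocks under one key and report the
    first collision together with the plaintext XOR it reveals."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(key=seed)
    iv = rng.getrandbits(TOY_BLOCK_BITS)
    plaintext = [rng.getrandbits(TOY_BLOCK_BITS) for _ in range(num_blocks)]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    hit = find_first_collision(ciphertext)
    if hit is None:
        return None
    i, j = hit
    return {
        "blocks_until_collision": j + 1,
        "leaked_xor": leaked_plaintext_xor(iv, ciphertext, i, j),
        "true_xor": plaintext[i] ^ plaintext[j],
    }

if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit blocks: collision expected after 2^{bits // 2} blocks "
              f"= {birthday_bound_bytes(bits) / 2**30:.0f} GiB under one key")
    print("P(collision) for 2^32 64-bit blocks:",
          round(collision_probability(64, 2**32), 3))
    print("toy CBC run:", simulate())
```

For a 64-bit block cipher the bound is 2^32 blocks, which is only 32 GiB of data under one key; for a 128-bit block cipher it is 2^64 blocks, far beyond any practical session. The simulation confirms that the XOR recovered purely from the ciphertext matches the XOR of the two plaintext blocks, which is why a short block length alone is enough for the attack even with a perfectly sound cipher.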

Using malicious JavaScript, a network attacker can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website, and can recover secure HTTP cookies by capturing around 785 GB of traffic in less than two days.

Precaution Against Sweet32 Attack

To protect confidential information from the critical Sweet32 birthday attack vulnerability, stop using legacy 64-bit block ciphers; it is highly recommended that web servers be configured to prefer 128-bit block ciphers. Weak ciphers such as RC4, DES, 3DES, and so on must be disabled in the SSL configuration, and strong ciphers such as AES must be enabled.
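One way to check that recommendation, as an added example that is not from the original page or from Sonus: a small Python audit that classifies cipher-suite names by the weak ciphers the page lists (DES, 3DES and RC4; IDEA, RC2 and Blowfish are also 64-bit block ciphers and are included) and then asks the local OpenSSL which suites a hardened cipher string actually enables. The sample offered list is constructed for illustration, the cipher-string syntax is OpenSSL's, and the hardened string is one suggested configuration, not a Sonus setting.

```python
import re
import ssl

# Cipher-name tokens that identify 64-bit block ciphers (Sweet32-relevant)
# plus RC4, which the page also lists as weak. Names are matched by token
# so that "AES" is never mistaken for "DES".
WEAK_TOKENS = {"DES", "3DES", "IDEA", "RC2", "BF", "RC4"}

def is_weak_cipher(name):
    """True if an OpenSSL- or IANA-style suite name uses a weak cipher."""
    return any(tok in WEAK_TOKENS for tok in re.split(r"[-_]", name.upper()))

def audit_cipher_names(names):
    """Split suite names into (keep, disable) lists, preserving order."""
    keep, disable = [], []
    for name in names:
        (disable if is_weak_cipher(name) else keep).append(name)
    return keep, disable

# Constructed sample of what a legacy server might offer.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "AES256-SHA",
]

# Suggested hardened OpenSSL cipher string (an assumption, not a Sonus setting):
# strong suites only, with every 64-bit block cipher and RC4 excluded explicitly.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!3DES:!DES:!RC4:!RC2:!IDEA:!MD5"

def enabled_ciphers(cipher_string):
    """Return the suite names the local OpenSSL actually enables for a cipher
    string; an empty list if the string matches nothing on this build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def verify_hardened(cipher_string=HARDENED_CIPHER_STRING):
    """Audit what the cipher string enables; returns the weak suites still
    present (expected: none)."""
    _, disable = audit_cipher_names(enabled_ciphers(cipher_string))
    return disable

if __name__ == "__main__":
    keep, disable = audit_cipher_names(SAMPLE_OFFERED)
    print("disable:", disable)
    print("keep:   ", keep)
    print("weak suites left by hardened string:", verify_hardened())
```

Excluding the weak ciphers by name rather than relying on the HIGH alias alone matters because different OpenSSL releases place 3DES in different strength groups; verifying the enabled list afterwards, rather than trusting the string, is the check to keep in a deployment test.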

Note

Sonus has completely removed DES-CBC3-SHA from the list of ciphers accepted for TLS 1.0, TLS 1.1, and TLS 1.2. Selecting any of these profiles for EmaTlsProfile from the CLI or EMA will not enable the DES-CBC3-SHA cipher. If there are any connection issues, it is recommended to upgrade the browser.