Researchers present new attack on encryption algorithms 3DES and Blowfish

Spread the love

Two researchers from the French government agency Inria have found an attack called ‘Sweet32’ on the encryption algorithms 3DES and Blowfish. This makes it possible, for example, to find out authentication cookies for https connections.

The scientists tell Threatpost that it is not a massive attack that affects the entire internet, but that it is a signal to get rid of 3DES and Blowfish, as happened earlier with RC4. Researchers Gaëtan Leurent and Karthikeyan Bhargavan say the attack is related to the fact that sometimes collisions occur when using cbc in encryption. This is a mode in which a block of unencrypted data performs an xor operation on the preceding block of encrypted data. These collisions can eventually lead to the discovery of the clear text of an encrypted message. Until now, however, these types of attacks have not been practical, the researchers write.

3DES and Blowfish, whose block size is 64bit, are used to secure https traffic and OpenVPN connections, respectively. They also occur in tls, ssh and ipsec. In addition, 3DES is found in about one to two percent of the most popular Alexa sites. According to the researchers, this is still a large number. An attack on such a secure connection could be carried out by luring a victim to a malicious site and injecting javascript into the browser. As a result, a large number of requests are sent to a site, where the victim is logged in with an authentication cookie. After sending and receiving 232 requests, the attacker can retrieve the authentication cookie with a man-in-the-middle position.

To actually retrieve a cookie, the amount of traffic needed would be about 785GB. The scientists in the test set-up were able to cope with this within 19 to 38 hours. The researchers argue that getting rid of Blowfish and 3DES is the best way to defend against such an attack. For example, there are better encryption algorithms that can be used for the same purposes, for example AES that uses a block size of 128bit. According to Threatpost, OpenSSL and OpenVPN will move away from 3DES and Blowfish, respectively, in the coming days, in response to the investigation. For example, 3DES is given a security rating of ‘average’ and the algorithm has to be switched on manually.

The scientists plan to present their research at the ACM computer and communications security conference in Vienna in October.

Man-in-the-middle position, image via sweet32.info

You might also like
Exit mobile version