OpenVPN 2.3.12 comes with a warning about Blowfish weaknesses and secure configuration advice for dealing with Sweet32. OpenSSL 1.0.2 and 1.0.1 will move 3DES from the HIGH keyword to the MEDIUM keyword and support it by default, while the newer OpenSSL 1.1.0 will no longer compile the cipher as part of the default build. Administrators wanting to use the legacy cipher in OpenSSL 1.1.0 will need to use the enable-weak-ssl-ciphers configuration option, and even then, the cipher is allowed only in the MEDIUM keyword. Major browser makers are making changes that would prioritize more secure ciphers over 3DES.
The techniques and principles used to craft the attack are well-understood in cryptographic circles. The researchers reduced the complexity and time needed to execute the attack.
"While the principles behind this attack are well known, there's always a difference between attacks in principle and attacks in practice. What this paper shows is that we really need to start paying attention to the practice," wrote Matthew Green, cryptography expert and professor at Johns Hopkins University.
Enterprises and developers should treat 3DES and Blowfish in the same way they treat RC4: stop using them. The complexity of Sweet32 is comparable to recently developed attacks against RC4, the researchers said. Researchers developing more ways to attack RC4 sped up its deprecation. Major web browsers no longer support RC4, and major websites such as Gmail have entirely deprecated the cipher.
Developers should stop using legacy 64-bit block ciphers altogether. In the case of Sweet32, that means disabling the Triple DES symmetric key cipher in TLS and retiring Blowfish in OpenVPN. Ciphers with larger block sizes, such as AES, are immune to Sweet32. Server administrators can also disable shorter ciphers entirely. This would affect a small number of users who are still relying on older hardware and software.
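An added example (not from the article or from the OpenSSL or OpenVPN projects): a Python audit that flags 64-bit block ciphers in a TLS suite list, in a Python ssl context, and in an OpenVPN config. The function names and sample inputs are constructed for illustration; the token list goes beyond 3DES and Blowfish to other 64-bit ciphers, and a config with no cipher directive is reported as BF-CBC, the OpenVPN 2.3 default.

```python
import re
import ssl

# Name tokens of 64-bit block ciphers. 3DES and Blowfish are the two the
# article names; DES, DESX, IDEA, RC2 and CAST5 share the same block size.
BLOCK64_TOKENS = {"3DES", "DES", "DESX", "BF", "BLOWFISH", "IDEA", "RC2", "CAST5"}

def is_64bit_block(cipher_name):
    """True if an OpenSSL, IANA or OpenVPN cipher name uses a 64-bit block cipher."""
    return bool(BLOCK64_TOKENS & set(re.split(r"[-_]", cipher_name.upper())))

def audit_tls_names(names):
    """Return the suite names in `names` that Sweet32 applies to."""
    return [n for n in names if is_64bit_block(n)]

def audit_ssl_context(ctx):
    """Audit the suites a Python ssl.SSLContext is configured to offer."""
    return audit_tls_names(c["name"] for c in ctx.get_ciphers())

def audit_openvpn_config(text):
    """Return (line_number, cipher) for each 64-bit `cipher` directive.

    Line number 0 means no `cipher` directive was found, in which case
    OpenVPN 2.3 falls back to its built-in default, BF-CBC.
    """
    findings, seen = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "cipher":
            seen = True
            if is_64bit_block(fields[1]):
                findings.append((lineno, fields[1]))
    return findings if seen else [(0, "BF-CBC")]

# Constructed sample inputs (not taken from a real server).
SAMPLE_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA",
                 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_AES_256_GCM_SHA384"]
SAMPLE_OVPN = "port 1194\nproto udp\n# cipher AES-256-CBC\ncipher BF-CBC\n"

if __name__ == "__main__":
    print(audit_tls_names(SAMPLE_SUITES))
    print(audit_openvpn_config(SAMPLE_OVPN))
    hardened = ssl.create_default_context()
    hardened.set_ciphers("DEFAULT:!3DES:!DES:!IDEA")  # corrected setting
    print(audit_ssl_context(hardened))
```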
There is no need to wait until the attacks are easy and cheap to execute to get rid of weak and vulnerable cryptographic ciphers. Just as there is a concerted effort to ditch RC4, other 64-bit ciphers also need to go.