Introduction
SWEET32 is a cryptanalysis attack on block ciphers using 64-bit block sizes. The attack was discovered in 2016 by a team of researchers from INRIA, Microsoft Research, University College London and the University of Michigan. It affects many TLS implementations including OpenSSL and GnuTLS.
The principle of the attack: Drowning in a flood.
The most straightforward way to explain the attack is that it’s based on the fact that the CBC mode used by TLS 1.0 and TLS 1.1 is vulnerable to a padding oracle attack.
That means an attacker can cause the server to leak information about the plaintext of the encrypted data by sending it messages with invalid padding bytes (the same type of message that one would send in an HTTP request).
Attack Overview
What is the Sweet32 attack?
The SWEET32 attack is a side-channel attack that exploits a vulnerability in the CBC cipher mode, which is commonly used with TLS (HTTP over SSL). The SWEET32 attack demonstrates that 32 bits of every 64-bit block are predictable, thereby allowing an attacker to deduce the value of the remaining 32 bits. By exploiting this weakness, a malicious actor could decrypt information protected by SSL/TLS encryption protocols such as HTTPS.
How does it work?
The Sweet32 vulnerability works by predicting how many times an initialization vector (IV) — a random number generated by a client — will repeat itself before moving onto another IV. This allows an adversary to mount an effective brute force attack against encrypted connections. Take note that this type of brute-force approach cannot be prevented by increasing key lengths or cipher strength. However, there are mitigations available to help prevent these kinds of attacks from succeeding in today’s environment: Stronger key exchanges and perfect forward secrecy (PFS).
Reproducing the attack?
Simply put, SWEET32 is an attack that takes advantage of a vulnerability in the way 64-bit operating systems handle password hashing. In the past, this bug was not exploitable because it required an attacker to brute force every possible combination of 8 bytes.
However, as computers get faster and more powerful, it becomes easier for hackers to use GPUs (Graphics Processing Units) in consumer grade laptops in order to crack passwords using a technique known as “rainbow tables.” This method enables a hacker to precompute all possible hashes by scanning through all possible combinations of 8 characters instead of having to guess them one at a time.
Here is an example of decrypting encrypted data on a 2GB VM with a single processor.
When you learn about this vulnerability, you may assume it could be remediated by changing some settings and making sure the website is secure. But that’s not the case. This particular vulnerability requires a lot more work than that.
What level of impact is expected?
The CBC cipher suite is an encryption algorithm used by many websites today to ensure their security and keep people from accessing information they shouldn’t have access to—like passwords or banking information. Attackers can also recover authentication data from traffic, and usernames and passwords from VPN traffic, which is secured by Blowfish.
This issue has been actively exploited in-the-wild since 2016.
Implement long-term countermeasures by disabling CBC cipher suites and upgrading the algorithm
- Disable CBC cipher suites
- Upgrade to TLS 1.2 or higher
Your managed security provider or Atumcell can provide further guidance.
Conclusion
The attack is not a new method but rather an advanced approach that combines several existing methods. This attack technique can be used in many other attacks, because it does not require any special tools or hardware, and does not require a high level of knowledge about encryption algorithms.
About Atumcell
(Something about the company, its offerings, how to contact)
Additional Resources:
- https://sweet32.info/
- https://threatpost.com/openssl-patches-high-severity-ocsp-bug-mitigates-sweet32-attack/120845/
