Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

140 points, by pedro84, over 8 years ago

8 comments

CiPHPerCoder, over 8 years ago

To put this in context: You should have been avoiding 64-bit block ciphers to begin with.

https://gist.github.com/tqbf/be58d2d39690c3b366ad

Furthermore, as the article says from the get-go, birthday attacks are not new. They are a known problem.

What's new is someone wrote a paper describing a practical attack, and actually bothered to generate enough traffic to exploit the birthday bound of a 64-bit block cipher.

Your takeaway from this should be:

 - If it's not AES or CHACHA20, disable it.
 - If it's not AES_GCM or CHACHA20_POLY1305, consider disabling it.

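Added example, not part of any comment in this thread: the two-line takeaway above applied as an audit over cipher and cipher-suite names. The function names, the `BLOCK64` set and the sample list are constructed for illustration; `ssl.create_default_context().get_ciphers()` is the standard-library call used to list what the local Python enables.

```python
import re
import ssl

# Ciphers with a 64-bit block, the class Sweet32 applies to (OpenSSL, IANA
# and OpenVPN spellings; DES-CBC3 and DES-EDE3 both tokenize to "DES").
BLOCK64 = {"DES", "3DES", "IDEA", "RC2", "BF", "BLOWFISH"}


def classify(suite):
    """Return (verdict, reason) for one cipher or cipher-suite name."""
    tokens = set(re.split(r"[-_]", suite.upper()))
    has_aes = any(t.startswith("AES") for t in tokens)
    has_chacha = "CHACHA20" in tokens
    if not (has_aes or has_chacha):
        reason = "64-bit block cipher" if tokens & BLOCK64 else "not AES or CHACHA20"
        return "disable", reason
    if (has_aes and "GCM" in tokens) or (has_chacha and "POLY1305" in tokens):
        return "keep", "AES_GCM or CHACHA20_POLY1305"
    return "consider disabling", "AES or CHACHA20 without GCM/POLY1305"


def audit(suites):
    """Group names by verdict, preserving input order within each group."""
    report = {"disable": [], "consider disabling": [], "keep": []}
    for name in suites:
        verdict, reason = classify(name)
        report[verdict].append((name, reason))
    return report


# Constructed sample input: a mix of TLS suite names and OpenVPN cipher names.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "BF-CBC",
    "RC4-SHA",
]

if __name__ == "__main__":
    # Audit the sample, then whatever this Python's default TLS context enables.
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    for title, names in (("sample", SAMPLE), ("local default context", local)):
        print(f"== {title}")
        for verdict, hits in audit(names).items():
            for name, reason in hits:
                print(f"{verdict:18}  {name}  ({reason})")
```

The classifier follows the comment's rule literally, so AEAD modes it does not name (for example AES-CCM) land in "consider disabling".
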
pedro84, over 8 years ago

From the article: "But the take-away is this: triple-DES should now be considered as “bad” as RC4."

OpenSSL developer Mark Cox says: "tldr: "Low", Don't Panic!" https://twitter.com/iamamoose/status/768431734547484672

The researcher site is https://sweet32.info/

And RedHat has a nice writeup as well: https://access.redhat.com/articles/2548661

qwertyuiop924, over 8 years ago

Who's still using 3DES? That should already be a shooting offense anywhere where security matters.

rasz_pl, over 8 years ago

TLDR: ~800GB sniffed in one session to perform the attack. Only practical if you never log off your torrent VPN.

erichocean, over 8 years ago

At what point does using TLS become malpractice? At what point does any software that links to OpenSSL become immediately suspect?

And TLS as deployed isn't secure even when it works whenever you don't trust the certificate authorities. Which is always.

Yes, I get that these are mega standards/libraries with a gazillion knobs, some of which are secure. But maybe kitchen sink crypto isn't the way to go? When will we say enough is enough and do something about it? For my part, I switched to using NaCl with public key pinning a few years ago and haven't looked back.

/sigh

Panino, over 8 years ago

Yet another example of key size not being the only thing to consider.

Also: OpenVPN's default cipher is Blowfish? That would have been a great choice 20 years ago, but not now. It shouldn't even be supported in 2016.

yalogin, over 8 years ago

Why did OpenSSL only disable TDES and not Blowfish?

dang, over 8 years ago

We changed the URL from https://www.openssl.org/blog/blog/2016/08/24/sweet32/ to this post because it seems more explanatory.

There's also http://blog.cryptographyengineering.com/2016/08/attack-of-week-64-bit-ciphers-in-tls.html, via https://news.ycombinator.com/item?id=12353314.