Paper 2016/798

On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN

Karthikeyan Bhargavan and Gaëtan Leurent

Abstract

While modern block ciphers, such as AES, have a block size of at least 128 bits, there are many 64-bit block ciphers, such as 3DES and Blowfish, that are still widely supported in Internet security protocols such as TLS, SSH, and IPsec. When used in CBC mode, these ciphers are known to be susceptible to collision attacks when they are used to encrypt around $2^{32}$ blocks of data (the so-called birthday bound). This threat has traditionally been dismissed as impractical since it requires some prior knowledge of the plaintext and even then, it only leaks a few secret bits per gigabyte. Indeed, practical collision attacks have never been demonstrated against any mainstream security protocol, leading to the continued use of 64-bit ciphers on the Internet. In this work, we demonstrate two concrete attacks that exploit collisions on short block ciphers. First, we present an attack on the use of 3DES in HTTPS that can be used to recover a secret session cookie. Second, we show how a similar attack on Blowfish can be used to recover HTTP BasicAuth credentials sent over OpenVPN connections. In our proof-of-concept demos, the attacker needs to capture about 785GB of data, which takes between 19-38 hours in our setting. This complexity is comparable to the recent RC4 attacks on TLS: the only fully implemented attack takes 75 hours. We evaluate the impact of our attacks by measuring the use of 64-bit block ciphers in real-world protocols. We discuss mitigations, such as disabling all 64-bit block ciphers, and report on the response of various software vendors to our responsible disclosure of these attacks.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. ACM CCS 2016
DOI
10.1145/2976749.2978423
Keywords
OpenVPNTLSHTTPSCBCcollision attack
Contact author(s)
gaetan leurent @ gmail com
History
2018-12-08: revised
2016-08-24: received
See all versions
Short URL
https://ia.cr/2016/798
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/798,
      author = {Karthikeyan Bhargavan and Gaëtan Leurent},
      title = {On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN},
      howpublished = {Cryptology ePrint Archive, Paper 2016/798},
      year = {2016},
      doi = {10.1145/2976749.2978423},
      note = {\url{https://eprint.iacr.org/2016/798}},
      url = {https://eprint.iacr.org/2016/798}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.