Sweet32 – Attacks on the TLS Record Protocol
21.4 Sweet32
SWEET32 [30] is a generic attack against block ciphers with a block size of 64 bits in CBC mode, such as DES or 3DES. However, it has special relevance for TLS because until TLS 1.1, 3DES was mandatory to implement for a TLS library, and TLS 1.2 still contains corresponding cipher suites.
21.4.1 The attack
Recall that in the CBC mode of some block cipher Fk, the i-th plaintext block Pi is encrypted as
If a large amount of plaintext is encrypted, there might be another plaintext block Pj that generates the same cipher block. Such an occurrence is called a collision. In this case, we have
Since Fk is a permutation (every block cipher is, otherwise decryption would be impossible), equal cipher blocks mean that the input blocks to Fk must have been the same:
or finally,
As the right-hand side is known, the attacker learns Pi ⊕Pj. This knowledge can be useful in these cases:
- If some secret information Pi, for example, an authentication cookie, is repeatedly sent by the victim
- If some portion Pj of the plaintext is known
These two conditions are usually fulfilled in HTTP requests. As we have learned in Chapter 11, Hash Functions and Message Authentication Codes, the birthday bound tells us that collisions between 64-bit blocks are to be expected after encrypting about 2^32 blocks. However, because not all plaintext blocks carry valuable information, according to [30] a practical attack on cookies requires about 2^35 blocks, which corresponds to 2^35 · 8 bytes = 256 GB of data. All of these blocks must be encrypted under the same key, so the attack needs a single long-lived TLS connection; closing the connection or rekeying resets the count. In order to generate the required large number of HTTPS requests to the target server, Mallory injects JavaScript into a page in the victim's browser that repeatedly issues requests to the target (each of which carries the victim's cookie) and captures the encrypted traffic on the network. In their proof-of-concept attack demo, the authors of [30] were able to recover a two-block cookie from 610 GB of HTTPS traffic, captured over 30.5 hours.
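The mechanics of the attack, as an added example that is not part of the book: a 16-bit toy Feistel cipher stands in for 3DES so that the birthday collision shows up after a few hundred blocks instead of about 2^32, while the CBC relation Ci = Fk(Pi ⊕ C_{i-1}) and the recovery step Pi = Pj ⊕ C_{i-1} ⊕ C_{j-1} are exactly those of the real attack. The traffic layout (one attacker-chosen block followed by the secret cookie block per request), the key, and the secret value are constructed for the demonstration.

```python
"""Sweet32 scaled down: a CBC ciphertext collision leaks P_i XOR P_j."""
import hashlib
import random

BLOCK_BITS = 16                 # 3DES and Blowfish use 64; scaled down for the demo
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 8
KEY = b"toy-demo-key"           # assumption: any fixed key will do for the demo


def _round_fn(half: int, key: bytes, rnd: int) -> int:
    """Keyed round function: first byte of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd]) + bytes([half])).digest()[0]


def toy_block_encrypt(block: int, key: bytes = KEY) -> int:
    """Feistel network over two 8-bit halves: a keyed permutation of 16-bit blocks.
    Being a permutation is all the collision argument needs from F_k."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(right, key, rnd)
    return (left << HALF_BITS) | right


def cbc_encrypt(blocks, iv: int, key: bytes = KEY) -> list:
    """Textbook CBC: C_i = F_k(P_i XOR C_{i-1}) with C_0 = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_block_encrypt(p ^ prev, key)
        out.append(prev)
    return out


def build_traffic(secret: int, n_requests: int, rng: random.Random):
    """Constructed sample traffic: each request is one block Mallory's JavaScript
    chose (so she knows it) followed by the victim's secret cookie block, whose
    position she knows but whose value she does not."""
    plaintext, known, secret_idx = [], {}, []
    for _ in range(n_requests):
        chosen = rng.getrandbits(BLOCK_BITS)
        known[len(plaintext)] = chosen
        plaintext.append(chosen)
        secret_idx.append(len(plaintext))
        plaintext.append(secret)
    return plaintext, known, secret_idx


def sweet32_recover(ciphertext, iv: int, known: dict, secret_idx):
    """Look for C_i == C_j with one block known and the other secret.  Because
    F_k is a permutation, P_i XOR C_{i-1} == P_j XOR C_{j-1}, so the secret is
    P_known XOR C_{known-1} XOR C_{secret-1}.  Returns (value, (j, i)) or (None, None)."""
    prev = lambda k: iv if k == 0 else ciphertext[k - 1]
    secrets, first_seen = set(secret_idx), {}
    for i, c in enumerate(ciphertext):
        j = first_seen.setdefault(c, i)
        if j == i:
            continue                                   # no collision yet for this value
        if i in secrets and j in known:
            return known[j] ^ prev(j) ^ prev(i), (j, i)
        if j in secrets and i in known:
            return known[i] ^ prev(i) ^ prev(j), (j, i)
    return None, None                                  # keep capturing traffic


def first_collision_index(ciphertext) -> int:
    """Index of the first repeated ciphertext block; the birthday bound puts it
    near 2**(BLOCK_BITS/2) blocks, i.e. around 2**32 for a 64-bit cipher."""
    seen = set()
    for i, c in enumerate(ciphertext):
        if c in seen:
            return i
        seen.add(c)
    return -1


def run_demo(seed: int = 1, n_requests: int = 2000, secret: int = 0xBEEF) -> dict:
    rng = random.Random(seed)
    iv = rng.getrandbits(BLOCK_BITS)
    plaintext, known, secret_idx = build_traffic(secret, n_requests, rng)
    ciphertext = cbc_encrypt(plaintext, iv)
    recovered, pair = sweet32_recover(ciphertext, iv, known, secret_idx)
    return {"secret": secret, "recovered": recovered, "collision": pair,
            "blocks": len(ciphertext), "first_repeat": first_collision_index(ciphertext)}


if __name__ == "__main__":
    r = run_demo()
    print(f"secret {r['secret']:#06x} recovered as {r['recovered']:#06x} from "
          f"collision {r['collision']} in {r['blocks']} blocks "
          f"(first repeated block at index {r['first_repeat']})")
```

Two things carry over unchanged to the 64-bit case: a collision between two secret blocks or two known blocks yields nothing, which is why the paper's 2^35 figure is above the plain 2^32 birthday bound, and the whole capture must be under one key, which is why the attack needs a connection that stays open for the entire capture.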
21.4.2 Countermeasures in TLS 1.3
TLS 1.3 defines no 3DES cipher suites at all, nor any other cipher with a 64-bit block, and it no longer uses the CBC mode either: all of its cipher suites are AEAD constructions such as the Galois Counter Mode (GCM), which provides encryption and message authentication in one (see Chapter 16, The Galois Counter Mode). For TLS 1.2 deployments, the practical countermeasure is the same: remove the 3DES (and any other 64-bit block cipher) suites from the server configuration, or, if one of them must be kept for legacy clients, make sure no single connection encrypts anywhere near 2^32 blocks under one key.
21.5 Compression-based attacks
Earlier in this chapter, we learned how error messages or timing behavior of Alice’s TLS implementation create a side channel providing information about the inner workings of the decryption process. Eve can, in turn, use this information to construct an oracle allowing her to compromise TLS security.
It turns out that lossless compression applied to the plaintext before encryption creates a similar side channel, because encryption hides the content of a message but not its length, and the length of compressed data depends on its content. In a nutshell, compression allows Eve to extract plaintext from an encrypted communication if she knows or can guess certain characteristics of the plaintext (for example, if she correctly guesses that some string s is present in the plaintext, the compressed and therefore the encrypted message becomes shorter).
Between 2012 and 2016, security researchers published four attacks on TLS – CRIME, TIME, BREACH, and HEIST – that exploit the compression side channel. To understand these attacks in depth, let’s first look at how some common lossless compression algorithms work.
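The mechanism all four attacks share, as an added example that is not from the book: a page contains a secret token and also reflects a string the attacker controls; if the reflected string is a correct guess of the token's next byte, the LZ77 stage of DEFLATE extends its back-reference by one byte and the compressed page shrinks. The sample page, the token, the alphabet, and the placement of the reflected string at the very end of the page are constructed for the demonstration; zlib's fixed-Huffman strategy (Z_FIXED) is used so that every correct byte shows up as exactly one byte of length difference; and encryption is left out, since a stream cipher or an AEAD mode preserves the plaintext length, so the compressed length is what Eve observes on the wire.

```python
"""Compression side channel: the compressed length of a page drops when an
attacker-supplied guess extends an LZ77 match against a secret in the page."""
import zlib

SECRET = b"7c41ab"                  # constructed sample token (hex alphabet)
ALPHABET = b"0123456789abcdef"
PREFIX = b"csrf_token="             # bytes that precede the token in the page


def build_response(secret: bytes, reflected: bytes) -> bytes:
    """Constructed sample page: a CSRF token in a link and the attacker's
    search term reflected at the very end, so a wrong guess has nothing
    after it that could start a new match of its own."""
    return (b"<html><body>\n"
            b'<a href="/account/delete?' + PREFIX + secret + b'">Delete account</a>\n'
            b"<p>No results for: " + reflected)


def deflate_fixed(data: bytes) -> bytes:
    """DEFLATE with fixed Huffman codes (zlib's Z_FIXED strategy): each ASCII
    literal costs exactly 8 bits, so a match that grows by one byte saves exactly
    one byte.  With the default dynamic codes the saving fluctuates around that."""
    co = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return co.compress(data) + co.flush()


def observed_length(reflected: bytes, secret: bytes = SECRET) -> int:
    """What Eve sees: the length of the compressed-then-encrypted response.
    Stream ciphers and AEAD modes preserve the length, so only compression
    is measured here."""
    return len(deflate_fixed(build_response(secret, reflected)))


def length_profile(known: bytes, alphabet: bytes = ALPHABET, oracle=observed_length) -> dict:
    """Observed length for every candidate next byte after the known prefix."""
    return {bytes([c]): oracle(PREFIX + known + bytes([c])) for c in alphabet}


def recover_token(length: int, alphabet: bytes = ALPHABET, oracle=observed_length) -> bytes:
    """Byte-by-byte recovery: the candidate that extends the match against the real
    token yields the shortest response; keep it and move on to the next position."""
    known = b""
    for _ in range(length):
        sizes = length_profile(known, alphabet, oracle)
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    for pos in range(len(SECRET)):
        known = SECRET[:pos]
        sizes = length_profile(known)
        print(f"known={known!r}: " + " ".join(f"{c.decode()}:{n}" for c, n in sizes.items()))
    print("recovered:", recover_token(len(SECRET)))
```

Each recovered byte costs as many observations as the alphabet has symbols, 16 · 6 = 96 here, instead of the 16^6 guesses a blind search would need. Real deployments use dynamic Huffman codes and, under CBC, pad the ciphertext to a block boundary, so the one-byte signal is noisier there; that is what the refinements in the attacks above are about.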