A collision attack against 3DES called SWEET32 has been published [1]. The researchers were able to decrypt a session cookie by sending a large amount of data (785 GB) over a single SSL/TLS session. The requirements to conduct the attacks are:
We consider practical attacks on Airlock WAF based on SWEET32 not feasible.
Airlock WAF offers 3DES ciphers with the lowest priority. Therefore, only very old clients such as IE8 on Windows XP negotiate a 3DES cipher with Airlock WAF. Furthermore, by default Airlock WAF limits the number of requests on the same TCP connection to 500 and the maximum lifetime of a cached SSL session for SSL resumption to 2 hours. These restrictions limit the possibility of sending a large number of requests and a large amount of data on the same SSL/TLS connection. We consider these restrictions effective in preventing practical attacks based on SWEET32.
3DES ciphers are removed from the default cipher suite of Airlock WAF 6.1. This cipher suite no longer contains block ciphers with a block size smaller than 128 bits. This makes attacks like SWEET32 even less practical, because the amount of data needed to find a collision would be far too high.
No action is required.
To manually modify the SSL/TLS cipher suite of Airlock WAF and remove 3DES, please see the article ciphersuite-configuration.
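
As an added example (not part of the original advisory and not Airlock code), the Python code below flags suites that use a 64-bit block cipher in a list of configured cipher suite names, and applies the birthday approximation to show why the data volume per connection matters for 64-bit blocks but not for 128-bit blocks. The token list, the sample suite names, reading GB as 10^9 bytes and the 1 MiB-per-request figure are assumptions made for illustration.

```python
import math
import re

# Name fragments (OpenSSL and IANA style) of TLS ciphers with a 64-bit block.
# Assumption: this list covers DES, 3DES, IDEA and RC2 only.
SMALL_BLOCK_TOKENS = {"DES", "3DES", "CBC3", "IDEA", "RC2"}


def small_block_ciphers(suites):
    """Return the suite names that use a 64-bit block cipher."""
    flagged = []
    for name in suites:
        tokens = set(re.split(r"[-_]", name.upper()))
        if tokens & SMALL_BLOCK_TOKENS:
            flagged.append(name)
    return flagged


def collision_probability(data_bytes, block_bits):
    """Birthday approximation: chance of at least one ciphertext block
    collision after encrypting data_bytes under a single key."""
    blocks = data_bytes / (block_bits // 8)
    return -math.expm1(-blocks * (blocks - 1) / 2 ** (block_bits + 1))


# Constructed sample configuration, not taken from any Airlock WAF release.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES256-SHA",
    "IDEA-CBC-SHA",
]

if __name__ == "__main__":
    print("64-bit block suites:", small_block_ciphers(SAMPLE_SUITES))
    published = 785e9  # 785 GB from the advisory, read as 10**9 bytes
    print("785 GB, 64-bit block :", collision_probability(published, 64))
    print("785 GB, 128-bit block:", collision_probability(published, 128))
    # 500 requests per connection (default limit above) at an assumed
    # average of 1 MiB transferred per request.
    capped = 500 * 2 ** 20
    print("capped connection, 64-bit:", collision_probability(capped, 64))
```

An empty result from `small_block_ciphers` for the configured suite list corresponds to the state described for the Airlock WAF 6.1 default cipher suite.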