Reference Guide
4 SSL/TLS Communications
RSA BSAFE SSL-J 6.2.6 Security Best Practices Guide
Sweet32: Birthday Attack
The Sweet32 birthday attack is a vulnerability that affects cipher suites which use DES or Triple-DES as the symmetric encryption cipher.
A block cipher's security primarily depends on the key size, k, where a larger key provides a higher security strength. However, the block size, n, must also be considered when encrypting a large amount of data with the same key using a mode of encryption such as CBC.
Under certain conditions, legacy block ciphers that have a block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode. All versions of the SSL/TLS protocol that support cipher suites which use DES or Triple-DES as the symmetric encryption cipher are affected, for example ECDHE-RSA-DES-CBC3-SHA.
When CBC mode of encryption is used, there is a simple birthday attack: after 2^(n/2) blocks (32 GB of data for a 64-bit block size) are encrypted with the same key, a collision between two ciphertext blocks is expected. A collision in the output means that the corresponding inputs to the block cipher are the same. From a TLS point of view, this means long-lived HTTPS connections using DES or Triple-DES cipher suites might be vulnerable to this type of attack. To exploit the birthday collision, it must be combined with the following conditions; it can then be used to extract plain text from the encrypted data.
• The 32 GB of data required must be read from the same session, because SSL/TLS renegotiates the symmetric keys when creating a new session.
• One of the following:
– A fixed secret is sent repeatedly.
– Some fraction of the plain text is already known.
How to Help Prevent the Attack
To help prevent the Sweet32 birthday attack, complete one or more of the following:
• Ensure SSL/TLS configurations only use AES as the symmetric encryption algorithm in the cipher suite. Do not use DES or Triple-DES.
• Implement data limits for the DES and Triple-DES cipher suites so the session is terminated before the 32 GB requirement is reached.
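The following is an added example (not SSL-J code) that works through the 2^(n/2) birthday bound described above and the two mitigations listed: it computes the data limit from the block size, filters DES and Triple-DES suites out of a cipher-suite list by name, and enforces a per-session byte budget that trips well before the 32 GB bound. The suite names and the 1/32 safety fraction are assumptions chosen for illustration.

```python
"""Sweet32 helpers: birthday bound, cipher-suite policy and session data limit.
Added example; it is not part of the SSL-J library or its documentation."""

# Block sizes in bits for the ciphers named on the page, plus AES for contrast.
BLOCK_BITS = {"DES": 64, "3DES": 64, "AES": 128}


def birthday_bound_bytes(block_bits: int) -> int:
    """Bytes after which a ciphertext-block collision is expected under one key:
    2^(n/2) blocks of n/8 bytes each. For n = 64 this is 2^32 * 8 = 32 GiB."""
    blocks = 2 ** (block_bits // 2)
    return blocks * (block_bits // 8)


def uses_64bit_block(cipher_suite: str) -> bool:
    """True if an OpenSSL-style or IANA-style suite name uses DES or Triple-DES.
    Matches DES-CBC, DES-CBC3 and 3DES_EDE; AES and ChaCha20 names do not match."""
    return "DES" in cipher_suite.upper()


def filter_suites(suites):
    """Return only the suites that do not use a 64-bit block cipher."""
    return [s for s in suites if not uses_64bit_block(s)]


class SessionDataLimit:
    """Counts bytes encrypted under one session key and reports when the
    session must be closed (or renegotiated) before the birthday bound.
    safety_fraction is an assumed margin: 1/32 of 32 GiB is 1 GiB for DES/3DES."""

    def __init__(self, block_bits: int, safety_fraction: float = 1 / 32):
        self.limit = int(birthday_bound_bytes(block_bits) * safety_fraction)
        self.sent = 0

    def record(self, nbytes: int) -> bool:
        """Account for nbytes of application data; False means stop sending."""
        self.sent += nbytes
        return self.sent < self.limit


if __name__ == "__main__":
    # Constructed list mixing a Triple-DES suite (from the page) with AES suites.
    offered = ["ECDHE-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
               "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"]
    print("64-bit block bound: %d bytes" % birthday_bound_bytes(64))
    print("allowed suites:", filter_suites(offered))
```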
How to Prevent the Attack in SSL-J
SSL-J includes a patch to remove Triple-DES cipher suites from the default list. DES cipher suites have already been removed. This means that by default only the AES cipher suites will be available.
Do not update the enabled cipher suites to include any of the DES or Triple-DES cipher suites. If the application selects cipher suites instead of using the default list, ensure DES and Triple-DES are not selected.
For instructions on selecting cipher suites that are not in the default list, see "How to Use a Cipher Suite That is Not in the Default List" in the RSA BSAFE SSL-J Troubleshooting Guide.