Vigil@nce - Blowfish, Triple-DES: algorithms too weak, SWEET32
September 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a TLS/VPN session with a
Blowfish/Triple-DES algorithm, and perform a two days attack, in
order to decrypt data.
Impacted products: Fedora, OpenSSL, openSUSE Leap, SSL protocol.
Severity: 1/4.
Creation date: 25/08/2016.
DESCRIPTION OF THE VULNERABILITY
The Blowfish and Triple-DES symetric encryption algorithms use 64
bit blocks.
However, if they are used in CBC mode, a collision occurs after
785 GB transferred, and it is then possible to decrypt blocks with
an attack lasting two days.
An attacker can therefore create a TLS/VPN session with a
Blowfish/Triple-DES algorithm, and perform a two days attack, in
order to decrypt data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Blowfish-Triple-DES-algorithms-too-weak-SWEET32-20473