Cryptography researchers have demonstrated successful collision attacks against the 3DES (Triple-DES) and Blowfish 64-bit block ciphers. A lot of consumer products and services still support them today.
3DES and Blowfish Ciphers Are Not Safe and Should Not Be Used
Cryptography researchers Karthikeyan Bhargavan and Gaetan Leurent from Inria, France, have created a report that showcases weaknesses in the 3DES and Blowfish ciphers. Their collision attack titled “Sweet32” utilizes cipher block chaining of the two ciphers, which are still used in popular VPN protocols such as TLS, SSH, and IPSec. The attack relies on a weakness that is exploited in the way these methods work.
Block ciphers that operate with 64-bit blocks become unsafe when exhibited with more than 32 GB of block messages, also known as “the birthday bound.” The collision attacks rely on the malicious manipulation of the query activity. Malicious users can lower the security of the ciphers by injecting JavaScript code that repeatedly sends queries to the logged site. Each request includes authentication site for the target site. If the criminal can capture all the necessary amount of dat, then he can gain access to the collision and eventually recover the session cookie. This ultimately defeats the protection that 3DES and Blowfish offer. Nowadays fast connections allow quick transfer of data, so that is a possible scenario.
OpenVPN uses a 64-bit Blowfish cipher in CBC mode by default. 3DES is used in about 1% of all HTTPS connections from Firefox browsers. And some legacy operating systems use 3DES and other legacy ciphers for remote operation. These are just a few examples of vulnerable protocols and software that utilize 3DES and Blowfish. The security researchers suggest all users stop 64-bit block ciphers to ensure maximum protection.
For more information check out their website that discusses the problem in more detail.
