Citrix sours on Sweet32 birthday attack, calls threat 'low-severity issue'
Citrix says the recently disclosed birthday attack Sweet32 is difficult for attackers to pull off against 64-bit ciphers. Still, the company recommends customers switch to 128-bit encryption.
Citrix Systems is advising customers not to fret over recent research stating that 64-bit block ciphers in cryptographic protocols are susceptible to a so-called birthday attack – noting that multiple conditions must be met for such a technique to be effective.
Last August, researchers Karthikeyan Bhargavan and Gaetan Leurent with the French Institute for Research in Computer Science and Automation (INRIA), published an online report warning that algorithms in such protocols as TLS and OpenVPS are vulnerable to cracking if a network attacker is able to monitor a network connection long enough to gather a critical mass of data. The researchers named this particular kind of birthday attack (a specific breed of collision attack) Sweet32 because it would take about 32 GB of data to begin encountering repeated crypto blocks, which would in turn help decipher the encryption.
Further extrapolating these principles, the researchers stated in their report that a “network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic.”
However, in its own blog post, Citrix noted that a successful attack requires large amounts of data to be sent one way, as well as four other notable conditions:
- A desired fixed secret is sent repeatedly
- A fraction of the plaintext is known by the hacker
- The attacker has access to the session ciphertext
- The encryption keys are not refreshed during the session
In practice, “it would be very hard to fulfill all the conditions above, rendering this a hard attack and low-severity issue,” reads the blog post, authored by Citrix security engineer Abhijith Chandrashekar.
Citrix did recommend however, that customers switch from 64-bit ciphers such as DES, 3DES and Blowfish, to AES encryption with 128-bit block sizes.