Collision Attacks Against 64-Bit Block Ciphers
We’ve long known that 64 bits is too small for a block cipher these days. That’s why new block ciphers like AES have 128-bit, or larger, block sizes. The insecurity of the smaller block is nicely illustrated by a new attack called “Sweet32.” It exploits the ability to find block collisions in Internet protocols to decrypt some traffic, even though the attackers never learn the key.
Paper here. Matthew Green has a nice explanation of the attack. And some news articles. Hacker News thread.
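The collision property the post describes, reproduced at toy scale as an added example (not code from the Sweet32 paper or from this post). It assumes CBC mode and uses a 16-bit keyed random permutation as a stand-in for a 64-bit cipher; every function name here is illustrative.

```python
import math
import random

BLOCK_BITS = 16  # toy block size (assumption); 3DES and Blowfish use 64


def toy_cipher(key):
    """Keyed random permutation of all 2**BLOCK_BITS blocks (ideal-cipher stand-in)."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)
    return table


def cbc_encrypt(table, iv, plaintext_blocks):
    """CBC mode: c[i] = E(p[i] XOR c[i-1]). Returns [IV, c0, c1, ...]."""
    out = [iv]
    for p in plaintext_blocks:
        out.append(table[p ^ out[-1]])
    return out


def first_collision(ciphertext):
    """Return (i, j) for the first two equal ciphertext blocks, or None."""
    seen = {}
    for j in range(1, len(ciphertext)):  # index 0 is the IV, not cipher output
        i = seen.setdefault(ciphertext[j], j)
        if i != j:
            return i, j
    return None


def leaked_xor(ciphertext, i, j):
    """If c[i] == c[j] the cipher inputs were equal, so p[i]^p[j] = c[i-1]^c[j-1]."""
    return ciphertext[i - 1] ^ ciphertext[j - 1]


def collision_probability(blocks, block_bits):
    """Birthday approximation: chance of at least one collision among `blocks` blocks."""
    return -math.expm1(-blocks * (blocks - 1) / 2 ** (block_bits + 1))


def demo(key=2016, blocks=4096):
    rng = random.Random(1)  # constructed plaintext, not real traffic
    plain = [rng.randrange(1 << BLOCK_BITS) for _ in range(blocks)]
    ct = cbc_encrypt(toy_cipher(key), rng.randrange(1 << BLOCK_BITS), plain)
    i, j = first_collision(ct)  # 4096 blocks is 16x the 2**8 birthday bound
    # ct[0] is the IV, so ciphertext index k carries plaintext index k-1
    return i, j, leaked_xor(ct, i, j), plain[i - 1] ^ plain[j - 1]
```

The XOR of two plaintext blocks is recovered from ciphertext alone, with no use of the key. For a real 64-bit block, `collision_probability(2**32, 64)` (32 GiB under one key) is about 0.39, while the same volume with a 128-bit block gives a negligible value.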
Lisa • August 26, 2016 5:04 PM
It is clear that this attack requires a huge number of blocks (~2^(n/2)) to work, which is a concern for high bandwidth data transfers such as video streaming.
But I do not see how this attack would not be practical for a banking website using TLS with session generated 3DES (3TDEA) keys, with lightweight webpages of mostly textual content with bits of small static images, and a session timeout.
Discussion in the IETF-CFRG mailing list has many advocating to remove 3DES cipher suites from TLS 1.3, but this seems like overkill, when it appears that it can still be used safely with low bandwidth websites.