When discussing pentests, I continue to see “weak cipher” issues that go on to say anything < 128 bits is insecure; however, 3DES has to date been the exception to this. In terms of cryptographic strength, 3-key 3DES uses three unique 56-bit keys, providing 168 bits of strength before factoring in known attacks that reduce the amount of work to break it to that of exhausting a 112-bit key. Now, 112 bits is less than 128 bits, yet NIST, who of course factor in the weakness, still state this year that 112 bits is sufficient and acceptable, hence my referral to 3DES as being an exception to weak ciphers.
Rather than refer to the support of 112-bit 3DES ciphers as weak, I’ve tended to note it more as an informational point, drawing attention to NIST, the fact that it’s rapidly approaching the end of its useful life, and that stronger cipher suites should be offered and preferred…
…until now (well, two weeks ago on August 24th). The Sweet32 attack (CVE-2016-2183) was disclosed, showing how collision attacks are now practical against 3DES and Blowfish block ciphers; here’s the paper. The proofs of concept demonstrated the ability to recover a session cookie from a 3DES HTTPS session, and Basic Auth creds sent over an OpenVPN connection. That sounds scary enough, but in their test environment it required the capture of 785GB of data, which took anywhere between 19-38 hours.
Crap that’s fast.
OpenSSL changes now show the disabling and removal of 3DES in the next update so I reckon it won’t be long now before AES-128 becomes the absolute bare minimum. It’s worth noting that dropping 3DES support will only really prevent XP users running IE6-8 from connecting so unless you have a massive user base running that crusty legacy setup I’d say now it really is worth removing.
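Why a key-length threshold misses this issue, as an added example (not code from the original post or from the Sweet32 authors): 3DES and Blowfish both use 64-bit blocks, and the collision estimate depends on block size, not key size. The suite list is constructed, the name-token matching is a heuristic for OpenSSL-style names, and 1GB is assumed to be 10^9 bytes.

```python
import re

SIXTY_FOUR_BIT = {"DES", "3DES", "CBC3", "BF", "IDEA", "RC2"}
ONE_TWENTY_EIGHT_BIT = ("AES", "CAMELLIA", "ARIA", "SEED")


def block_bits(suite):
    """Guess the cipher block size in bits from an OpenSSL-style name (heuristic)."""
    tokens = re.split(r"[-_]", suite.upper())
    if any(t in SIXTY_FOUR_BIT for t in tokens):
        return 64
    if any(t.startswith(ONE_TWENTY_EIGHT_BIT) for t in tokens):
        return 128
    return None  # stream cipher or unrecognised name


def expected_collisions(data_bytes, bits):
    """Birthday estimate: expected colliding block pairs under one key."""
    n = data_bytes / (bits // 8)          # ciphertext blocks sent
    return n * (n - 1) / 2 / 2 ** bits


def birthday_volume_bytes(bits):
    """Data under one key at which about 2^(bits/2) blocks have been sent."""
    return 2 ** (bits // 2) * (bits // 8)


def audit(suites, data_bytes):
    """Return (suite, expected collisions) for every 64-bit block cipher suite."""
    return [(s, expected_collisions(data_bytes, 64))
            for s in suites if block_bits(s) == 64]


# Constructed sample: suite names a server might offer, not taken from the post.
OFFERED = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA",
           "ECDHE-RSA-DES-CBC3-SHA", "BF-CBC", "ECDHE-RSA-CHACHA20-POLY1305"]
CAPTURE = 785 * 10 ** 9   # the post's 785GB, assuming 1GB = 10^9 bytes

if __name__ == "__main__":
    for suite, hits in audit(OFFERED, CAPTURE):
        print(f"{suite}: ~{hits:.0f} expected collisions in 785GB")
    print(f"AES at same volume: {expected_collisions(CAPTURE, 128):.1e}")
    print(f"64-bit birthday volume: {birthday_volume_bytes(64) / 2**30:.0f} GiB")
```

A scanner rule written this way flags the 3DES and Blowfish entries regardless of their key length, which is the distinction a "< 128 bits" rule does not capture.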
…watch this space I guess, the clock’s ticking!