Now, let’s take a look at the Sweet32 attack as it applies to HTTPS connections. A typical HTTP request looks like this:
GET / HTTP/1.1
Let’s assume that the browser and server agreed to use a 3DES cipher suite to protect a TLS connection. All TLS cipher suites that use 3DES use it in cipher block chaining (CBC) mode. 3DES encrypts 64-bit blocks of data. Because of how CBC mode works and because to the birthday paradox, we would expect to see ciphertext block collisions after observing approximately 2^32 blocks (i.e., 2^35 bytes or approximately 34 GB) of data. CBC mode encrypts each block of plaintext by performing an XOR operation with the previous ciphertext block before encrypting it. That is, if the plaintext is divided into m blocks: P_1, P_2, …, P_m, then the ciphertext for each block is C_i = Encrypt(P_i XOR C_(i − 1)), where C_0 is the initialization vector.
So what does a ciphertext block collision mean?
If C_i = C_j for distinct i and j encrypted using the same key, then
Encrypt(P_i XOR C_(i − 1)) = Encrypt(P_j XOR C_(j − 1)).
Since the DES encrypt function is a permutation (i.e., each input corresponds to exactly one output), this means
P_i XOR C_(i − 1) = P_j XOR C_(j − 1).
P_i XOR P_j = C_(i − 1) XOR C_(j − 1).
Here, C_(i − 1) and C_(j − 1) are known ciphertext blocks. By XORing them together, we obtain the XOR of two plaintext blocks. If one of the plaintext blocks is known, we can compute the other.
How does this apply to Sweet32?
Now, the attacker simply sends the same request from the user’s browser over and over again until the attacker observes a ciphertext collision. Recall that this is expected to happen after about 2^32 blocks of ciphertext have been observed.
Now, there are three possibilities. The ciphertext collision is for:
- Two known plaintext blocks.
- Two unknown plaintext blocks.
- A known and an unknown plaintext block.
In the third scenario, the attacker can compute the unknown plaintext block and obtain 8 bytes of the secret.
How much data does the attacker need to collect to successfully obtain the complete 16-byte secret? The researchers that invented the Sweet32 attack found that they needed to collect about 785 GB of data over 38 hours in a lab environment to find the two required collisions.