What is Sweet32 attack and how to mitigate it?

If you’ve not explicitly disabled 3DES-CBC cipher in TLS, your HTTPS connections might be vulnerable to the new SWEET32 bug (CVE-2016-2183) disclosed on 24th Aug.

Researchers demonstrated that they can decrypt customer data using a method called SWEET32 Birthday Attack.

Cryptographic protocols like TLS, SSH, IPsec, and OpenVPN commonly use block cipher algorithms, such as AES, Triple-DES, and Blowfish, to encrypt data between clients and servers. To use such algorithms, the data is broken into fixed-length chunks, called blocks, and each block is encrypted separately according to a mode of operation. Older block ciphers, such as Triple-DES and Blowfish use a block size of 64 bits, whereas AES uses a block size of 128 bits.

What is SWEET32 Birthday Attack?

As said above web server encrypts data using cryptographic keys. These keys are chosen randomly, and the probability of any two customers getting the same key is very low.

With the SWEET32 vulnerability, a network attacker can send large amount of date say 75 GB, and get blocks of cipher text that matches that of a customer.

When 64-bit 3DES ciphers are used it generates a lot of packets, so an attacker can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic.

To break it down:

  • The attacker sniffs all data sent to your customer.
  • Attacker sends dummy data to your server until a key used for a customer matches the attacker’s session key.
  • Once there’s a match, sensitive data can be decrypted by determining how the key was chosen.

An important requirement for the attack is to send a large number of requests in the same TLS connection. Therefore, we need to find client and servers that not only negotiate the use of Triple-DES, but also exchange a large number of HTTP request in the same TLS connection (without rekeying).


Websites that support 3DES are vulnerable to a SWEET32 Birthday attack. Your server administrator should know whether your website supports 3DES, but it is easy to determine using nmap script and check the cipher suites for 3DES.

Nmap script to detect  SWEET32 attack:

nmap -Pn -p –script ssl-enum-ciphers xx.xx.xx.xx (IP)

Server administrators should consider the following to mitigate SWEET32:

  • Prefer minimum 128-bit cipher suites
  • Limit the length of TLS sessions with a 64-bit cipher, which could be done with TLS renegotiation or closing and starting a new connection
  • Disable cipher suites using 3DES

The researchers have stated that SWEET32 is comparable to the attacks on RC4. Hopefully this means that the browsers will also plan to mitigate the attack by supporting 3DES as a fallback-only cipher, even if the server prefers 3DES over AES.

Share This:

Leave a Reply

Your email address will not be published. Required fields are marked *