Sweet32 is a birthday attack on 64-bit block ciphers such as DES, 3DES and Blowfish. These ciphers are allowed in cryptographic protocols like SSH, SSL/TLS and VPN. The attack affects all implementations of these protocols that use 64-bit ciphers.

Further technical details of the attack have been published by the researchers here

For a successful attack, a large amount of data has to be sent one-way during the session, and the session has to be encrypted using the same key. For 64-bit ciphers, it would take about 32GB of data in order to have a 50% probability of collision in any of the cipher blocks. Much more data would be needed in order to achieve the same probability with a desired ciphertext block. Furthermore, since these protocols use different keys for each direction of the channel, the attacker can only utilize data from one side of the connection, and not both sides combined.

The details above mean that the following conditions are important for a successful attack:

  1. A large amount of data must be sent during the session
  2. A desired fixed secret is sent repeatedly
  3. Some fraction of the plaintext is known by the attacker
  4. The attacker has access to the session ciphertext
  5. The encryption keys are not refreshed during the session, for example by session renegotiation

In practice, it would be very hard to fulfill all the conditions above, rendering this a hard attack and low-severity issue.

There are better alternatives to 64-bit ciphers, however. In the interest of keeping up with current security practices, we recommend that customers move away from DES, 3DES and Blowfish (only used in SSH) from SSL/TLS and SSH across our product lines and use AES instead. These options are configurable in our NetScaler and Command Center product lines.

On SSL load balancers that serve HTTP content, a partial mitigation is to prevent the back-end HTTP server from sending ‘Connection: Keep-Alive‘ header and instead send a ‘Connection: Close’ header. This can either be done on the back-end server, or it can be done on the appliance-side by rewriting the header.