Vulnerabilities In 3DES Encryption Put It Out To Pasture In IBM i
November 14, 2016 Alex Woodie
IBM i customers should stop using 3DES, also known as Triple DES, ciphers due to the SWEET32 vulnerabilities that could leave sensitive information unprotected as it moves between client and server via the OpenSSL and OpenVPN protocols. This was the gist of a security alert sent last week by IBM, which also issued new PTFs to address the problems in its own IBM i products.
On November 4, IBM issued security bulletin N1021697, which discussed what to do about so-called SWEET32 security vulnerabilities in OpenSSL and OpenVPN. The security problems, which are detailed in CVE-2016-2183 (for OpenSSL) and CVE-2016-6329 (for OpenVPN), impact all releases of the IBM i OS, from 6.1 to 7.3.
IBM issued a batch of new PTFs to address the security vulnerabilities, both of which were given a low severity rating of 3.7 on the 10-point CVSS score, largely due to high level of complexity that a successful attack would entail. Per IBM’s security alert (which you should definitely read to understand mitigations and workarounds), the PTF numbers that should be applied are as followed:
If you read our October 3 story about the last batch of OpenSSL patches, you will recall that IBM already issued the SI62622 and SI62623 patches. So what’s with the new round of patches? Two things. First, IBM is now patching the SWEET32 flaws in OpenVPN, and it’s also covering IBM i 6.1 and 6.1.1 with the patches; only IBM i versions 7.1 to 7.3 were patched in October.
The PTFs essentially disable 3DES across all IBM-controlled programs and utilities, including the SSL/TLS facilities in the IBM i Licensed Internal Code (LIC); the OpenSSL implementation in PASE; the Java JSSE-based IBMJSSE2 utility; and Domino, which contains an embedded SSL implementation (although it also uses the System SSL/TLS facility in some configurations).
The PTFs will activate newer and more secure AES ciphers in these IBM products. “Not disabling the Triple DES (3DES) cipher or algorithm will expose yourself to the attack described above,” IBM writes in its security alert.
Why is 3DES being removed? Simply put, it’s because 3DES is not considered highly secure anymore. The reasons have largely to do with the fact that the 3DES algorithm uses 64-bit block sizes, and those block sizes are no longer deemed sufficient by the security community to keep vigilant cybercriminals at bay. AES, by comparison, uses a 128-bit block size, which makes a big difference in preventing potentially sensitive data that could expose plaintext keys from leaking out.
“It is well-known in the cryptographic community that a short block size makes a block cipher vulnerable to birthday attacks, even if there are no cryptographic attacks against the block cipher itself,” write security researchers Karthikeyan Bhargavan and Gaëtan Leurent on the website sweet32.info, which is an excellent source for information on the SWEET32 vulnerability and how hackers can pull off brute-force “birthday” style attacks that uses the laws of probability and big data to crack one-way hashing algorithms.
With the 3DES algorithm encrypting data across an HTTPS connection, the researchers determined that an attacker executing a SWEET32-based birthday attack could retrieve the plaintext keys (in the form of HTTP cookies) by capturing about 785GB of traffic between a Web browser and a server. That would require the HTTPS connection to be live for about two days, which may sound impractical (and is why the vuln garnered a relatively low security threat rating). But considering the financial motivation that hackers have and the increasingly sophisticated tools at their disposal, there’s no reason to take a chance by using older, weaker cipher technology when newer and stronger ciphers like AES are readily available.
The good news is that 128-bit AES encryption is still considered practically unbreakable and is supported in popular network security protocols like OpenSSL, TLS, and SSH. AES (which is also available in 256-bit strength) should be considered the only safe encryption algorithm to use at this point. Many popular websites use it, and Web browsers support it. It’s supported in the IBM i stack.
The bad news is that there’s still a lot of 3DES out there. Because some Web browsers enable 3DES before AES by default, and because there are a lot of misconfigured servers out there, AES is still used in 1 to 2 percent of the world’s Web traffic secured with the TLS protocol, according to Bhargavan and Leurent. (SSL, you will remember, is considered weak; TLS is its replacement.)
For IBM i shops that take security seriously, it’s important to get on the right side of this. IBM is eliminating 3DES from its products. But the average IBM i shop runs a lot of non-IBM code, including FTP and Telnet utilities developed by third-party vendors. This is why it’s critical for IBM i shops to check their software inventory and upgrade all of the vulnerable products.
According to IBM i security expert Patrick Townsend, this should be a priority item for IBM i shops. “This one is important and you should take a look at it right away,” he writes on his Data Privacy Blog.
While Townsend Security uses the IBM i System SSL/TLS library in its products and is thus protected via IBM’s remediation work, there are a handful of third-party software vendors that have their own implementations of OpenSSL, which requires them to fix the problem themselves.
Customers will need to make sure that 3DES is being removed from these special ports of OpenSSL, he says. “You need to be talking to them right away,” Townsend writes in the blog post. “Unfortunately I know of one or two that are no longer supporting the IBM i platform. So you may have some difficulty getting resolution on this issue.”
You can read IBM’s security alert at www-01.ibm.com/support/docview.wss?uid=nas8N1021697.