Articles

Sweet32: Birthday Attacks on 64-Bit Ciphers

March 15, 2026 4 min read

The Sweet32 attack is a practical exploit that leverages the birthday paradox to break the security of 64-bit block ciphers, like Triple DES (3DES), by finding collisions in the cipher’s output.

Let’s see this in action. Imagine you’re encrypting a large amount of data with 3DES, which uses a 64-bit block size. Over time, as you encrypt more and more data, you’re essentially generating a sequence of 64-bit blocks. The birthday paradox tells us that in a set of randomly chosen people, you only need 23 people to have a 50% chance that two share a birthday. Applied to cryptography, this means that if you encrypt approximately $2^{32}$ blocks of data, you have a high probability of generating two identical 64-bit ciphertext blocks.

This is where the attack comes in. An attacker monitors the encrypted traffic. If they observe two identical ciphertext blocks, they can deduce that the plaintext blocks corresponding to these ciphertext blocks were also identical. While this doesn’t immediately reveal the plaintext, it’s a significant weakness. If the attacker can control or predict some of the plaintext, they can craft specific inputs to increase the chances of generating a collision.

The core problem is the relatively small block size of 64 bits. With modern computing power and the sheer volume of data transmitted over networks, generating $2^{32}$ blocks (which is about 256 GB of data) is entirely feasible. When two 64-bit ciphertext blocks are found to be identical, it means that the XOR of the corresponding plaintext blocks, when encrypted with the same key, results in a zero. This gives the attacker a mathematical relationship they can exploit.

Here’s how an attacker might practically leverage this:

  1. Monitor Traffic: The attacker observes encrypted communication, looking for duplicate ciphertext blocks.
  2. Identify Collision: They detect two identical 64-bit ciphertext blocks, say $C_i$ and $C_j$, that were generated using the same encryption key.
  3. Deduce Plaintext Relationship: Since $C_i = C_j$, this implies that $E_k(P_i) = E_k(P_j)$, where $E_k$ is the encryption function with key $k$, and $P_i, P_j$ are the corresponding plaintext blocks. Due to the properties of block ciphers, this strongly suggests that $P_i = P_j$.
  4. Exploit Predictable Data: If the attacker knows or can guess parts of the plaintext (e.g., HTTP headers, known session identifiers), they can use this collision to gain information. For example, if they can force a known plaintext block to be sent, and then later observe a collision, they can infer information about the unknown parts of the plaintext.

The Sweet32 attack specifically targets protocols that use 64-bit block ciphers for long-lived connections or for encrypting large amounts of data. This includes older versions of TLS/SSL that allowed ciphers like DES-CBC3-SHA (which uses 3DES).

The "Why it works" behind the collision: The birthday paradox states that the probability of a collision in a set of $N$ items, where each item can take one of $M$ values, is approximately $1 - e^{-N^2 / (2M)}$. In our case, $M = 2^{64}$ (the number of possible 64-bit blocks). We are looking for the number of blocks $N$ such that the probability of a collision is significant. Setting $N^2 / (2M) \approx 1$, we get $N^2 \approx 2M = 2 \cdot 2^{64} = 2^{65}$, so $N \approx \sqrt{2^{65}} = 2^{32.5}$, which is roughly $2^{32}$ blocks. Encrypting about 256 GB of data with 3DES makes a collision highly probable. When a collision occurs ($C_i = C_j$), it signifies that $P_i$ and $P_j$ are identical, giving the attacker a shared secret or a starting point to deduce further information.

Mitigation: The primary defense is to avoid 64-bit block ciphers for encrypting large amounts of data or for long-lived connections.

  • Diagnosis: Monitor network traffic for large volumes of data encrypted with ciphers like 3DES. Check TLS/SSL cipher suite negotiation logs for the presence of DES-CBC3-SHA or similar suites.
  • Fix: Configure servers and clients to disallow 64-bit block ciphers. For example, in OpenSSL, this would involve modifying the CipherString or SSLCipherSuite configuration to exclude DES-CBC3-SHA. A typical modern configuration might look like: SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 This explicitly lists strong, modern cipher suites and implicitly excludes older, weaker ones like 3DES.
  • Why it works: By moving to ciphers with larger block sizes (e.g., AES with 128-bit blocks), the number of blocks required to find a collision increases dramatically to $2^{64}$. This is computationally infeasible, effectively eliminating the birthday attack vector.

Common Causes and Fixes:

  1. Outdated TLS/SSL Configurations: Servers or clients still negotiating DES-CBC3-SHA or other 3DES-based cipher suites.

    • Diagnosis: Use openssl s_client -connect example.com:443 -cipher DES-CBC3-SHA to test if a specific cipher is supported. Check server configuration files (e.g., Apache’s httpd.conf, Nginx’s nginx.conf) for SSLCipherSuite directives.
    • Fix: Update the SSLCipherSuite directive to prioritize and include only strong, modern ciphers. For Apache, this might be: SSLProtocol -all +TLSv1.2 +TLSv1.3 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 This ensures that 3DES (which has a 64-bit block size and is often part of weaker suites) is not used.
    • Why it works: Modern cipher suites use algorithms like AES with 128-bit blocks, making the birthday attack computationally infeasible.

  2. Legacy Application Dependencies: Applications that enforce the use of 3DES for compatibility with older systems.

    • Diagnosis: Application logs showing connection errors or warnings related to cipher suite negotiation. Network packet captures showing 3DES negotiation.
    • Fix: Update the application or its dependencies to support modern TLS versions and stronger cipher suites. If an immediate update isn’t possible, configure the server to disable 3DES for connections from that application if it can be isolated, or (as a last resort) if the application itself can be configured to use stronger ciphers.
    • Why it works: By forcing the use of 128-bit block ciphers, the birthday attack’s feasibility is removed.

  3. IPsec/VPN Configurations: Older VPN or IPsec configurations might default to or allow 3DES for bulk data encryption.

    • Diagnosis: Review IPsec Security Association (SA) parameters and Phase 2 (IPsec) proposals. Look for 3DES-CBC as an encryption algorithm.
    • Fix: Configure IPsec policies to use AES-GCM or AES-CBC with 128-bit or 256-bit keys instead of 3DES. For example, a typical IKEv2 policy might look like: set ike proposal aes256-sha256-modp2048 set esp proposal aes256-gcm (Syntax varies by vendor; the key is to select AES-based, authenticated encryption like GCM or CBC with a strong hash).
    • Why it works: Using AES with a 128-bit or larger block size makes the birthday attack computationally infeasible.

  4. SSH Configuration: While less common for bulk data, older SSH configurations might have allowed 3DES.

    • Diagnosis: Check the SSH server configuration (sshd_config) for Ciphers or MACs directives that might include 3des-cbc.
    • Fix: Update the Ciphers directive to exclude 3des-cbc and prioritize modern ciphers like aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, or aes192-ctr, aes128-ctr. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    • Why it works: This removes 3DES as an option, forcing the use of ciphers with larger block sizes or more robust modes.

  5. Custom Implementations: Applications with custom cryptographic implementations that incorrectly use 64-bit block ciphers for large data.

    • Diagnosis: Code review of cryptographic functions. Unit tests that specifically check for collisions with large amounts of data.
    • Fix: Replace custom implementations with well-vetted libraries like OpenSSL, BoringSSL, or CryptoAPI, and ensure they are configured to use modern algorithms with sufficient block sizes (e.g., AES-128 or AES-256 in GCM or CBC mode).
    • Why it works: Leverages cryptographically secure libraries that handle block size and mode correctly, making birthday attacks infeasible.

The next problem you’ll encounter after fixing Sweet32 is likely a different type of attack that exploits weaknesses in the mode of operation or the authentication mechanism if you’re still using older protocols, such as attacks on CBC mode if not properly authenticated, or vulnerabilities in older hash functions.

Want structured learning?

Take the full Cryptography course →