[openssl-users] [openssl-security] Removal of 3DES in 1.0.2 Version

[Viktor Dukhovni]

[ The openssl-security is for reporting security issues
  in OpenSSL.  Answer redirected to openssl-users. ]

> On Mar 12, 2017, at 3:55 PM, Oren Rosenmann <rozenman at hotmail.com> wrote:
> 
> As part of our software, we use OpenSSL 1.0.2 stream.
> Due to Sweet32 attacks, security scanners are suggesting
> upgrade to 1.1.0, despite the fact that we actually
> disable 3DES ciphers in configuration.

If you explicitly disable 3DES (in TLS) then you're not
vulnerable to Sweet32, and security scanners should not
be reporting Sweet32 exposure.

> I wanted to ask if the same change done in 1.1.0 is
> also planned sometime for 1.0.2 stream (i.e. disable
> by default, not just change from High to Medium)?

No.  That's too big a change for a stable release,
and the Sweet32 issue is not a practical issue for
most users.  It is a reason to walk not run away
from 3DES.

> https://www.openssl.org/blog/blog/2016/08/24/sweet32/
>  
> Also, is the change affecting only ciphers used for
> communication?  If we use DES to encrypt internal
> data, is it also being blocked?

Sweet32 is an attack on TLS in browsers, where attackers
are able to inject known-plaintext traffic.  It is not
relevant to encryption of data at rest.  That said, do
migrate from 3DES to AES.

The deprecation of ciphersuites from TLS does not affect
the availability of the underlying cryptographic functions.
The 3DES algorithm is still available in OpenSSL 1.1.0.

You can still use 3DES with CMS, or "openssl enc", but
don't forget that "openssl enc" does not include integrity
protection, so use CMS, or arrange for some sort of MAC
on the underlying data or the output of "enc".  For
large data streams, you'll probably want to generate
a "chunked" encoding with a MAC over every chunk.

-- 
	Viktor.