Sweet32-birthday-attack-on-64-bit-block-cipher-withdrawal-of-3des-cipher-support

Sweet32-birthday-attack-on-64-bit-block-cipher-withdrawal-of-3des-cipher-support

We always try to provide utmost security and privacy to our users and here is one such instance. This is about removing weak and insecure ways to access our platform and strengthening it based on industry standard recommendations from time to time.


3DES,  a 64-bit block cipher,  is one of the algorithms used for encryption. These block ciphers, with short block size, are vulnerable to a type of  cryptographic attack, known as the Birthday Attack. In order to protect our customers from this vulnerability, all Zoho services including SDP On-Demand will stop extending support to 3DES from January 31, 2017.


After Zoho disables 3DES cipher, any communication with a Zoho service will need to use AES (128/256) cipher for encryption. All modern browsers/clients and operating systems support robust algorithms like AES. In order to avoid issues connecting with Zoho services, we advice our users to stay up-to-date and update to such latest systems.


1) Internet Browsers:

We monitored our traffic and observed that around 98% of users connecting via 3DES are using IE on Windows XP or Windows 2003 server. These legacy systems do not support AES based ciphers by default. As these systems are no longer supported by its vendor, we  recommend our customers to upgrade their OS or at least use latest   browsers like Firefox/Chrome.

 

2) API Integrations:
If your APIs use 3DES cipher to access Zoho's Applications, please update your API to connect via AES(126,256). Refer the following to set the cipher suite for the language you are using:

 

Java     - Set the cipher suite in javax.net.ssl.SSLSocket.

Ruby    - Set the preferred cipher suite in OpenSSL::SSL::SSLContext

PHP     -  Set CURLOPT_SSL_CIPHER_LIST to a list cipher suites that uses AES for encryption to your Curl options.

Python - Set the cipher suite in SSLContext.set_ciphers.

c#        - Use CipherAlgorithmType AES.

 

You can also refer SSLLabs to check whether you will be affected by this measure. Kindly contact sdp-ondemand-support@manageengine.com for any clarification.

Take  these measures right away so that you are not affected by this attack.  To know more about the sweet32 vulnerability, refer : https://sweet32.info/

Thanks
SDP On-Demand Support Team

                New to ADSelfService Plus?