Diffie Hellman key exchange (1024 bit) unreliable
Monday, October 17. 2016
Ars Technica wrote last week: NSA could put undetectable "trapdoors" in millions of crypto keys. The linked article says:
A special prime devised by the researchers, however, contains certain invisible properties that make the secret parameters unusually susceptible to discovery. The researchers were able to break one of these weakened 1,024-bit primes in slightly more than two months using an academic computing cluster of 2,000 to 3,000 CPUs.
So, there is a mathematical weakness in the DH key exchange algorithm when 1024 bits are used with a suitably chosen prime number.
It so happens that Diffie Hellman has taken major hits in the past. In May 2015 a team of researchers found an implementation failure in DH key exchange, called the Logjam attack. There is no mathematical weakness there, but when negotiating a key exchange, the client forces the number of bits used to be ridiculously low instead of the server's suggestion. And in their discovery they suggested:
The Logjam researchers include some talk about how some "attackers with nation-state resources" could break through 1024-bit DH.
All this means that the entire Diffie Hellman algorithm is riddled with different types of flaws and any reliability it previously enjoyed among the security community is gone. Even with a Logjam-patched server, using fewer than 1024 bits has been insane for a long time. Now 1024 bits are gone too; what next?
Impact
In practice this affects HTTPS, SSH and VPN tunnels. Ok, there is other software using DH key exchange, but I'll try to keep this simple.
So, there is no backdoor that the NSA or anybody else can open. It's just that when a client and a server agree on the details of the encryption used in the communication, the encryption key they end up with can be calculated by a listening party. If somebody cannot capture your key exchange and the encrypted bits, they cannot decrypt the communication. However, if somebody can grab your bits and either you're using too weak a DH key exchange, or somebody can tamper with the connection and do a "Logjam", then your connection's security will be impaired. The best option is to use some other protocol for key exchange.
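Why a captured exchange is enough for a listener, as an added illustration (not code from this post): a toy Diffie Hellman exchange over a constructed, deliberately tiny prime, where the eavesdropper recovers the session key from the two public values alone. It substitutes a textbook baby-step giant-step discrete log for the number-field-sieve precomputation the researchers used, because the toy group is small enough for that to finish instantly; all parameter values are constructed.

```python
import math
import secrets

# Constructed toy parameters, NOT real TLS DH parameters: a small prime p and
# generator g, sized so the eavesdropper's discrete-log step finishes instantly.
P = 1000003
G = 2

def keypair(p, g):
    """Private exponent and the public value g^priv mod p that goes on the wire."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p-2
    return priv, pow(g, priv, p)

def shared_secret(peer_pub, priv, p):
    """What each honest party computes: peer_pub^priv mod p."""
    return pow(peer_pub, priv, p)

def discrete_log_bsgs(g, h, p):
    """Solve g^x = h (mod p) by baby-step giant-step: O(sqrt(p)) time and memory.
    Cost grows with the square root of the group size: instant for a toy prime,
    hopeless at 1024 bits, which is why the breaks cited in the post rely on
    number-field-sieve precomputation against one specific prime instead."""
    m = math.isqrt(p - 1) + 1
    baby = {}                                    # g^j -> j for 0 <= j < m
    e = 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * g % p
    giant_step = pow(g, -m, p)                   # g^(-m), Python 3.8+ modular inverse
    gamma = h
    for i in range(m):                           # walk h, h*g^-m, h*g^-2m, ...
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % p
    return None

def eavesdrop(p, g, pub_a, pub_b):
    """Recover the session secret from nothing but the captured public values."""
    a = discrete_log_bsgs(g, pub_a, p)           # A's private exponent (mod ord(g))
    return pow(pub_b, a, p)                      # equals B^a = g^(ab) = the shared key

def demo(p=P, g=G):
    """One exchange; True when both parties and the eavesdropper end up with the same key."""
    a, pub_a = keypair(p, g)
    b, pub_b = keypair(p, g)
    k_alice = shared_secret(pub_b, a, p)
    k_bob = shared_secret(pub_a, b, p)
    return k_alice == k_bob == eavesdrop(p, g, pub_a, pub_b)
```

Doubling the bit length of p squares the group size, so the toy listener's work only grows by a factor of roughly 2^(bits/2); the 1024-bit case is out of reach for this method, and that gap is exactly what the trapdoored-prime precomputation in the article closes.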
There is more information about key exchange and Diffie Hellman in my previous article TLS Security recap - HTTPS (in)security up until 2016.
Diffie Hellman in TLS (SSL)
To quote the Wikipedia article about Diffie Hellman: "There are three versions of Diffie Hellman used in SSL/TLS: Anonymous Diffie Hellman, Fixed Diffie Hellman and Ephemeral Diffie Hellman". To make things confusing, there is also Elliptic curve Diffie–Hellman (ECDHE), which is not affected. For the purpose of this article, it is considered a completely different key exchange protocol. Yes, it has Diffie Hellman in the name, but ... still not affected.
Of those four protocols, pretty much the only ones in use on today's Internet are DHE (affected) and ECDHE (not affected). Looking at the stats from SSL Pulse, Survey of the SSL Implementation of the Most Popular Web Sites, only 27% of the sites tested supported DH/DHE with 1024 or fewer bits.
What you can do
The simple version is: nothing.
If you really want to, you can check which cipher suite your browser is using:
The string "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" means that the TLS 1.2 connection is using elliptic-curve DHE (the unaffected one) for key exchange.
If you want to make things really interesting, from a Linux command prompt try to lure the server into using DHE as the key exchange method. First get a list of suitable ciphers:
# openssl ciphers | perl -ne 'print join("\n", grep {/^DHE-/} split(/:/));'
Let's pick one with weak key exchange but strong crypto, DHE-RSA-AES256-GCM-SHA384, and go for it:
# openssl s_client -cipher 'DHE-RSA-AES256-GCM-SHA384' -connect www.google.com:443
As the folks at Google are smart, they won't allow that. What you get is "CONNECTED" followed by "alert handshake failure". It means that your client and their server failed to agree on a suitable cipher suite to use. Your request to use DHE was the key here.
Final words
If you are a server admin and haven't stopped accepting Diffie Hellman as a key exchange method before this, do it now.
If you are a regular internet user, don't worry, a number of government-level organizations already have your data!