Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Authors:
David Adrian

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Karthikeyan Bhargavan

INRIA Paris-Rocquencourt, Paris, France

INRIA Paris-Rocquencourt, Paris, France
View Profile

,
Zakir Durumeric

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Pierrick Gaudry

INRIA Nancy-Grand Est, CNRS and Université de Lorraine, Nancy, France

INRIA Nancy-Grand Est, CNRS and Université de Lorraine, Nancy, France
View Profile

,
Matthew Green

Johns Hopkins University, Baltimore, MD, USA

Johns Hopkins University, Baltimore, MD, USA
View Profile

,
J. Alex Halderman

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Nadia Heninger

University of Pennsylvania, Philadelphia, PA, USA

University of Pennsylvania, Philadelphia, PA, USA
View Profile

,
Drew Springall

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Emmanuel Thomé

INRIA Nancy-Grand Est, CNRS and Université de Lorraine, Nancy, France

INRIA Nancy-Grand Est, CNRS and Université de Lorraine, Nancy, France
View Profile

,
Luke Valenta

University of Pennsylvania, Philadelphia, PA, USA

University of Pennsylvania, Philadelphia, PA, USA
View Profile

,
Benjamin VanderSloot

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Eric Wustrow

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Santiago Zanella-Béguelin

Microsoft Research, Cambridge, United Kingdom

Microsoft Research, Cambridge, United Kingdom
View Profile

,
Paul Zimmermann

INRIA Nancy-Grand Est, CNRS and Université de Lorraine, Nancy, France

INRIA Nancy-Grand Est, CNRS and Université de Lorraine, Nancy, France
View Profile

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecurityOctober 2015Pages 5–17https://doi.org/10.1145/2810103.2813707

Published:12 October 2015Publication History

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 5–17

ABSTRACT

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.

References

S. Bai, C. Bouvier, A. Filbois, P. Gaudry, L. Imbert, A. Kruppa, F. Morain, E. Thomé, and P. Zimmermann.upshape cado-nfs, an implementation of the number field sieve algorithm, 2014. Release 2.1.1.Google Scholar
R. Barbulescu. Algorithmes de logarithmes discrets dans les corps finis. PhD thesis, Université de Lorraine, France, 2013.Google Scholar
R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In Eurocrypt, 2014.Google ScholarCross Ref
E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. NIST Special Publication 800--57: Recommendation for Key Management, 2007.Google Scholar
D. J. Bernstein. How to find smooth parts of integers, 2004. http://cr.yp.to/factorization/smoothparts-20040510.pdf.Google Scholar
D. J. Bernstein and T. Lange. Batch NFS. In Selected Areas in Cryptography, 2014.Google Scholar
B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In IEEE Symposium on Security and Privacy, 2015.Google ScholarDigital Library
C. Bouvier, P. Gaudry, L. Imbert, H. Jeljeli, and E. Thomé. New record for discrete logarithm in a prime finite field of 180 decimal digits, 2014. http://caramel.loria.fr/p180.txt.Google Scholar
R. Canetti and H. Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In Crypto, 2002. Google ScholarDigital Library
A. Commeine and I. Semaev. An algorithm to solve the discrete logarithm problem with the number field sieve. In PKC, 2006. Google ScholarDigital Library
D. Coppersmith. Solving linear equations over GF(2) via block Wiedemann algorithm. Math. Comp., 62(205), 1994. Google ScholarDigital Library
R. Crandall and C. B. Pomerance. Prime Numbers: A Computational Perspective. Springer, 2001.Google ScholarCross Ref
B. den Boer. Diffie-Hellman is as strong as discrete log for certain primes. In Crypto, 1988. Google ScholarDigital Library
W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, 22(6):644--654, 1976. Google ScholarDigital Library
Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In Usenix Security, 2013. Google ScholarDigital Library
M. Friedl, N. Provos, and W. Simpson. Diffie-Hellman group exchange for the secure shell (SSH) transport layer protocol. RFC 4419, Mar. 2006.Google Scholar
W. Geiselmann, H. Kopfer, R. Steinwandt, and E. Tromer. Improved routing-based linear algebra for the number field sieve. In Information Technology: Coding and Computing, 2005. Google ScholarDigital Library
W. Geiselmann and R. Steinwandt. Non-wafer-scale sieving hardware for the NFS: Another attempt to cope with 1024-bit. In Eurocrypt, 2007. Google ScholarDigital Library
D. Gillmor. Negotiated finite field Diffie-Hellman ephemeral parameters for TLS. IETF Internet Draft, May 2015.Google Scholar
D. M. Gordon. Designing and detecting trapdoors for discrete log cryptosystems. In Crypto, 1992. Google ScholarDigital Library
D. M. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math., 6(1), 1993. Google ScholarDigital Library
D. Harkins and D. Carrel. The Internet key exchange (IKE). RFC 2409, Nov. 1998. Google ScholarDigital Library
T. Jager, K. G. Paterson, and J. Somorovsky. One bad apple: Backwards compatibility attacks on state-of-the-art cryptography. In NDSS, 2013.Google Scholar
A. Joux and R. Lercier. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comp., 72(242):953--967, 2003. Google ScholarDigital Library
C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen. Internet key exchange protocol version 2 (IKEv2). RFC 7296, Oct. 2014.Google Scholar
S. Kent. IP authentication header. RFC 4302, Dec. 2005.Google Scholar
S. Kent. IP encapsulating security payload (ESP). RFC 4303, Dec. 2005.Google Scholar
T. Kleinjung. Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024 bit integers, 2006. http://www.hyperelliptic.org/tanja/SHARCS/talks06/thorsten.pdf.Google Scholar
T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. te Riele, A. Timofeev, and P. Zimmermann. Factorization of a 768-bit RSA modulus. In Crypto, 2010. Google ScholarDigital Library
A. Langley, N. Modadugu, and B. Moeller. Transport layer security (TLS) false start. IETF Internet Draft, 2010.Google Scholar
A. K. Lenstra and H. W. Lenstra, Jr., editors. The Development of the Number Field Sieve. Springer, 1993.Google ScholarCross Ref
M. Lipacis. Semiconductors: Moore stress = structural industry shift. Technical report, Jefferies, 2012.Google Scholar
U. M. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Crypto, 1994. Google ScholarDigital Library
U. M. Maurer and S. Wolf. Diffie-Hellman oracles. In Crypto, 1996. Google ScholarDigital Library
N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In ACM CCS, pages 62--72, 2012. Google ScholarDigital Library
C. Meadows. Analysis of the Internet key exchange protocol using the NRL protocol analyzer. In IEEE Symposium on Security and Privacy, 1999.Google ScholarCross Ref
Microsoft Security Bulletin MS15-055. Vulnerability in Schannel could allow information disclosure, May 2015. https://technet.microsoft.com/en-us/library/security/ms15-055.aspx.Google Scholar
NIST. FIPS PUB 186--4: Digital signature standard, 2013.Google Scholar
Oak Ridge National Laboratory. Introducing Titan, 2012. https://www.olcf.ornl.gov/titan.Google Scholar
H. Orman. The Oakley key determination protocol. RFC 2412, Nov. 1998. Google ScholarDigital Library
S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over $\mathrmGF(p)$ and its cryptographic significance (corresp.). Trans. Inform. Theory, 24(1), 1978. Google ScholarDigital Library
J. M. Pollard. A Monte Carlo method for factorization. BIT Numerical Mathematics, 15(3):331--334, 1975.Google ScholarDigital Library
O. Schirokauer. Virtual logarithms. J. Algorithms, 57(2):140--147, 2005. Google ScholarDigital Library
I. A. Semaev. Special prime numbers and discrete logs in finite prime fields. Math. Comp., 71(237):363--377, 2002. Google ScholarDigital Library
D. Shanks. Class number, a theory of factorization, and genera. In Proc. Sympos. Pure Math., volume 20. 1971.Google Scholar
Spiegel Staff. Prying eyes: Inside the NSA's war on Internet security. Der Spiegel, Dec 2014. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html.Google Scholar
W. Stein et al. Sage Mathematics Software (Version 6.5). The Sage Development Team, 2015. http://www.sagemath.org.Google Scholar
stud: The scalable TLS unwrapping daemon, 2012. https://github.com/bumptech/stud/blob/19a7f19686bcdbd689c6fbea31f68a276e62d886/stud.c#L593.Google Scholar
E. Thomé. Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. J. Symbolic Comput., 33(5):757--775, 2002. Google ScholarDigital Library
P. C. Van Oorschot and M. J. Wiener. Parallel collision search with application to hash functions and discrete logarithms. In ACM CCS, 1994. Google ScholarDigital Library
P. C. Van Oorschot and M. J. Wiener. On Diffie-Hellman key agreement with short exponents. In Eurocrypt, 1996. Google ScholarDigital Library
D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In 2nd Usenix Workshop on Electronic Commerce, 1996. Google ScholarDigital Library
J. Wagnon. SSL profiles part 5: SSL options, 2013. https://devcentral.f5.com/articles/ssl-profiles-part-5-ssl-options.Google Scholar
P. Zimmermann et al. GMP-ECM, 2012. https://gforge.inria.fr/projects/ecm.Google Scholar
APEX active/passive exfiltration. Media leak, Aug. 2009. http://www.spiegel.de/media/media-35671.pdf.Google Scholar
Fielded capability: End-to-end VPN SPIN 9 design review. Media leak. http://www.spiegel.de/media/media-35529.pdf.Google Scholar
FY 2013 congressional budget justification. Media leak. http://cryptome.org/2013/08/spy-budget-fy13.pdf.Google Scholar
GALLANTWAVE@scale. Media leak. http://www.spiegel.de/media/media-35514.pdf.Google Scholar
Innov8 experiment profile. Media leak. http://www.spiegel.de/media/media-35509.pdf.Google Scholar
Intro to the VPN exploitation process. Media leak, Sept. 2010. http://www.spiegel.de/media/media-35515.pdf.Google Scholar
LONGHAUL -- WikiInfo. Media leak. http://www.spiegel.de/media/media-35533.pdf.Google Scholar
POISONNUT -- WikiInfo. Media leak. http://www.spiegel.de/media/media-35519.pdf.Google Scholar
SIGINT strategy. Media leak. http://www.nytimes.com/interactive/2013/11/23/us/politics/23nsa-sigint-strategy-document.html.Google Scholar
SPIN 15 VPN story. Media leak. http://www.spiegel.de/media/media-35522.pdf.Google Scholar
TURMOIL/APEX/APEX high level description document. Media leak. http://www.spiegel.de/media/media-35513.pdf.Google Scholar
TURMOIL IPsec VPN sessionization. Media leak, Aug. 2009. http://www.spiegel.de/media/media-35528.pdf.Google Scholar
TURMOIL VPN processing. Media leak, Oct. 2009. http://www.spiegel.de/media/media-35526.pdf.Google Scholar
VALIANTSURF (VS): Capability levels. Media leak. http://www.spiegel.de/media/media-35517.pdf.Google Scholar
VALIANTSURF -- WikiInfo. Media leak. http://www.spiegel.de/media/media-35527.pdf.Google Scholar
VPN SigDev basics. Media leak. http://www.spiegel.de/media/media-35520.pdf.Google Scholar
What your mother never told you about SIGDEV analysis. Media leak. http://www.spiegel.de/media/media-35551.pdf.Google Scholar

Index Terms

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
    2. Public key (asymmetric) techniques
      1. Public key encryption
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Imperfect forward secrecy: how Diffie-Hellman fails in practice

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "...
Read More
Certificateless Broadcast Signcryption with Forward Secrecy
CIS '11: Proceedings of the 2011 Seventh International Conference on Computational Intelligence and Security

Certificate less cryptography achieves the best of the two worlds: it inherits from identity-based techniques a solution to the certificate management problem in public-key encryption, whilst removing the secret key escrow functionality inherent to the ...
Read More
Kleptography: using cryptography against cryptography
EUROCRYPT'97: Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques

The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) has been recently introduced. In this paper we extend the study of stealing information securely and subliminally from black-box cryptosystems. The SETUP mechanisms presented ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015
1750 pages
ISBN:9781450338325
DOI:10.1145/2810103
General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA
Copyright © 2015 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 October 2015
Check for updates
Badges
- Best Paper
Author Tags
Diffie-Hellman
internet measurement
logjam
number field sieve
vulnerabilities
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '15 Paper Acceptance Rate128of660submissions,19%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 233
  Total Citations
  View Citations
- 7,089
  Total Downloads
- Downloads (Last 12 months)1,245
- Downloads (Last 6 weeks)129
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Imperfect forward secrecy: how Diffie-Hellman fails in practice

Certificateless Broadcast Signcryption with Forward Secrecy

Kleptography: using cryptography against cryptography