Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Abstract
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete logarithm algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logarithms in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, and that 8.4% of Alexa Top Million HTTPS sites are vulnerable to the attack. In response, major browsers have changed to reject short groups.
We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
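The practical check that follows from the abstract is to look at the Diffie-Hellman group a server actually offers and flag the two cases it warns about: an export-grade (512-bit) prime, and a 1024-bit-class prime, especially one of the standardized groups shared by a large fraction of servers, since a single precomputation for such a group pays off against every server using it. The script below is an added example, not code from the paper: it parses the DH parameters out of a TLS 1.2 DHE ServerKeyExchange message (the layout in RFC 5246 section 7.4.3), checks that the prime is actually prime, and classifies it by size and by membership in a small table of shared groups. The thresholds (reject at or below 512, reject below 1024, warn below 2048) are this example's choice, mirroring the abstract's numbers; the abstract does not state which bit length browsers now reject. The 1024-bit prime in the table is Oakley group 2 from RFC 2409 (the IKE default); the abstract does not name which shared 1024-bit group its VPN figure refers to, so listing this one is an assumption. The sample messages are constructed here, and the 512-bit prime is generated locally rather than being the real export group.

```python
"""Logjam-style assessment of the DH group offered in a TLS ServerKeyExchange.

Added example, not the paper's code. Parses dh_p/dh_g/dh_Ys from a TLS 1.2
DHE ServerKeyExchange (RFC 5246 7.4.3), tests p for primality, and reports
whether p is export-grade, 1024-bit class, or a known widely shared group.
"""
import random
import struct

# "Second Oakley Group": the 1024-bit MODP prime from RFC 2409 section 6.2.
OAKLEY_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)

# Primes known to be shared by many servers (assumption for this example: the
# table only lists Oakley group 2). One precomputation against a shared group
# amortizes over every server that uses it.
SHARED_GROUPS = {OAKLEY_GROUP2_P: "RFC 2409 Oakley group 2 (1024-bit MODP)"}

_RNG = random.Random(2015)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; catches a composite p sent by a misconfigured server."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _read_vector(buf, off):
    """Read one <1..2^16-1> opaque vector (2-byte length prefix) at buf[off:]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("malformed DH parameter vector")
    return buf[off:off + n], off + n


def parse_server_key_exchange(msg):
    """Return {'p','g','Ys'} from a handshake message of type 12 (server_key_exchange).
    Layout: 1-byte type, 3-byte length, dh_p, dh_g, dh_Ys, then a signature (ignored)."""
    if len(msg) < 4 or msg[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    p, off = _read_vector(body, 0)
    g, off = _read_vector(body, off)
    ys, off = _read_vector(body, off)
    return {"p": int.from_bytes(p, "big"), "g": int.from_bytes(g, "big"),
            "Ys": int.from_bytes(ys, "big")}


def assess_group(p):
    """Return (bit length, level, shared-group name or None).
    level: 'composite', 'export' (<=512), 'short' (<1024), 'weak' (<2048), 'ok'."""
    bits = p.bit_length()
    if not is_probable_prime(p):
        level = "composite"
    elif bits <= 512:
        level = "export"   # Logjam target: about a week of precomputation, then ~1 minute per log
    elif bits < 1024:
        level = "short"
    elif bits < 2048:
        level = "weak"     # 1024-bit class: precomputation plausible with nation-state resources
    else:
        level = "ok"
    return bits, level, SHARED_GROUPS.get(p)


def build_server_key_exchange(p, g, ys):
    """Encode dh_p, dh_g, dh_Ys as an unsigned ServerKeyExchange; used here only
    to construct sample input."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    return bytes([12]) + len(body).to_bytes(3, "big") + body


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


# Constructed samples: a locally generated 512-bit prime standing in for an
# export group (not the real Apache export group), and Oakley group 2.
EXPORT_P = _random_prime(512, random.Random(512))
EXPORT_MSG = build_server_key_exchange(EXPORT_P, 2, pow(2, 123456789, EXPORT_P))
GROUP2_MSG = build_server_key_exchange(OAKLEY_GROUP2_P, 2, pow(2, 987654321, OAKLEY_GROUP2_P))

if __name__ == "__main__":
    for name, msg in (("export-grade sample", EXPORT_MSG), ("Oakley group 2", GROUP2_MSG)):
        bits, level, shared = assess_group(parse_server_key_exchange(msg)["p"])
        print(f"{name}: {bits}-bit prime, {level}" + (f", shared group: {shared}" if shared else ""))
```

Fed a real ServerKeyExchange captured from a handshake that negotiated a DHE cipher suite, `assess_group` gives the same three signals a post-Logjam client applies: refuse anything export-sized, treat any 1024-bit prime as within reach of a well-resourced adversary, and treat a match in the shared-group table as the worst case, since the precomputation cost has already been paid for every server using that prime.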