Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman crytography.
In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be forced to downgrade a connection to that weak level. The server – and therefore the client – will both still believe they're using stronger keys such as 768-bit or 1024-bit.
Like so many things – including the similar FREAK flaw – the bug is ancient: a 20-year-old SSL bug that was inherited by TLS.
Green's already been in touch with the major browser vendors, and says they're in the process of implementing a more restrictive policy on the size of Diffie-Hellman groups they will accept.
Logjam is another exploit of the 1990s-era crypto-wars: “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the paper notes.
Because “export grade” hangs around in ciphersuites, “a man-in-the-middle can force TLS clients to use export strength DH with any server that allows DHE_EXPORT.”
“The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable,” Green writes at the Logjam site.
Where 512-bit keys are supported, after an initial long computation, Green writes that “an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18 per cent of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66 per cent of VPN servers and 26 per cent of SSH servers.”
That's where the spooks come in: “A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.”
Anyone running a Web or mail server need to disable export-grade cipher suites and generate a new and unique 2048-bit Diffie-Hellman group. Users need to watch for browser upgrades, and developers need to use the latest libraries and reject Diffie-Hellman groups shorter than 1024 bits. ®
*Bootnote: Matthew Green contacted the author to ask that credit be more appropriately distributed. He said most of the work on Logjam was carried out by INRIA, the University of Michigan, Microsoft and the University of Pennsylvania. ®