Skip to content

‘Logjam’ crypto bug could be how the NSA cracked VPNs

20/05/2015

http://www.theregister.co.uk/2015/05/20/logjam_johns_hopkins_cryptoboffin_ids_next_branded_bug/

Johns Hopkins crypto researcher Matthew Green thinks he might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman crytography.

In what’s bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be forced to downgrade a connection to that weak level. The server – and therefore the client – will both still believe they’re using stronger keys such as 768-bit or 1024-bit.

Like so many things – including the similar FREAK flaw – the bug is ancient: a 20-year-old SSL bug that was inherited by TLS.

Green has hosted a site discussing what’s being called “Logjam”, Weakdh.org, with a detailed academic paper here (PDF).

Green’s already been in touch with the major browser vendors, and says they’re in the process of implementing a more restrictive policy on the size of Diffie-Hellman groups they will accept.

Logjam is another exploit of the 1990s-era crypto-wars: “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the paper notes.

Because “export grade” hangs around in ciphersuites, “a man-in-the-middle can force TLS clients to use export strength DH with any server that allows DHE_EXPORT.”

“The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable,” Green writes at the Logjam site.

logjam test

Where 512-bit keys are supported, after an initial long computation, Green writes that “an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18 per cent of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66 per cent of VPN servers and 26 per cent of SSH servers.”

That’s where the spooks come in: “A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”

****

White Paper

https://weakdh.org/imperfect-forward-secrecy.pdf

Advertisements
One Comment
  1. Reblogged this on TheFlippinTruth.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: