Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Abstract : We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to " export-grade " Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768-and 1024-bit groups. A small number of fixed or standardized groups are in use by millions of servers. Performing precomputations for just ten of these groups would allow a passive eavesdropper to decrypt traffic to up to 66% of IPsec VPN servers, 26% of SSH servers, 24% of popular HTTPS sites, or 16% of SMTP servers. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Type de document :
Communication dans un congrès
ACM CCS 2015, Oct 2015, Denver, Colorado, United States. Proceedings of the 2015 ACM SIGSAC Conference on Computer and Communications Security, pp.14, 2015 ACM SIGSAC Conference on Computer and Communications Security. <10.1145/2810103.2813707>
Liste complète des métadonnées


https://hal.inria.fr/hal-01184171
Contributeur : Pierrick Gaudry <>
Soumis le : samedi 22 août 2015 - 17:03:31
Dernière modification le : mardi 13 décembre 2016 - 15:41:47
Document(s) archivé(s) le : mercredi 26 avril 2017 - 10:21:17

Fichier

logjam.pdf
Publication financée par une institution

Identifiants

Citation

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, et al.. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. ACM CCS 2015, Oct 2015, Denver, Colorado, United States. Proceedings of the 2015 ACM SIGSAC Conference on Computer and Communications Security, pp.14, 2015 ACM SIGSAC Conference on Computer and Communications Security. <10.1145/2810103.2813707>. <hal-01184171v2>

Partager

Métriques

Consultations de
la notice

495

Téléchargements du document

547