Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
David Adrian (1) , Karthikeyan Bhargavan (2) , Zakir Durumeric (1) , Pierrick Gaudry (3) , Matthew Green (4) , J. Alex Halderman (1) , Nadia Heninger (5) , Drew Springall (4) , Emmanuel Thomé (3) , Luke Valenta (5) , Benjamin Vandersloot (1) , Eric Wustrow (1) , Santiago Zanella-Béguelin (6) , Paul Zimmermann (3)
Abstract
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. A small number of fixed or standardized groups are in use by millions of servers. Performing precomputations for just ten of these groups would allow a passive eavesdropper to decrypt traffic to up to 66% of IPsec VPN servers, 26% of SSH servers, 24% of popular HTTPS sites, or 16% of SMTP servers. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
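The abstract notes that the browser-side mitigation is to reject short Diffie-Hellman groups. The following is an added example, not code from the paper or its authors: it parses the ServerDHParams structure a TLS 1.2 server sends in ServerKeyExchange (three 16-bit length-prefixed vectors p, g, Ys) and applies a minimum-group-size policy. The 2048-bit threshold, the helper names and the sample parameters are assumptions for the example; primality of p is not checked here.

```python
# Added example: defender-side check of TLS DHE parameters against a
# minimum group size, mirroring the "reject short groups" mitigation.
# ServerDHParams (RFC 5246 wire format):
#   opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
import struct

MIN_DH_BITS = 2048  # policy threshold assumed for this example


def _read_vec16(buf, off):
    """Read one 2-byte length-prefixed vector; return (bytes, new offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(buf):
    """Parse ServerDHParams bytes into integers (p, g, Ys)."""
    p, off = _read_vec16(buf, 0)
    g, off = _read_vec16(buf, off)
    ys, off = _read_vec16(buf, off)
    return (int.from_bytes(p, "big"),
            int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def check_dh_params(buf, min_bits=MIN_DH_BITS):
    """Return (accepted, reason). Rejects export/short primes (512, 768,
    1024 bits) under the default policy and sanity-checks g and Ys."""
    p, g, ys = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"group too small: {bits}-bit prime (< {min_bits})"
    if g < 2:
        return False, "generator out of range"
    if not (1 < ys < p - 1):
        return False, "server public value out of range"
    return True, f"{bits}-bit group accepted"


def encode_server_dh_params(p, g, ys):
    """Constructed helper: build sample ServerDHParams bytes for testing."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out
```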
https://inria.hal.science/hal-01184171
Submitted on: Saturday 22 August 2015, 17:03:31
Last modified on: Wednesday 24 December 2025, 11:40:03
Long-term archiving on: Wednesday 26 April 2017, 10:21:17
Dates and versions
hal-01184171, version 1 (13-08-2015)
hal-01184171, version 2 (22-08-2015)
Identifiers
- HAL Id: hal-01184171, version 2
- DOI: 10.1145/2810103.2813707
Cite
David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Oct 2015, Denver, Colorado, United States. pp. 5-17, ⟨10.1145/2810103.2813707⟩. ⟨hal-01184171v2⟩
1694 Views
1750 Downloads