Imperfect forward secrecy: How Diffie-Hellman fails in practice
David Adrian (1), Karthikeyan Bhargavan (2), Zakir Durumeric (1), Pierrick Gaudry (3), Matthew Green (4), J. Alex Halderman (1), Nadia Heninger (5), Drew Springall (4), Emmanuel Thomé (3), Luke Valenta (6), Benjamin Vandersloot (1), Eric Wustrow (1), Santiago Zanella-Béguelin (7), Paul Zimmermann (3)
Abstract
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete logarithm algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logarithms in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, and that 8.4% of Alexa Top Million HTTPS sites are vulnerable to the attack. In response, major browsers have changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Domains
https://inria.hal.science/hal-01982426
Submitted on: Tuesday, 15 January 2019, 16:20:30
Last modified on: Tuesday, 17 February 2026, 15:38:02
Long-term archiving on: Tuesday, 16 April 2019, 16:01:23
Dates and versions
hal-01982426, version 1 (15-01-2019)
License
Identifiers
- HAL Id: hal-01982426, version 1
- DOI: 10.1145/3292035
Cite
David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, et al. Imperfect forward secrecy: How Diffie-Hellman fails in practice. Communications of the ACM, 2018, 62 (1), pp. 106-114. ⟨10.1145/3292035⟩. ⟨hal-01982426⟩
787 Views
646 Downloads