Another crypto downgrade attack: Logjam

By Jake Edge
May 20, 2015

If more evidence was needed that deliberately weakening cryptographic algorithms based on politics is likely to go astray, the new Logjam attack against TLS seems to provide it. All of that evidence probably won't stop politicians (and others) from further attempts to cripple crypto, sadly, but it may at least provide some guidance to those who must implement those decisions down the road. In the meantime, though, there is yet another attack against the encryption used by the web and other internet protocols.

Downgrade attack

There are two related pieces to Logjam. The first is a crypto downgrade attack (somewhat akin to the FREAK attack) that, once again, abuses the export-strength ciphers that were mandated by the US government and are often still supported for backward compatibility. In this case, though, the attack is against Diffie-Hellman (DH) key exchange, rather than the RSA keys targeted by FREAK. Also unlike FREAK, the Logjam crypto downgrade attack uses a flaw in the TLS protocol instead of exploiting a bug in some TLS implementations.

The basic problem that Logjam exploits is that the message a server sends for key exchange can be undetectably replaced with a weaker variant. The message that uses a DH key that has been restricted to using prime numbers of at most 512 bits for political reasons (i.e. DHE_EXPORT ciphers) and one that uses the non-export variety can't be distinguished by clients. So a properly functioning server that supports, but does not prefer, DHE_EXPORT ciphers will send a key exchange message using a 1024-bit (or larger) DH group (i.e. one that has been derived from a 1024-bit prime). A man in the middle can intercept that message and rewrite it using the server's 512-bit group without alerting the client that anything has changed.

It turns out that the vast majority of servers that support DHE_EXPORT also use the same 512-bit prime number. The Logjam paper [PDF] shows that 82% of DHE_EXPORT-supporting web servers used a prime that had been distributed with the Apache web server for a number of years. It also reports that nearly 5% of the 14.3 million HTTPS web sites supported DHE_EXPORT, so roughly 4% of the net is using that one prime number. This practice was not seen as a problem, as the paper notes:

When primes are of sufficient strength, there seems to be no disadvantage to reusing them. However, widespread reuse of Diffie-Hellman groups can convert attacks that are at the limits of an adversary’s capabilities into devastating breaks, since it allows the attacker to amortize the cost of discrete log precomputation among vast numbers of potential targets.

In order to exploit the downgrade to DHE_EXPORT, an attacker needs to be able to calculate discrete logarithms in near real-time. It is a nearly impossible math problem, but one that is made vastly easier with access to the prime number of interest. Using that, the man in the middle can precompute values that allow it to extract the session key from the key exchange. Once that is obtained, the man in the middle can pretend to be the server with impunity; the client will be none the wiser.

On a system with four six-core Xeon processors, the researchers' proof of concept was able to crack the session key in an average of 90 seconds. That may seem like a long time for users to wait for the browser to connect to the server—and it is, at least for interactive sessions. There are a number of techniques described in the paper to work around that delay.

To start with, non-interactive uses, such as curl or Git, are often unattended so they have long timeouts and "we could hijack their connections without much difficulty". There is a TLS warning alert mechanism that can be used to reset the browsers' handshake timers. The delay still might be noticed by the user, however, so the attacker might choose to compromise a request for some background resource that won't delay the page display. There is also the fact that many TLS implementations cache their ephemeral key and reuse it multiple times; that allows the calculation to be done once and to be used again and again. Beyond that, more optimization or more powerful systems could potentially reduce the average time to crack the key substantially.

Diffie-Hellman and state-level attackers

The second piece of the Logjam report looks at how vulnerable the DH key exchange is to attack when there is no downgrade ability. Once again, various protocols often use (or even specify) the same prime numbers everywhere. The paper specifically mentions SSH, TLS, and Internet Key Exchange (IKE) which is used by IPsec. Currently, 768-bit DH groups are fairly widespread and the paper estimates that precomputing the values needed would require around 36,000 core-years, which is "within reach by computing power available to academics". Once that precomputation is done, doing a single 768-bit discrete log computation is on the order of two core-days.

Perhaps even more eye-opening, though, is that 1024-bit DH groups are estimated to be crackable by state-level attackers (i.e. governments and their ilk). Precomputation is on the order of 45 million core-years, which is an enormous effort, but could be reduced with specialized hardware. Once that was done, the discrete log calculations could be done in roughly 30 core-days. That estimate leads to a possible answer to a question that has been asked frequently in the crypto community:

Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?

Documents leaked by Snowden indicate that the NSA has been passively decrypting virtual private network (VPN) traffic. The paper concludes that the documented information is consistent with an attack against the 1024-bit DH group used by IKE. That doesn't mean it is the mechanism used by the NSA, but it could be.

That leads the authors of the paper (David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann) to a number of recommendations. Disabling DHE_EXPORT ciphers, and configuring the other DHE ciphers to use groups of 2048 bits or larger, head that list. Browsers and other clients should require groups of at least 1024 bits to avoid the downgrade attack but still interoperate with servers that have not been upgraded.

Avoiding fixed-prime groups is another recommendation, as is transitioning to elliptic curve DH (ECDH), which does not provide as much of an advantage for precomputation. The parameters for ECDH still need to be worked out—those recommended by the US government are viewed with suspicion due to NSA influence on their choice.

The last two recommendations are admonishments to politicians and the crypto community respectively. First: "In combination with FREAK, our attacks warn of the long-term debilitating effects of deliberately weakening cryptography." But there is also lots of room for better communication by the crypto community:

Although the cheaper cost of individual discrete logs was known to cryptographers, it appears to not have been as widely understood by implementers. Indeed, many implementations believed RSA key exchange to be inferior to Diffie-Hellman, which offered forward secrecy. Ironically, the opposite appears to be true: for a medium-value target, a fresh, well-generated 1024-bit RSA key would be significantly more expensive to factor than a 1024-bit discrete log in a group for which precomputation has already been done.

For those wanting to check their status, the Logjam web site will warn if their browser is susceptible to the attack (i.e. if it will accept DH groups with less than 1024 bits). Another page provides tools to test servers and information on how to upgrade those that are found to have an inadequate DH group size (i.e. less than 2048). For example, the LWN.net server needs an upgrade to its DH group, which we will be taking care of soon.

This research is quite timely, interesting, and important, though it may not require a "drop everything" response—at least for sites that don't support DHE_EXPORT. For those that believe their traffic may be targeted by state-level attackers, however, prudence would seem to indicate a faster response. At this point, after the information leaked by Snowden and others, these kinds of attacks seem a little less surprising—we have known that secret services were decrypting lots of this data for some time. Now, at least, we may know some of the "how" as well.

Index entries for this article
Security	Transport Layer Security (TLS)
Security	Vulnerabilities/Crypto downgrade

Another crypto downgrade attack: Logjam

Posted May 21, 2015 7:24 UTC (Thu) by nmav (guest, #34036) [Link] (1 responses)

The paper looks like it is hastily written and uses very sloppy language confusing people not familiar with TLS. There are no DHE_EXPORT ciphersuites, and the DH key exchange was never crippled due to export restrictions, it was simply not allowed in export mode. So there is no way to disable them as the article suggests. In TLS there are the DHE ciphersuites which can be used with short parameters without most clients complaining about them. What the researchers found is that there is software in the wild which uses a default set of DHE parameters which are extremely short.

Another crypto downgrade attack: Logjam

Posted May 21, 2015 7:43 UTC (Thu) by nmav (guest, #34036) [Link]

And to correct myself there is DHE_RSA_EXPORT used with DES40 for this attack. Never thought that these ciphersuites were even implemented, even more present on real web sites.

Postfix?

Posted May 21, 2015 9:10 UTC (Thu) by inganman (guest, #8234) [Link]

Does this also apply to postfix?

There is a option "smtpd_tls_dh512_param_file" that "should use with export-grade EDH ciphers" ( http://www.postfix.org/postconf.5.html )

Another crypto downgrade attack: Logjam

Posted May 21, 2015 14:34 UTC (Thu) by cesarb (subscriber, #6266) [Link]

CloudFlare's explanation of Logjam: https://blog.cloudflare.com/logjam-the-latest-tls-vulnera...

And what about SSH?

Posted May 21, 2015 14:48 UTC (Thu) by cesarb (subscriber, #6266) [Link] (5 responses)

People seem to be talking mostly about TLS (where the break is more worrying), so I couldn't find enough information to answer the following question:

How much should we worry about SSH?

From my quick look at the "ssh -v" output, it seems to require at least a 1024-bit DH group when not using the newer elliptic curves. From what I have read, the DH group used comes from /etc/ssh/moduli, which doesn't seem to be regenerated on install at least on Ubuntu (I already found two machines with identical /etc/ssh/moduli files on a quick look). Would a state-level attacker have done the required precomputation for the /etc/ssh/moduli found in common Linux distributions?

And what about SSH?

Posted May 22, 2015 14:33 UTC (Fri) by robbe (guest, #16131) [Link]

https://weakdh.org/sysadmin.html (linked in the article) not only has instructions for a couple of webservers, but also for ssh, postfix, etc.

And what about SSH?

Posted May 22, 2015 14:59 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (3 responses)

Yes, it is reasonable to think that a resourceful state actor _might_ have pre-computed answers for this popular modulus. This would allow them to passively eavesdrop SSH sessions using conventional DH with the affected settings, and also of course if they have complete transcripts, to play back older sessions using those settings. Likewise someone who cannot afford the work today, but does keep transcripts of encrypted sessions, will know that in the future they may be able to afford to decode them.

Regenerating the values should be done very carefully, or else not at all, since erroneous inputs destroy the security of DH entirely. Switching towards Elliptic Curves may be a better choice.

And what about SSH?

Posted May 22, 2015 21:04 UTC (Fri) by wahern (subscriber, #37304) [Link] (2 responses)

In retrospect we would have been better off randomly generating primes for DH rather than using fixed ones. Yes, you may generate a non-strong prime. But the likelihood is extraordinarily low as long as you generate what's called a safe prime. Fortunately, OpenSSL generates safe primes. (See crypto/dh/dh_gen.c.) It's why `openssl dhparam 1024` takes so much longer than `openssl genrsa 1024`.

In other words, just use OpenSSL to generate new DH parameters and move on to improving the rest of your software and infrastructure.

And what about SSH?

Posted May 24, 2015 9:35 UTC (Sun) by reubenhwk (guest, #75803) [Link] (1 responses)

generating a new DH* in OpenSSL can be very slow, especially 1024+ bits. It's not something you really want to do on startup. Better to read the p & g params from a file, then fork off a new process to generate new p & g in the background then write them out when done...

And what about SSH?

Posted May 27, 2015 17:40 UTC (Wed) by flussence (guest, #85566) [Link]

Something seems off here: `openssl dhparam 3072` takes 3-4 minutes for me on a fairly high end Intel server CPU, which is in line with what you said, but the gnutls equivalent `certtool --generate-dh-params --sec-param=high` takes 1-2 *seconds*.

Red Hat's Logjam Knowledgebase article

Posted May 21, 2015 18:43 UTC (Thu) by dowdle (subscriber, #659) [Link] (1 responses)

https://access.redhat.com/articles/1456263

Summary, RHEL6 (as of 6.6) and 7 are not vulnerable but...

"Red Hat Enterprise Linux 5 does support the export-grade cipher suite in its default cipher list. Red Hat does not plan to change the default cipher list in Red Hat Enterprise Linux 5."

I have left a comment to that and am curious what folks think about that response.

Red Hat's Logjam Knowledgebase article

Posted May 21, 2015 20:36 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

RedHat is pretty conservative with regards for the backwards compatibility. And if you're using RHEL5 (which is 8 years old by now) then you probably have some software that can be even older and supports only EXPORT ciphers or can't support large key size.

Another crypto downgrade attack: Logjam

Posted May 21, 2015 23:32 UTC (Thu) by gerdesj (subscriber, #5446) [Link] (1 responses)

I seem to spend more and more of my time farting around with re-setting up the SSL/TLS for various Apaches and IISs these days.

Some handy hints:
* Test the results and some great articles: https://www.ssllabs.com/ssltest/
* Mozilla's conf generator: https://mozilla.github.io/server-side-tls/ssl-config-gene...
* For those that have to play with something odd: https://www.nartac.com/Products/IISCrypto/

As ever, the above are no substitute for research but they will get you on the right track.

I note that my browser has picked TLS 1.0 on this site which PCI DSS 1.3 has deprecated as not strong enough for those concerned by such things and must be gone by June next year for new systems. See: https://www.pcisecuritystandards.org/documents/Migrating_... (PDF)

Cheers
Jon

Another crypto downgrade attack: Logjam

Posted May 22, 2015 15:08 UTC (Fri) by robbe (guest, #16131) [Link]

I agree that LWN should enable newer TLS variants.

Keeping SSL3 around /may/ be useful to cater to those poor souls still chained to IE on XP... Wikimedia clocks these in at 0.3% of requests, can't imagine that the percentage is higher around here. corbet is certainly aware of the numbers.

Another crypto downgrade attack: Logjam

Posted May 22, 2015 14:49 UTC (Fri) by robbe (guest, #16131) [Link] (4 responses)

I don't understand this quote from the paper:
> would require around 36,000 core-years, which is "within
> reach by computing power available to academics"

Do they mean that a typical academic can commandeer a cluster of 500+ nodes for a year?

I am aware that a significant number of universities house a monster like that, but is "available to academics" really the right expression to use?

Another crypto downgrade attack: Logjam

Posted May 22, 2015 16:40 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

Well, Amazon EC2 routinely has spot nodes available for $0.008 per CPU-hour. So that works out to about $2.5 million USD - not entirely outrageously out of reach for academics, but definitely not a trivial expense.

Another crypto downgrade attack: Logjam

Posted May 22, 2015 20:51 UTC (Fri) by cesarb (subscriber, #6266) [Link] (2 responses)

> Well, Amazon EC2 routinely has spot nodes available for $0.008 per CPU-hour. So that works out to about $2.5 million USD - not entirely outrageously out of reach for academics, but definitely not a trivial expense.

An attacker is not necessarily going to buy all these CPU-hours with their own money. Unlike academics, attackers are not expected to be honest. They are going to hijack Amazon accounts and use them for the computation. The only cost for these attackers would then be an opportunity cost: would breaking the DH key be worth more than the Bitcoins they could get with the same hijacked computing power?

Another crypto downgrade attack: Logjam

Posted May 23, 2015 14:18 UTC (Sat) by ncm (guest, #165) [Link] (1 responses)

Likewise, botnets are available fairly cheaply. A million cores could do a 36000 core-years job in under two weeks, without impairing much the botnet's primary job of DDOSing or SPAM distribution.

We read of botnets being taken over and "shut down" by law enforcement, but without any independent verification. They could as easily have been repurposed for spooks' occasional convenience.

Another crypto downgrade attack: Logjam

Posted May 24, 2015 20:38 UTC (Sun) by robbe (guest, #16131) [Link]

I was specifically referring to the "academics", i.e. people who are held to some standards of ethics by their peers.

If the authors would have written "within reach of medium to large criminal organisations" I wouldn't have batted an eye. You can also replace "criminal" with "operating outside the law" if you want to include rather than imply spooks.

Children

Posted May 27, 2015 0:38 UTC (Wed) by ras (subscriber, #33059) [Link]

> All of that evidence probably won't stop politicians (and others) from further attempts to cripple crypto,

Of course not. They are like kids.

No matter how often you tell them if they play with matches they have to be burnt several times before the lesson it learnt. And when after many teary lessons you start to relax because the job is done, along comes the next generation. It never ends.

As I get older, I find I have less and less the patience for it. Fortunately mothers do, otherwise our species would be here today. Unfortunately, most mothers don't understand the importance of good crypto. So there is a never-ending task of training the pollies. I don't have the patience for that either. Thank god for the EFF.