Author : Naresh T A

The TLS protocol is vulnerable once again. This time the weakness is called the Logjam attack, and it is the most recent in a long list of weaknesses identified in the SSL/TLS protocol since it was introduced. The vulnerability lies in the Diffie-Hellman key exchange and was identified by research teams from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania.

Logjam is very similar to the FREAK attack, in the sense that it also exploits the availability and use of export ciphers; but while FREAK exploits the RSA key exchange, Logjam exploits the DH key exchange. Export ciphers are a relic of the Cold War era, in which the U.S. Government restricted the export of software with strong cryptographic algorithms to countries it perceived as enemies, allowing it to eavesdrop on them more easily.

Even though these restrictions no longer exist, a large number of cryptographic libraries continue to support and offer these ciphers. Let's first understand how the handshake and key exchange work.

The Handshake

In the initial phase (called the handshake), when a connection is being established between two systems, the following steps happen:

  1. The client sends a message (called Client Hello) telling the server which cipher suites (algorithms) it supports.
  2. The server picks a cipher suite from the list sent by the client, then picks a set of parameters for the key exchange and performs a set of computations.
  3. The chosen cipher suite, the parameters and the result of the computation are signed by the server using its certificate and sent to the client (called Server Hello).
  4. The client verifies the signature, extracts the parameters and performs its own computations on them, which are sent back to the server.

Once this is done, both systems use the parameters and computations to separately arrive at the same common key. This is the shared secret key and is used by both the systems to encrypt future communications in the session.

Key Exchange

The algorithm that allows two systems to generate a common key by sharing only a few computations is called the key exchange algorithm. The most commonly used ones are RSA, DH and, more recently, ECDH.

The DH (Diffie-Hellman) algorithm, the oldest of the three, makes use of the fact that it is extremely difficult for computers to calculate discrete logarithms of large numbers in a finite group defined by a large prime.

These large primes are the parameters that are chosen by both the client and the server during the handshake process. When export cipher suites are used, the sizes of the parameters chosen are limited to 512-bits in length.

A 512-bit key was considered good enough on its own. Even though most libraries choose these keys from a single group of primes, this was considered secure as long as a new key was chosen for each connection.
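The handshake steps and the DH key exchange above, as an added example that is not part of the original post: the server picks a group, the client checks the group size before using it (the 2048-bit minimum is a policy I assume for this example), both sides derive the same secret, and a brute-force discrete log over a constructed toy group shows why the attacker's cost is set by the group size rather than by the per-connection key.

```python
import secrets

EXPORT_DH_BITS = 512          # size that export-grade suites were limited to
MIN_ACCEPTED_DH_BITS = 2048   # assumption: client policy chosen for this example


def dh_group_is_acceptable(p, g, min_bits=MIN_ACCEPTED_DH_BITS):
    """Client-side check of a server-chosen DH group: size and generator range.
    Primality of p is assumed to be checked elsewhere; this is the size check
    that stops an export-size (512-bit) group from being used at all."""
    return p.bit_length() >= min_bits and 2 <= g <= p - 2


def dh_keypair(p, g):
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(p, peer_public, private):
    """Derive the shared secret, rejecting the degenerate peer values 0, 1 and p-1."""
    if not (2 <= peer_public <= p - 2):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def handshake(p, g, min_bits=MIN_ACCEPTED_DH_BITS):
    """Steps 2-4 of the handshake; returns (server_secret, client_secret)."""
    server_priv, server_pub = dh_keypair(p, g)            # step 2: server computes
    if not dh_group_is_acceptable(p, g, min_bits):        # client inspects parameters
        raise ValueError(f"rejecting DH group of {p.bit_length()} bits")
    client_priv, client_pub = dh_keypair(p, g)            # step 4: client computes
    return (dh_shared_secret(p, client_pub, server_priv),
            dh_shared_secret(p, server_pub, client_priv))


def brute_force_discrete_log(p, g, public):
    """Exhaustive discrete log: feasible only for a toy group, included to show
    that the work depends on p, not on which session key was chosen."""
    for x in range(1, p - 1):
        if pow(g, x, p) == public:
            return x
    return None


# Constructed toy group for demonstration only (textbook p=23, g=5).
TOY_P, TOY_G = 23, 5
```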

The Attack

The research team modified the general number field sieve, the most efficient algorithm for calculating discrete logs for a given prime, so that its first step could be pre-computed. Since most implementations only use primes from a known common group, the researchers could pre-compute part of the work with the algorithm and then calculate individual discrete logs for 512-bit primes in a few minutes.

Furthermore, the same technique was evaluated against 768-bit and 1024-bit primes and was found to be within reach of capable adversaries.

The Logjam attack applies not only to TLS but to any protocol that uses the DH algorithm, including IPsec and SSH.

The Impact

An attacker who is able to intercept and store communication that uses weak DH ciphers would be able to recover the encryption key offline and, as a result, decrypt the entire communication.

Even if the connection does not use EXPORT DH ciphers by default, an attacker can mount a man-in-the-middle attack to downgrade the connection and later decrypt it offline.

Testing for Logjam

The research team that identified Logjam has created a website for quickly testing whether you are vulnerable. For checking clients you can go to https://weakdh.org, and for testing servers you can use the tool at https://weakdh.org/sysadmin.html.

Mitigations

  1. Disable all EXPORT cipher suites: Although export-grade cryptography is no longer supported by modern browsers, an adversary can trick them into supporting it.
  2. Use ECDH over DH: Elliptic-Curve Diffie-Hellman prevents all known cryptanalytic attacks on the original DH and should be preferred over DH.
  3. Use a strong, unique DH group: Each server should generate its own 2048-bit or stronger DH group.

The instructions for configuring many different kinds of servers to mitigate logjam can be found here.
