LAS VEGAS – The FREAK, LOGJAM and DROWN attacks of the last 17 months weren’t just the work of academics and security researchers who found a cool way to unmask encrypted traffic. They were ugly reminders of the Crypto Wars of the 1990s and why export-grade cryptography and intentional encryption backdoors are fraught with potential trouble.
FREAK and LOGJAM let an attacker sitting in the network path downgrade a TLS connection's key exchange, RSA and Diffie-Hellman respectively, to export-grade parameters; DROWN turns a server's leftover SSLv2 export-cipher support into an oracle for decrypting TLS sessions that use the same RSA key. Export-grade ciphers were deliberately weakened versions that the U.S. government required in products shipped outside the country. Support for them should have been removed long ago, but as was discovered in a 364-day span starting in March 2015, that wasn't so.
With FREAK, for example, a man-in-the-middle could exploit a client bug that accepted a 512-bit export RSA key even though the client never asked for one, as long as the server still offered RSA export cipher suites. A 512-bit RSA key can be factored for around $100 of cloud computing time, after which the attacker can impersonate that server and intercept what was supposed to be secure traffic. At the outset last March, 37 percent of servers still supported RSA export crypto; awareness of the issue, against the larger backdrop of government surveillance and the intentional subversion of some NIST crypto standards, has since dropped that number well into the single digits.
“Initially, we were surprised because we didn’t think anyone supported export-grade crypto. Then we were amazed at how many initially supported just RSA export crypto,” said David Adrian, a graduate student at the University of Michigan brought in to analyze the problem via data culled from a number of Internet scans. Adrian is scheduled to give a talk at Black Hat USA 2016 on Wednesday about export cryptography and why weakened crypto is such a bad idea.
“Ever since then, we stopped being amazed,” Adrian said.
FREAK was the first export crypto flaw found affecting most major SSL clients, including OpenSSL, some of which accepted a 512-bit export RSA key from the server in the middle of a handshake that had never negotiated an export suite. Exploiting it required several conditions: a server that still offers RSA export suites, and one that reuses its 512-bit export key for a period of time rather than generating a fresh one per connection, which is what makes factoring it worthwhile. That key must be factored, and the attacker then needs a man-in-the-middle position to complete the downgraded handshake and read the traffic.
LOGJAM came two months later and, similar to FREAK, found that some servers still supported 512-bit Diffie-Hellman groups, another 1990s artifact. The expensive part of breaking 512-bit Diffie-Hellman is a one-time precomputation per group, and most servers use one of a handful of standard groups, so that work amortizes across many targets. Even so, this is likely the realm of advanced attackers, who are more likely to have the computing resources necessary to break DHE-protected traffic.
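The measurement behind the numbers above is simple in principle: offer a server nothing but export-grade cipher suites and see whether it completes the handshake. The following Python is an added example, not code from the article or from the scanning tools Adrian's data came from. It builds a TLS 1.0 ClientHello carrying only the RFC 2246 export suites, parses the ServerHello or alert that comes back, and says whether the accepted suite is RSA_EXPORT (what FREAK needs) or DHE_EXPORT (what LOGJAM needs). The two sample responses are constructed bytes, not captured traffic; `probe()` is a hypothetical helper that sends the hello to a host you supply.

```python
"""Check whether a TLS server still accepts 1990s export-grade cipher suites.

Added example, not part of the article. Sample server responses below are
constructed by hand so the parsing can be exercised offline.
"""
import os
import socket
import struct

# IANA identifiers for the export suites defined in RFC 2246, Appendix A.5.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites, version=b"\x03\x01"):
    """Return a complete TLS record holding a ClientHello that offers only `suites`."""
    client_random = os.urandom(32)
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + client_random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00")                                   # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return the cipher suite id the server chose, or None if it refused."""
    if len(data) < 5:
        return None
    content_type = data[0]
    if content_type == 0x15:           # Alert record: a correctly configured server
        return None                    # answers an export-only hello with handshake_failure
    if content_type != 0x16:           # anything other than Handshake is not a ServerHello
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:   # type 2 = ServerHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # ServerHello body: version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    if len(body) < 37:
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def classify(suite_id):
    """Turn the negotiated suite into the verdict a scan would record."""
    if suite_id is None:
        return "server refused export-only ClientHello"
    name = EXPORT_SUITES.get(suite_id)
    if name is None:
        return "server chose a suite it was never offered: 0x%04x" % suite_id
    family = "DHE_EXPORT (LOGJAM-relevant)" if "DHE" in name else "RSA_EXPORT (FREAK-relevant)"
    return "accepted %s: %s" % (name, family)


def probe(host, port=443, timeout=5.0):
    """Hypothetical helper: send the export-only hello to a live host you control."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES)))
        return classify(parse_server_response(sock.recv(4096)))


def _constructed_server_hello(suite_id):
    """Constructed ServerHello record (zero random, empty session id) for offline tests."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite_id) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed responses: one server that accepted RSA export, one that refused.
SAMPLE_ACCEPT = _constructed_server_hello(0x0008)
SAMPLE_REFUSE = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal alert, handshake_failure(40)

if __name__ == "__main__":
    print(classify(parse_server_response(SAMPLE_ACCEPT)))
    print(classify(parse_server_response(SAMPLE_REFUSE)))
```

A server that answers the export-only hello with an alert is fine; one that returns a ServerHello naming any of these suites is the kind of host the 37 percent figure counted. A full LOGJAM check would go one step further and parse the ServerKeyExchange to read the size of the Diffie-Hellman prime, which this example does not do.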
“Fixing FREAK and LOGJAM required changing ciphers, which is not difficult,” Adrian said, adding that today about 1 percent of servers support DHE export grade. “Tracking an old piece of software that might have SSLv2 enabled could be a lot more involved, especially if it’s on a different server or in a different country.”
Patching for DROWN, which requires only that a server’s RSA key also be reachable through some host that still speaks SSLv2, has not been as swift; estimates are that 16 percent of servers are still affected, down from 33 percent upon its discovery earlier this year.
“Awareness definitely helped with FREAK and LOGJAM,” Adrian said. “Less so with DROWN because it’s so complicated.”
Adrian’s talk will set these numbers and their pitfalls against the government’s Going Dark problem and the tense conflict between Apple and the FBI over Apple’s refusal to help unlock a terrorist’s iPhone. In both cases the government wants encryption intentionally weakened in the name of extraordinary access in criminal and national security investigations.
“Look at these attacks two decades after the regulations were dropped in 1999,” Adrian said. “We’re still being harmed by these things.
“In terms of actual exploitation, none of these have likely been exploited—maybe FREAK by governments,” Adrian continued. “I don’t expect a practical impact in the near term. I wouldn’t be worried about being in a coffee shop and someone doing these attacks on me. But five to 10 years from now with costs going down and everything capable of being run on a laptop and commoditized, then I might be worried. Protocol designers back then had to put crap in to comply with regulations, and we’ve been bitten by it.”