Logjam was one of several downgrade attacks discovered in the last 18 months that could theoretically allow a well-resourced attacker to take advantage of lingering export-grade cryptography to read and modify data over a supposedly secure connection.
While the severity of this particular attack against the Diffie-Hellman key exchange has been debated, Mozilla last week took steps in the Firefox browser to deny connections to servers using weak D-H keys.
Mozilla said in a short announcement last week that the move was an effort to shore up the privacy of Firefox users by increasing the minimum key size to 1023 bits for TLS handshakes configured to use the Diffie-Hellman key exchange.
“A small number of servers are not configured to use strong enough keys. If a user attempts to connect to such a server, they will encounter the error ‘ssl_error_weak_server_ephemeral_dh_key,’” Mozilla engineer David Keeler said.
The Diffie-Hellman key exchange is used to establish the shared secret from which keys for symmetric ciphers such as AES are derived. Researchers last May found a weakness in the way Diffie-Hellman is negotiated that lets an attacker downgrade the strength of the key exchange to export-grade 512 bits. The Logjam attack is similar to its cousin FREAK, but FREAK attacked RSA key exchanges.
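As an added illustration, not code from Mozilla or the Logjam researchers, the following Python decodes the ServerDHParams structure a TLS server sends in its DHE ServerKeyExchange message (RFC 5246) and applies the 1023-bit floor Firefox now enforces, flagging 512-bit export-grade primes separately; the moduli used in the sample are constructed odd numbers, not real server primes.

```python
"""Parse TLS ServerDHParams and apply Firefox's 1023-bit minimum for ephemeral DH."""
import struct
from dataclasses import dataclass

MIN_DH_BITS = 1023    # Firefox's floor; shorter primes trigger ssl_error_weak_server_ephemeral_dh_key
EXPORT_DH_BITS = 512  # size of the DHE_EXPORT primes that Logjam downgrades a connection to


@dataclass
class ServerDHParams:
    p: int   # prime modulus dh_p
    g: int   # generator dh_g
    ys: int  # server's public value dh_Ys


def _read_opaque16(buf: bytes, off: int):
    """Read one RFC 5246 opaque<1..2^16-1> field: 2-byte big-endian length, then bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated opaque field")
    return buf[off:off + n], off + n


def parse_server_dh_params(buf: bytes) -> ServerDHParams:
    """Decode the ServerDHParams struct carried in a DHE ServerKeyExchange message."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, off = _read_opaque16(buf, off)
    return ServerDHParams(int.from_bytes(p, "big"), int.from_bytes(g, "big"),
                          int.from_bytes(ys, "big"))


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here only to build constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def classify_dh(params: ServerDHParams) -> str:
    """Return 'export-grade', 'weak' or 'ok' by the bit length of the prime modulus."""
    bits = params.p.bit_length()
    if bits <= EXPORT_DH_BITS:
        return "export-grade"
    if bits < MIN_DH_BITS:
        return "weak"  # Firefox now refuses these
    return "ok"
```

A constructed 512-bit modulus such as `(1 << 511) | 1` classifies as export-grade, while anything of 1023 bits or more passes the new check.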
“The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers,” wrote a team of researchers in explaining the circumstances enabling the Logjam attack. Export cryptography is an artifact of the ’90s crypto wars where deliberately weakened versions of crypto protocols were insisted upon by the U.S. government on products shipped outside the country. Support for export-grade crypto should have been deprecated long ago, but lingering issues crop up, as was the case with the FREAK, Logjam and DROWN attacks.
It’s believed that, for now, only advanced attackers such as the NSA or other government-backed groups focused on offensive security could have the computational resources and experience to exploit export-grade crypto sufficiently to impact encrypted traffic.
“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection,” the Logjam researchers wrote at the time. “However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.”
Initially, it was believed that the Logjam attacks could be used to downgrade connections on 80 percent of servers supporting weak Diffie-Hellman exchanges. Coupled with the belief that a nation state group could break a 1024-bit prime number, the Logjam researchers believed that breaking the most common 1024-bit prime number used by webservers would allow for the interception of traffic against nearly 20 percent of the web’s top one million HTTPS-protected sites, and a second prime would put 66 percent of VPN servers and 26 percent of SSH servers in harm’s way.
Those numbers, however, were quickly reduced after a reality check by other cryptographers. Paul Wouters, a core developer at the Libreswan Project, said that because of the way the researchers scanned and tested VPN servers, their projections were likely too high. This was backed up in a comment to a Threatpost article on Wouters’ work by Adi Shamir, one of the developers of the RSA crypto algorithm, and one of Shamir’s PhD students, Eyal Ronen.
Shamir and Ronen said they arrived at the same conclusions in independent tests against IPsec connections and said the success rate of a hypothetical NSA attack on Diffie-Hellman would be lower than original estimates. They also tested HTTPS connections and concluded that the most popular sites on the web are the least likely to negotiate Diffie-Hellman handshakes and are rarely of interest to intelligence services.