Vulnerability of TLS Logjam - FREAK with DH
Researchers from CNRS, Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research, Johns Hopkins University, University of Michigan and University of Pennsylvania have discovered a new vulnerability in TLS similar to FREAK, but more dangerous and applicable in real life - Logjam. In the case of Logjam, the attack is made on session keys, which are installed during the exchange about the Diffie-Hellman protocol, in order to reduce their cryptographic strength to 512-bit. Such keys, as FREAK researchers have shown, can be cracked within a few hours, but the situation is somewhat different here: due to the fact that a lot of (outdated) software uses public static DH groups and the same predefined initial primes, there is a possibility preliminary execution of the discrete logarithm by the sieve of the number field to a certain state, which allows you to quickly, within 2 minutes, crack the session key of the DH-group for which such a calculation was made.
Scientists made a preliminary calculation for two popular export DH-groups: the first group is used in Apache in versions 2.1.5-2.4.7 and is found on 7% of sites from TOP 1M according to Alexa, and the second is protected in OpenSSL, even when it was called SSLeay , in 1995. The calculation took a week for each group, and it was carried out using a modified version of CADO-NFS .
According to the researchers, a preliminary calculation of these two groups allows you to crack up to 80% of encrypted connections on servers that support export DH keys. Three methods of carrying out an attack were proposed and demonstrated on video:
- Offline decryption of weak connections for servers using 512-bit default DH keys when listening to traffic passively
- Reducing the strength of keys to 512-bit using TLS False Start, by MiTM-substitution of DH type data sent to the server
- Reducing the strength of keys to 512-bit by MiTM-substitution of data on the type of DH sent to the server, and suspension of the connection until the keys are cracked
Consider each of the methods in more detail. The first method is applicable only to those servers that use 512-bit DH groups by default. There are very few such servers, but they do not require a man-in-the-middle attack, but rather passively record the traffic. After breaking the key, the traffic can be decrypted.
The second method exploits the feature of TLS False Start - a special mechanism for accelerating the TLS handshake, in which the client sends data before the end of the handshake (sending Server Finished). Performing a man-in-the-middle attack, an attacker can substitute a client request for using DHE_EXPORT instead of DHE, the server will return the parameters for the 512-bit DH group and the server’s public DH key (g ^ b), the attacker will return a server response with this data to the client and by recording that this is DHE, as he requested. Due to the fact that the standard does not prohibit the use of 512 keys in a non-export version, the client does not see the substitution until the request data is sent (the hash will not converge only when the server sends Server Finished, but the client’s request has already been sent by then )
The third type of attack is based on the suspension of the TLS handshake for the time required to crack the session key (according to researchers, up to 10 minutes with preliminary calculation). It also requires the execution of MiTM and the replacement of DHE with DHE_EXPORT and vice versa, but does not require TLS Fast Start support. Here's how it goes:
- The client connects to www.tcl.tk and offers at least one cipher suite that includes DHE but does not include DHE_EXPORT.
- The attacker intercepts the request and modifies it by sending to the server a cipher suite consisting of only DHE_EXPORT
- Server selects DHE_EXPORT
- The attacker modifies the server’s response by replacing DHE_EXPORT with one of the non-export DHE options proposed by the client
- Server sends key parameters with 512-bit base
- The hacker begins to crack the key - calculate the discrete logarithm, and disconnects from the server
- The client waits for the hacker to crack the key and send him a server confirmation
- As soon as an attacker breaks a key, he receives a master secret - a symmetric encryption key, and sends a confirmation to the client
- The client confirms the data from the server and sends a request. An attacker can respond to client requests.
Researchers note that attackers with a lot of powerful equipment are able to recover 768-bit keys, and special services can recover 1024-bit keys, which are often used in IPsec IKEv1.
Vulnerability exists in all popular browsers and in almost all popular server software. The vulnerability site describes how to generate more robust Diffie-Hellman groups, as well as the necessary TLS settings for Apache httpd, nginx, Microsoft IIS, Lighttpd, Apache Tomcat, Postfix, Sendmail, Dovecot, and HAProxy. The server configuration checker is also available on the same page.
Scientists report that 8.4% of sites from the top millionth Alexa top are vulnerable, and 17.9% of sites use 1024-bit keys. The vulnerability can also be applied on mail servers using IMAPS (8.4%), POP3S (8.9%) and STARTTLS (14.8%) protocols. In addition, the vulnerability can be exploited in not the latest versions of OpenSSH. PDF
with a detailed description of the vulnerability
Server configuration and verification of the correct settings
Description of the vulnerability from CloudFlare
Clarification of the IPsec situation from the Libreswan developer