research-article

Open access

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Authors:

Karthikeyan Bhargavan,

Zakir Durumeric,

Pierrick Gaudry,

J. Alex Halderman,

Nadia Heninger,

Drew Springall,

Emmanuel Thomé,

Benjamin VanderSloot,

Santiago Zanella-Béguelin,

Paul ZimmermannAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 5 - 17

https://doi.org/10.1145/2810103.2813707

Published: 12 October 2015 Publication History

Abstract

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.

References

[1]

S. Bai, C. Bouvier, A. Filbois, P. Gaudry, L. Imbert, A. Kruppa, F. Morain, E. Thomé, and P. Zimmermann.upshape cado-nfs, an implementation of the number field sieve algorithm, 2014. Release 2.1.1.

[2]

R. Barbulescu. Algorithmes de logarithmes discrets dans les corps finis. PhD thesis, Université de Lorraine, France, 2013.

[3]

R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In Eurocrypt, 2014.

[4]

E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. NIST Special Publication 800--57: Recommendation for Key Management, 2007.

[5]

D. J. Bernstein. How to find smooth parts of integers, 2004. http://cr.yp.to/factorization/smoothparts-20040510.pdf.

[6]

D. J. Bernstein and T. Lange. Batch NFS. In Selected Areas in Cryptography, 2014.

[7]

B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In IEEE Symposium on Security and Privacy, 2015.

Digital Library

[8]

C. Bouvier, P. Gaudry, L. Imbert, H. Jeljeli, and E. Thomé. New record for discrete logarithm in a prime finite field of 180 decimal digits, 2014. http://caramel.loria.fr/p180.txt.

[9]

R. Canetti and H. Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In Crypto, 2002.

Digital Library

[10]

A. Commeine and I. Semaev. An algorithm to solve the discrete logarithm problem with the number field sieve. In PKC, 2006.

Digital Library

[11]

D. Coppersmith. Solving linear equations over GF(2) via block Wiedemann algorithm. Math. Comp., 62(205), 1994.

Digital Library

[12]

R. Crandall and C. B. Pomerance. Prime Numbers: A Computational Perspective. Springer, 2001.

[13]

B. den Boer. Diffie-Hellman is as strong as discrete log for certain primes. In Crypto, 1988.

Digital Library

[14]

W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, 22(6):644--654, 1976.

Digital Library

[15]

Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In Usenix Security, 2013.

Digital Library

[16]

M. Friedl, N. Provos, and W. Simpson. Diffie-Hellman group exchange for the secure shell (SSH) transport layer protocol. RFC 4419, Mar. 2006.

[17]

W. Geiselmann, H. Kopfer, R. Steinwandt, and E. Tromer. Improved routing-based linear algebra for the number field sieve. In Information Technology: Coding and Computing, 2005.

Digital Library

[18]

W. Geiselmann and R. Steinwandt. Non-wafer-scale sieving hardware for the NFS: Another attempt to cope with 1024-bit. In Eurocrypt, 2007.

Digital Library

[19]

D. Gillmor. Negotiated finite field Diffie-Hellman ephemeral parameters for TLS. IETF Internet Draft, May 2015.

[20]

D. M. Gordon. Designing and detecting trapdoors for discrete log cryptosystems. In Crypto, 1992.

Digital Library

[21]

D. M. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math., 6(1), 1993.

Digital Library

[22]

D. Harkins and D. Carrel. The Internet key exchange (IKE). RFC 2409, Nov. 1998.

Digital Library

[23]

T. Jager, K. G. Paterson, and J. Somorovsky. One bad apple: Backwards compatibility attacks on state-of-the-art cryptography. In NDSS, 2013.

[24]

A. Joux and R. Lercier. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comp., 72(242):953--967, 2003.

Digital Library

[25]

C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen. Internet key exchange protocol version 2 (IKEv2). RFC 7296, Oct. 2014.

[26]

S. Kent. IP authentication header. RFC 4302, Dec. 2005.

[27]

S. Kent. IP encapsulating security payload (ESP). RFC 4303, Dec. 2005.

[28]

T. Kleinjung. Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024 bit integers, 2006. http://www.hyperelliptic.org/tanja/SHARCS/talks06/thorsten.pdf.

[29]

T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. te Riele, A. Timofeev, and P. Zimmermann. Factorization of a 768-bit RSA modulus. In Crypto, 2010.

Digital Library

[30]

A. Langley, N. Modadugu, and B. Moeller. Transport layer security (TLS) false start. IETF Internet Draft, 2010.

[31]

A. K. Lenstra and H. W. Lenstra, Jr., editors. The Development of the Number Field Sieve. Springer, 1993.

[32]

M. Lipacis. Semiconductors: Moore stress = structural industry shift. Technical report, Jefferies, 2012.

[33]

U. M. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Crypto, 1994.

Digital Library

[34]

U. M. Maurer and S. Wolf. Diffie-Hellman oracles. In Crypto, 1996.

Digital Library

[35]

N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In ACM CCS, pages 62--72, 2012.

Digital Library

[36]

C. Meadows. Analysis of the Internet key exchange protocol using the NRL protocol analyzer. In IEEE Symposium on Security and Privacy, 1999.

[37]

Microsoft Security Bulletin MS15-055. Vulnerability in Schannel could allow information disclosure, May 2015. https://technet.microsoft.com/en-us/library/security/ms15-055.aspx.

[38]

NIST. FIPS PUB 186--4: Digital signature standard, 2013.

[39]

Oak Ridge National Laboratory. Introducing Titan, 2012. https://www.olcf.ornl.gov/titan.

[40]

H. Orman. The Oakley key determination protocol. RFC 2412, Nov. 1998.

Digital Library

[41]

S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over $\mathrmGF(p)$ and its cryptographic significance (corresp.). Trans. Inform. Theory, 24(1), 1978.

Digital Library

[42]

J. M. Pollard. A Monte Carlo method for factorization. BIT Numerical Mathematics, 15(3):331--334, 1975.

Digital Library

[43]

O. Schirokauer. Virtual logarithms. J. Algorithms, 57(2):140--147, 2005.

Digital Library

[44]

I. A. Semaev. Special prime numbers and discrete logs in finite prime fields. Math. Comp., 71(237):363--377, 2002.

Digital Library

[45]

D. Shanks. Class number, a theory of factorization, and genera. In Proc. Sympos. Pure Math., volume 20. 1971.

[46]

Spiegel Staff. Prying eyes: Inside the NSA's war on Internet security. Der Spiegel, Dec 2014. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html.

[47]

W. Stein et al. Sage Mathematics Software (Version 6.5). The Sage Development Team, 2015. http://www.sagemath.org.

[48]

stud: The scalable TLS unwrapping daemon, 2012. https://github.com/bumptech/stud/blob/19a7f19686bcdbd689c6fbea31f68a276e62d886/stud.c#L593.

[49]

E. Thomé. Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. J. Symbolic Comput., 33(5):757--775, 2002.

Digital Library

[50]

P. C. Van Oorschot and M. J. Wiener. Parallel collision search with application to hash functions and discrete logarithms. In ACM CCS, 1994.

Digital Library

[51]

P. C. Van Oorschot and M. J. Wiener. On Diffie-Hellman key agreement with short exponents. In Eurocrypt, 1996.

Digital Library

[52]

D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In 2nd Usenix Workshop on Electronic Commerce, 1996.

Digital Library

[53]

J. Wagnon. SSL profiles part 5: SSL options, 2013. https://devcentral.f5.com/articles/ssl-profiles-part-5-ssl-options.

[54]

P. Zimmermann et al. GMP-ECM, 2012. https://gforge.inria.fr/projects/ecm.

[55]

APEX active/passive exfiltration. Media leak, Aug. 2009. http://www.spiegel.de/media/media-35671.pdf.

[56]

Fielded capability: End-to-end VPN SPIN 9 design review. Media leak. http://www.spiegel.de/media/media-35529.pdf.

[57]

FY 2013 congressional budget justification. Media leak. http://cryptome.org/2013/08/spy-budget-fy13.pdf.

[58]

GALLANTWAVE@scale. Media leak. http://www.spiegel.de/media/media-35514.pdf.

[59]

Innov8 experiment profile. Media leak. http://www.spiegel.de/media/media-35509.pdf.

[60]

Intro to the VPN exploitation process. Media leak, Sept. 2010. http://www.spiegel.de/media/media-35515.pdf.

[61]

LONGHAUL -- WikiInfo. Media leak. http://www.spiegel.de/media/media-35533.pdf.

[62]

POISONNUT -- WikiInfo. Media leak. http://www.spiegel.de/media/media-35519.pdf.

[63]

SIGINT strategy. Media leak. http://www.nytimes.com/interactive/2013/11/23/us/politics/23nsa-sigint-strategy-document.html.

[64]

SPIN 15 VPN story. Media leak. http://www.spiegel.de/media/media-35522.pdf.

[65]

TURMOIL/APEX/APEX high level description document. Media leak. http://www.spiegel.de/media/media-35513.pdf.

[66]

TURMOIL IPsec VPN sessionization. Media leak, Aug. 2009. http://www.spiegel.de/media/media-35528.pdf.

[67]

TURMOIL VPN processing. Media leak, Oct. 2009. http://www.spiegel.de/media/media-35526.pdf.

[68]

VALIANTSURF (VS): Capability levels. Media leak. http://www.spiegel.de/media/media-35517.pdf.

[69]

VALIANTSURF -- WikiInfo. Media leak. http://www.spiegel.de/media/media-35527.pdf.

[70]

VPN SigDev basics. Media leak. http://www.spiegel.de/media/media-35520.pdf.

[71]

What your mother never told you about SIGDEV analysis. Media leak. http://www.spiegel.de/media/media-35551.pdf.

Cited By

Berbecaru DLioy A(2024)Threat-TLS: A Tool for Threat Identification in Weak, Malicious, or Suspicious TLS ConnectionsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670945(1-9)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3670945
Luo YLi CWang ZYang J(2024)IPREDS: Efficient Prediction System for Internet-wide Port and Service ScanningProceedings of the ACM on Networking10.1145/36494702:CoNEXT1(1-24)Online publication date: 28-Mar-2024
https://dl.acm.org/doi/10.1145/3649470
Dolev S(2024)Post Quantum Communication Over the Internet InfrastructureProceedings of the 25th International Conference on Distributed Computing and Networking10.1145/3631461.3632514(1-3)Online publication date: 4-Jan-2024
https://dl.acm.org/doi/10.1145/3631461.3632514
Show More Cited By

Index Terms

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
    2. Public key (asymmetric) techniques
      1. Public key encryption
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Imperfect forward secrecy: how Diffie-Hellman fails in practice

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "...
Certificateless Broadcast Signcryption with Forward Secrecy
CIS '11: Proceedings of the 2011 Seventh International Conference on Computational Intelligence and Security

Certificate less cryptography achieves the best of the two worlds: it inherits from identity-based techniques a solution to the certificate management problem in public-key encryption, whilst removing the secret key escrow functionality inherent to the ...
Kleptography: using cryptography against cryptography
EUROCRYPT'97: Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques

The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) has been recently introduced. In this paper we extend the study of stealing information securely and subliminally from black-box cryptosystems. The SETUP mechanisms presented ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Copyright © 2015 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Check for updates

Badges

Best Paper

Author Tags

Qualifiers

Research-article

Funding Sources

NSF
ONR
ERC
ANR

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

245
Total Citations
View Citations
7,355
Total Downloads

Downloads (Last 12 months)949
Downloads (Last 6 weeks)95

Reflects downloads up to 13 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Berbecaru DLioy A(2024)Threat-TLS: A Tool for Threat Identification in Weak, Malicious, or Suspicious TLS ConnectionsProceedings of the 19th International Conference on Availability, Reliability and Security10.1145/3664476.3670945(1-9)Online publication date: 30-Jul-2024
https://dl.acm.org/doi/10.1145/3664476.3670945
Luo YLi CWang ZYang J(2024)IPREDS: Efficient Prediction System for Internet-wide Port and Service ScanningProceedings of the ACM on Networking10.1145/36494702:CoNEXT1(1-24)Online publication date: 28-Mar-2024
https://dl.acm.org/doi/10.1145/3649470
Dolev S(2024)Post Quantum Communication Over the Internet InfrastructureProceedings of the 25th International Conference on Distributed Computing and Networking10.1145/3631461.3632514(1-3)Online publication date: 4-Jan-2024
https://dl.acm.org/doi/10.1145/3631461.3632514
Tang KWu KChau SVilela JSchulmann HLi N(2024)Investigating TLS Version Downgrade in Enterprise SoftwareProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653263(31-42)Online publication date: 19-Jun-2024
https://dl.acm.org/doi/10.1145/3626232.3653263
Xu PWu HTao XWang CChen DNan G(2024)Anti-Quantum Certificateless Group Authentication for Massive Accessing IoT DevicesIEEE Internet of Things Journal10.1109/JIOT.2024.335380711:9(16561-16577)Online publication date: 1-May-2024
https://doi.org/10.1109/JIOT.2024.3353807
Liu RPan J(2024)CRS: A Privacy-Preserving Two-Layered Distributed Machine Learning Framework for IoVIEEE Internet of Things Journal10.1109/JIOT.2023.328779911:1(1080-1095)Online publication date: 1-Jan-2024
https://doi.org/10.1109/JIOT.2023.3287799
Zhang ZJia LPăsăreanu C(2024)ProInspector: Uncovering Logical Bugs in Protocol Implementations2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP60621.2024.00040(617-632)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSP60621.2024.00040
Pfeiffer STihanyi N(2024)D(HE)at: A Practical Denial-of-Service Attack on the Finite Field Diffie–Hellman Key ExchangeIEEE Access10.1109/ACCESS.2023.334742212(957-980)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2023.3347422
Yaseen FAlkhalidi NAl-Raweshidy H(2024)ITor-SDN: Intelligent Tor Networks-Based SDN for Data Forwarding ManagementIEEE Access10.1109/ACCESS.2023.334735012(4792-4800)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2023.3347350
Biryukov AFisch BHerold GKhovratovich DLeurent GNaya-Plasencia MWesolowski B(2024)Cryptanalysis of Algebraic Verifiable Delay FunctionsAdvances in Cryptology – CRYPTO 202410.1007/978-3-031-68382-4_14(457-490)Online publication date: 18-Aug-2024
https://dl.acm.org/doi/10.1007/978-3-031-68382-4_14
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents