'Logjam' crypto bug could be how the NSA cracked VPNs

Johns Hopkins crypto boffin spots FREAK-like protocol bug



Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman crytography.


In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be forced to downgrade a connection to that weak level. The server – and therefore the client – will both still believe they're using stronger keys such as 768-bit or 1024-bit.


Like so many things – including the similar FREAK flaw – the bug is ancient: a 20-year-old SSL bug that was inherited by TLS.


Green has hosted a site discussing what's being called "Logjam", Weakdh.org, with a detailed academic paper here (PDF).


Green's already been in touch with the major browser vendors, and says they're in the process of implementing a more restrictive policy on the size of Diffie-Hellman groups they will accept.


Logjam is another exploit of the 1990s-era crypto-wars: “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the paper notes.


Because “export grade” hangs around in ciphersuites, “a man-in-the-middle can force TLS clients to use export strength DH with any server that allows DHE_EXPORT.”


“The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable,” Green writes at the Logjam site.


Where 512-bit keys are supported, after an initial long computation, Green writes that “an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18 per cent of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66 per cent of VPN servers and 26 per cent of SSH servers.”


That's where the spooks come in: “A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.”


Anyone running a Web or mail server need to disable export-grade cipher suites and generate a new and unique 2048-bit Diffie-Hellman group. Users need to watch for browser upgrades, and developers need to use the latest libraries and reject Diffie-Hellman groups shorter than 1024 bits. ®