Logjam is a new attack that threatens many applications, from HTTPS to VPNs. It targets Diffie-Hellman (DH) key exchanges, which are widely used in many protocols. Ordinary DH computations operate in a mathematical structure (the multiplicative group of integers modulo a large prime number). The security of the algorithm rests on the fact that one operation in this structure, recovering the secret exponent x from g^x mod p (the discrete logarithm), is difficult (expensive) to compute.
Like the recent FREAK attack, the attack scenarios described by the authors mainly target SSL/TLS connections with the outdated “EXPORT” cipher suites (deliberately weakened in the 1990s to comply with US export regulations). A man-in-the-middle can downgrade a connection to such a suite even if the client never offered it, because the server's signature on the DH parameters does not cover the negotiated cipher suite; the client therefore accepts the 512-bit parameters as if they were ordinary DHE parameters, and the attacker only has to compute the discrete logarithm before the handshake times out. The main finding of the paper is that most of this computation depends only on the prime, not on the individual connection: it can be pre-computed once per prime, after which any connection using that prime can be broken in seconds to minutes. What makes this attack even more interesting is that many implementations use the same prime groups for their DH calculations. The “EXPORT” cipher suites (and also some other configurations) use only 512-bit primes for the key exchange. The authors spent about one week of pre-computation per prime and were then able to break any key exchange using that prime in about a minute (the paper reports a median of roughly 70 seconds per connection).
The proof-of-concept attacks described by the authors can all be defeated either by changing the client to reject small (<1024-bit) DH primes, or by disabling “EXPORT” cipher suites on the servers and ensuring that unique, large and safe primes are used for the key exchange (the authors describe how to configure this in great detail in a guide).
As “EXPORT” cipher suites are by now usually disabled by default, this issue should not be very widespread in modern setups. However, another result of the paper is a lot more worrying to us than the attacks on “EXPORT” cipher suites:
The authors estimate that a state-level adversary could afford the pre-computation step for 1024-bit primes, which would endanger far more systems and services. For example, they found that over 60% of the discovered VPN gateways use the same 1024-bit prime for the key exchange, which makes this attack a very interesting option for any intelligence agency.
There are a number of general recommendations on how to avoid this problem:
- Use custom-generated, large and safe primes wherever possible (as described in this guide)
- Use at least 2048-bit primes if you cannot use a custom prime
- Switch to elliptic-curve DH (ECDHE) with curves of at least 256 bits
- Disable the (E)DH cipher suites if none of the other solutions is possible and you are concerned about state-level adversaries (note that without ECDHE this also gives up forward secrecy)
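The following is an added example, not code from the Logjam paper or from this article. It models two things from the text in one place: the cost split of the attack (the expensive part depends only on the prime and is paid once per group; each connection then costs only a small amount of extra work) and the checks a client can apply to the parameters it receives (minimum size, safe prime, generator in the prime-order subgroup). The group is a constructed 36-bit safe prime, absurdly small so that the whole thing runs in seconds, and baby-step giant-step stands in for the number field sieve used in the real attack; the once-per-group/once-per-connection structure is the same. All function and class names are this example's own.

```python
"""Added example (not code from the paper or the article): a toy of the Logjam
cost split plus the DH parameter checks recommended above. A 36-bit safe prime
is absurdly small, but it makes the once-per-group / once-per-connection split
visible; real attacks use NFS rather than baby-step giant-step, same split."""
import math
import random
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for every n < 2**64


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n below 2**64."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int, randbits=secrets.randbits) -> int:
    """p = 2q + 1 with p and q both prime, the kind of prime `openssl dhparam` emits."""
    while True:
        q = randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, exactly bits-1 bits long
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1


def check_dh_params(p: int, g: int, min_bits: int = 2048) -> list:
    """Client-side checks on the (p, g) received in ServerKeyExchange.
    Returns the reasons for rejection; an empty list means accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime is only {p.bit_length()} bits (< {min_bits})")
    if not is_prime(p):
        return problems + ["p is not prime"]
    q = (p - 1) // 2
    if not is_prime(q):
        return problems + ["p is not a safe prime ((p-1)/2 is composite)"]
    if not 1 < g < p - 1:
        problems.append("generator must lie strictly between 1 and p-1")
    elif pow(g, q, p) != 1:
        problems.append("generator not in the order-q subgroup (leaks an exponent bit)")
    return problems


def dh_exchange(p: int, g: int, randbits=secrets.randbits):
    """Honest exchange; returns (A, B, shared). An eavesdropper sees only A and B."""
    q = (p - 1) // 2
    a, b = 1 + randbits(64) % (q - 1), 1 + randbits(64) % (q - 1)  # exponents in [1, q)
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


class GroupPrecomputation:
    """Everything that depends only on (p, g): paid once per group, reused per connection."""

    def __init__(self, p: int, g: int):
        self.p = p
        q = (p - 1) // 2                  # order of g when p is safe and g is a square
        self.m = math.isqrt(q) + 1        # m*m > q, so every exponent in [0, q) is covered
        self.table = {}                   # baby steps g^j -> j, about sqrt(q) entries
        cur = 1
        for j in range(self.m):
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -self.m, p)   # g^(-m): multiplier for the giant steps

    def dlog(self, h: int) -> int:
        """Per-connection work: x with g^x = h (mod p), using only giant steps."""
        cur = h % self.p
        for i in range(self.m):
            if cur in self.table:
                return i * self.m + self.table[cur]
            cur = cur * self.giant % self.p
        raise ValueError("h is not in the subgroup generated by g")


def demo(bits: int = 36, seed=None):
    """Build a group, run one exchange, break it, and audit the parameters.
    `seed` makes a run reproducible for tests; leave it None for real randomness."""
    randbits = secrets.randbits if seed is None else random.Random(seed).getrandbits
    p, g = gen_safe_prime(bits, randbits), 4   # 4 = 2^2 is a square, hence of order q
    A, B, shared = dh_exchange(p, g, randbits)
    pre = GroupPrecomputation(p, g)            # the "one week per prime" step
    recovered = pow(B, pre.dlog(A), p)         # the "about a minute per connection" step
    return p, shared, recovered, check_dh_params(p, g)
```

Running `demo()` returns the toy prime, the honest shared secret, the secret the eavesdropper recovers (they are equal) and the list of reasons a client applying `check_dh_params` would reject the 36-bit group. In practice the prime generation is done with `openssl dhparam -out dhparams.pem 2048` and the file is referenced with `ssl_dhparam` (nginx) or `SSLOpenSSLConfCmd DHParameters` (Apache 2.4.8 and later); the checks in `check_dh_params` are the ones a client or an audit script would apply to whatever parameters a server actually sends.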
This article was produced by our research team, which analyzes and engineers new exploits and attack scenarios. Oneconsult AG has one of the largest teams of salaried and certified penetration testers in Switzerland. As a result of over 850 sophisticated penetration tests, we discover several dozen zero-day vulnerabilities per year.