LogJam – Oneconsult Security Advisory

LogJam is a new attack that threatens many applications, from HTTPS to VPNs. It targets Diffie-Hellman (DH) key exchanges, which are widely used in many protocols. Ordinary DH computations operate in a mathematical structure (a multiplicative group) defined by a large prime number. The security of the algorithm rests on the fact that certain operations in this structure are difficult (expensive) to reverse.

Like the recent FREAK attack, the attack scenarios described by the authors mainly target SSL/TLS connections that use the outdated “EXPORT” cipher suites (deliberately weakened at the behest of US authorities). The main finding is that it is possible to pre-compute a large part of the calculation once per prime number and then attack any connection using that prime in a couple of seconds to minutes. What makes the attack even more interesting is that many implementations use the same prime groups for their DH calculations. Many of the “EXPORT” cipher suite implementations (and some others) use only 512-bit primes for the key exchange. With one week of pre-computation (per prime), the authors were able to break any of the affected key exchanges in about 10 minutes.

The proof-of-concept attacks described by the authors can all be defeated either by changing the client to reject small (< 1024-bit) DH prime parameters, or by disabling “EXPORT” cipher suites on the servers and ensuring that unique, large and safe primes are used for the key exchanges (the authors’ guide describes the configuration in great detail).

As “EXPORT” cipher suites are by now usually disabled by default, this issue should not be very widespread in modern setups. However, another result of the paper worries us a lot more than the attacks on “EXPORT” cipher suites:

The authors estimate that a state-level adversary could execute the pre-computation step for 1024-bit primes, which would endanger far more systems and services. For example, they found that over 60% of the discovered VPN gateways use the same 1024-bit prime for the key exchange, making this attack a very interesting option for any intelligence agency.

There are a number of general recommendations on how to avoid this problem:

  • Use custom-generated, large and secure primes wherever possible (as described in this guide)
  • Use at least 2048-bit primes if you have the choice and cannot use a custom prime
  • Switch to elliptic-curve DH key exchanges with at least 256-bit keys
  • Disable (E)DH options if none of the other solutions are possible and you are concerned about state-level adversaries
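
To make the client-side rule from the advisory concrete, the following added example (not Oneconsult’s code) implements a check a TLS or VPN client could apply to received DH parameters: reject groups below a configurable size, reject primes that are not safe primes, and flag primes that appear in a caller-supplied list of widely shared groups. The 2048-bit default and the `known_shared_primes` input are assumptions; no prime values are hard-coded here.

```python
# Added example (not Oneconsult's code): a client-side sanity check for
# finite-field DH parameters, following the advisory's advice to reject small
# groups, prefer >= 2048-bit safe primes and avoid widely shared primes.
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test, sufficient for validating DH parameters."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def check_dh_group(p: int, g: int, ys: int, min_bits: int = 2048,
                   known_shared_primes: frozenset = frozenset()) -> list:
    """Return the reasons to reject a ServerKeyExchange group; [] means accept.
    min_bits=2048 follows the advisory; known_shared_primes is an assumed
    caller-supplied set (e.g. the groups the paper found to be reused)."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime too small: {p.bit_length()} < {min_bits} bits")
    if p in known_shared_primes:
        problems.append("prime is a widely shared group (precomputation target)")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime ((p-1)/2 is composite)")
    if not 1 < g < p - 1:
        problems.append("generator g out of range")
    if not 1 < ys < p - 1:
        problems.append("server public value out of range")
    return problems
```

The small primes used in the checks below are constructed test values only; a real client would keep the 2048-bit default and populate `known_shared_primes` from the paper’s findings.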

This article was produced by our research team, which analyzes and engineers new exploits and attack scenarios. Oneconsult AG has one of the largest teams of salaried and certified penetration testers in Switzerland. As a result of over 850 sophisticated penetration tests, we discover several dozen zero-day vulnerabilities per year.

Published on: 21.05.2015
