Largely in response to the NSA surveillance revelations, organizations are increasingly moving towards the use of encryption technologies. It turns out, however, that encryption is not easy to get right: Heartbleed is only about a year old, and other vulnerabilities like FREAK or POODLE have surfaced in that time frame.
This time, a new attack named LogJam targets a cryptographic component called Diffie-Hellman (DH for short), a means of securely agreeing on a shared secret key over a public channel. DH lets two parties with no prior shared secret derive a key that only they know, and that key then protects their further communication. If the DH exchange is weak, the key derived from it is weak too, and the entire communication on that channel can be decrypted. DH is widely used in cryptographic protocols; it is an essential part of VPN protocols like IPsec/IKE and of SSH. Its use in SSL/TLS is optional: it is enabled by selecting the ephemeral DH (DHE) cipher suites, which are what provide Perfect Forward Secrecy (PFS for short). The use of PFS is on the rise, as the security community believes it makes global surveillance, and eavesdropping in general, more difficult.
LogJam, this week's new problem, is actually a combination of two issues:
- The first is a downgrade attack on SSL/TLS:
  - The downgrade requires an active attacker positioned on the network path between the client and the server.
  - The attacker tricks the server into using export-grade (i.e. crackable) 512-bit Diffie-Hellman groups, and because the client cannot tell export-grade DH parameters from ordinary ones, it accepts them.
  - This only applies to SSL/TLS with PFS (DHE) enabled.
  Mitigation: servers should disable support for export-grade ciphers, the DHE_EXPORT suites specifically. Clients should validate the length of the DH prime (the group size) returned by the server and refuse short ones. Disabling PFS would also mitigate this specific attack, but PFS is believed to be more secure otherwise.
- The second is precomputation against Diffie-Hellman groups:
  - It describes a way to precompute large parts of the computation required to crack a Diffie-Hellman key exchange in a given group, after which individual exchanges in that group are much cheaper to break. Since most deployments share a handful of default groups, one precomputation pays off against many servers.
  - This applies to all protocols that use Diffie-Hellman, such as VPNs, SSH and SSL/TLS with PFS enabled.
  Mitigation: instead of using the default Diffie-Hellman parameters shipped with applications such as Apache and OpenSSH, generate a fresh group for every installation, so that a precomputation against the defaults does not carry over; prefer groups of at least 2048 bits, because a precomputation against a widely shared 1024-bit group is within reach of a well-funded adversary.
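As an added example (not the author's or Balabit's code), here is what the two client-side mitigations look like in Python: dropping export suites from the offered cipher list so there is nothing to downgrade to, and parsing the DH parameters the server sends so that a group that is too small is rejected before any key is derived. It assumes the TLS 1.2 ServerDHParams wire encoding and OpenSSL's cipher-suite names; the moduli and the client offer are constructed test data, not real groups.

```python
"""Client-side checks against both halves of LogJam.

This is an added example, not code from the original post. Assumed:
the server's DH parameters arrive in the TLS 1.2 ServerDHParams wire
format (three length-prefixed opaque vectors dh_p, dh_g, dh_Ys), and
cipher suites use OpenSSL's names. The sample moduli are constructed
to have the right bit length only; they are not real (prime) groups.
"""
import struct

# OpenSSL names export-grade suites with an "EXP-" prefix, e.g.
# EXP-EDH-RSA-DES-CBC-SHA is TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA.
def is_export_suite(name: str) -> bool:
    upper = name.upper()
    return upper.startswith("EXP-") or "EXPORT" in upper

def strip_export_suites(suites):
    """Issue 1, client side: never offer a suite a MITM could downgrade you to."""
    return [s for s in suites if not is_export_suite(s)]

def _read_opaque16(buf: bytes, off: int):
    """Read one opaque<1..2^16-1> vector; return (bytes, new offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_server_dh_params(buf: bytes):
    """Decode ServerDHParams into integers (p, g, Ys)."""
    p_raw, off = _read_opaque16(buf, 0)
    g_raw, off = _read_opaque16(buf, off)
    ys_raw, off = _read_opaque16(buf, off)
    return (int.from_bytes(p_raw, "big"),
            int.from_bytes(g_raw, "big"),
            int.from_bytes(ys_raw, "big"))

def check_server_dh(buf: bytes, min_bits: int = 2048) -> int:
    """Issues 1 and 2, client side: refuse any group smaller than min_bits.

    A 512-bit DHE_EXPORT group fails here no matter which cipher suite the
    (possibly tampered) handshake claims, and a shared 1024-bit default
    group fails too under the 2048-bit policy. Returns the prime size.
    """
    p, g, ys = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits < min_bits:
        raise ValueError(f"DH prime is only {bits} bits (< {min_bits}); refusing handshake")
    if not (1 < ys < p - 1):
        raise ValueError("server public value out of range")
    return bits

def server_dh_is_acceptable(buf: bytes, min_bits: int = 2048) -> bool:
    """Boolean wrapper around check_server_dh for callers that do not want exceptions."""
    try:
        check_server_dh(buf, min_bits)
        return True
    except ValueError:
        return False

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used to build the constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: bit lengths match a DHE_EXPORT group and a 2048-bit group.
EXPORT_SIZED_P = (1 << 511) | 0xB5
STRONG_SIZED_P = (1 << 2047) | 0x1D
SAMPLE_EXPORT_SKE = encode_server_dh_params(EXPORT_SIZED_P, 2, 0x1234)
SAMPLE_STRONG_SKE = encode_server_dh_params(STRONG_SIZED_P, 2, 0x1234)

# Constructed client offer containing two export suites that should never be sent.
CLIENT_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA",
                "EXP-EDH-RSA-DES-CBC-SHA", "EXP-ADH-DES-CBC-SHA"]

if __name__ == "__main__":
    print("offer after stripping export suites:", strip_export_suites(CLIENT_OFFER))
    for label, ske in (("export-sized", SAMPLE_EXPORT_SKE), ("2048-bit", SAMPLE_STRONG_SKE)):
        print(label, "accepted" if server_dh_is_acceptable(ske) else "rejected")
```

The server-side counterpart is configuration rather than code: remove the EXP-/EXPORT suites from the cipher string, generate a fresh group with `openssl dhparam -out dhparams.pem 2048`, and point the server at it (Apache 2.4 with OpenSSL 1.0.2 takes `SSLOpenSSLConfCmd DHParameters dhparams.pem`; OpenSSH's group-exchange moduli live in /etc/ssh/moduli and can be regenerated with `ssh-keygen -G` and `ssh-keygen -T`).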
Both the export-grade ciphers and the DH parameters are configurable in almost all software today without patching, which makes the change easy to implement.
The severity of this attack is definitely lower than that of Heartbleed and comparable to FREAK: it requires an active attacker performing a man-in-the-middle, and the result is also similar, the ability to decrypt and/or rewrite all communications between the two endpoints.
By Balázs Scheidler CTO at Balabit
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.