From brg at gladman.plus.com Fri Oct 16 17:29:05 2015
From: brg at gladman.plus.com (Brian Gladman)
Date: Fri, 16 Oct 2015 17:29:05 +0100
Subject: How is NSA breaking into VPNs?
Message-ID: <562125D1.7060500@gladman.plus.com>

An interesting paper on the weaknesses of DH key exchange protocols:

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

From zenadsl6186 at zen.co.uk Fri Oct 16 23:41:03 2015
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 16 Oct 2015 23:41:03 +0100
Subject: How is NSA breaking into VPNs?
In-Reply-To: <562125D1.7060500@gladman.plus.com>
References: <562125D1.7060500@gladman.plus.com>
Message-ID: <56217CFF.3060101@zen.co.uk>

On 16/10/15 17:29, Brian Gladman wrote:
> An interesting paper on the weaknesses of DH key exchange protocols:
>
> https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

The paper describes the Logjam attack, and the state-level attacks on shared DH primes.

Logjam, like FREAK, degrades crypto suite choices, in this case TLS DH to 512-bit "export grade" crypto. It's a bit more sophisticated than FREAK, but not much.

7th principle: Holes for "good guys" are holes for bad guys too.
8th principle: In code, nothing ever really goes away. (big nod to Jerry Leichter)

More controversial, and quite possibly more damaging, is this:

"Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve — the most efficient algorithm for breaking a Diffie-Hellman connection — is dependent only on this prime. After this first step, an attacker can quickly break individual connections. [...] A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved a break [of the single, most common 1024-bit prime]."

I wonder whether the "state level threat" of breaking common 1024-bit DH primes is the "major breakthrough" which NSA told Congress about a few years ago, for which they got all that lovely extra money.

If so, the people who in 2013 were supporting the idea of replacing 2048-bit RSA with ubiquitous 1024-bit DH in order to provide FS look a bit silly ...

[ the major browsers supported only 1024-bit DH, but supported 2048-bit RSA, perhaps due to people mistakenly thinking that DH keys needed to be half the size of RSA keys - it might be interesting to see where that rumour came from.

To quote Peter Gutmann, posting on the cryptography at metzdowd list:

"It's a debate between two groups, the security practitioners, "we'd like a PFS solution as soon as we can, and given currently-deployed infrastructure DH-1024 seems to be the best bet", and the theoreticians, "only a theoretically perfect solution is acceptable, even if it takes us forever to get it"."

By the way, this was just after Snowden, when Google and the like were moving to ubiquitous 2048-bit RSA, and supposedly crypto people were running around like headless chickens saying "we must do something". NSA must have been laughing all the way to the bank. ]

-- Peter Fairbrother
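The point quoted above (the expensive step depends only on the prime, after which each individual connection falls cheaply, so fresh per-connection exponents do not help once the group itself is weak) as a toy illustration added here; it is not code from the thread or from the weakdh paper. Baby-step/giant-step over a small constructed prime stands in for the number field sieve, and the group (p = 1000003, g = 2) and session count are constructed values.

```python
"""Why a shared Diffie-Hellman group lets work be amortized across sessions.
Toy only: the group below is 20 bits, chosen so the precomputation takes
milliseconds. The structure, not the cost, is the point being illustrated."""
import math
import secrets

def precompute_group(p, g):
    """One-time work that depends only on (p, g), never on any session's secrets.
    Builds the baby-step table g^j -> j for j < m, with m ~ sqrt(p)."""
    m = math.isqrt(p - 1) + 1
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    # g^(-m) mod p via Fermat's little theorem (p is prime in this toy).
    inv_gm = pow(pow(g, m, p), p - 2, p)
    return {"p": p, "g": g, "m": m, "table": table, "inv_gm": inv_gm}

def solve_session(group, y):
    """Per-session work: find x with g^x = y (mod p) using the shared table.
    Giant steps walk y * g^(-i*m) until it lands in the baby-step table."""
    p, m, table, inv_gm = group["p"], group["m"], group["table"], group["inv_gm"]
    gamma = y % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * inv_gm % p
    return None  # y is outside the subgroup generated by g

def dh_exchange(p, g):
    """An honest exchange with fresh ephemeral secrets, as deployments assumed was safe.
    Returns the two public values and the shared secret both sides derive."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    return pow(g, a, p), pow(g, b, p), pow(pow(g, b, p), a, p)

def recover_shared_secret(group, pub_a, pub_b):
    """Observer's view: only the public values plus the one-time group precomputation."""
    x = solve_session(group, pub_a)
    return None if x is None else pow(pub_b, x, group["p"])

def demo(p=1_000_003, g=2, sessions=5):
    """True if every ephemeral session over the shared group was recovered
    after a single precomputation for that group."""
    group = precompute_group(p, g)
    return all(recover_shared_secret(group, A, B) == s
               for A, B, s in (dh_exchange(p, g) for _ in range(sessions)))
```

Changing `p` to a larger prime shows the precomputation growing while the per-session step stays cheap relative to it, which is the asymmetry the quoted paragraph describes.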