HackDig : Dig high-quality web security articles for hackers

A Deeper Look At Logjam - And Why You Should Care

2015-05-29 07:20

The so-called Logjam vulnerability has been making headlines in both the tech and mainstream press since it was announced last week and for good reason. Potentially tens of thousands of websites and mail servers (as well as the users who access them) remain open to attack because of weaknesses in the TLS security protocol. A group of researchers published their findings about Logjam and drew attention to fundamental problems with export-grade encryption standards.

As the researchers noted, a substantial portion of HTTPS, SSH, and VPN servers running in the IPv4 space are vulnerable to Logjam. In the 1990s, the US government began requiring developers to use “export-grade” encryption algorithms in applications they want to be able to deploy in foreign countries. The export-grade ciphers underlying these applications use relatively short keys (512 bits for Diffie-Hellman, for instance). Whenever export-grade Diffie-Hellman is chosen as the key exchange algorithm, attackers can compromise it quickly if it relies on frequently used parameters.

One of the researchers, Matthew Green, posted an outstanding explanation of Diffie-Hellman and key elements of the vulnerability here. A diagram from his post of a typical Diffie-Hellman key exchange is especially helpful in understanding how attackers can use Logjam:

Dr, Green went on to explain,

“The server takes the role of Alice, selecting (p, g, ga mod p) and signing this tuple (and some nonces) using its long-term signing key. The client responds gb mod p and the two sides then calculate a shared secret...

...What you need to know about "export DHE" is simple: it works identically to standard DHE, but limits the size of p to 512 bits. Oh yes, and it's still out there today. Because the Internet.”

FortiGuard researchers described the attack further:

“Interestingly, the method used [for computing the secret value a above] (the now infamous ‘Number Field Sieve’ algorithm) has a precomputation phase, that involves p only, and that accounts for most of the computing time needed to find [the secret value]

...Most implementations of DH use ‘standard’ primes for p...The consequence is that someone can relatively easily create a “database” of precomputations for all these standard primes p. Once this is done, the attacker can quickly compute a (and thus break the encryption of a connection).”

Even in cases where longer values of p are used (e.g., 764 or 1028 bits), servers configured to accept export-grade encrypted connections may be vulnerable to man-in-the-middle attacks that downgrade the encryption to the more easily computed 512-bit values of p. While cracking this level of encryption is within reach of hackers with access to academic-level computing power, the researchers team that initially published the findings noted that nation-states likely have access to sufficient computing power to break DH encryption in a finite time without exploiting the downgrade vulnerability.

The good news is that servers and applications that are not configured to use export-grade Diffie-Hellman encryption are not vulnerable. They simply won’t negotiate secure sessions with short keys that can be rapidly compromised. The bad news is that, according to Ars Technica, “3.4 percent of HTTPS-supported websites overall are susceptible”. This represents a broad cross-section of web applications, ranging from webmail to banking.

From a network security perspective, there are several ways to address this vulnerability:

  • 1. Use an appropriately configured appliance capable of detecting man-in-the-middle attacks like those described here. The FortiWeb Web Application Firewall, for example, detects these kinds of intrusions and compromises and FortiGate firewalls with the latest IPS signatures deployed also handle this element of the attack.
  • 2. Administrators should disable support for “DHE_EXPORT” (the export-grade Diffie-Hellman ciphersuite) so that secure connections cannot be downgraded
  • 3. Where possible, use larger primes for encryption (security experts recommend using 2048-bit primes).

End users can expect browsers and email clients to be patched shortly with updates that prevent 512-bit parameters from being used to negotiate secure session keys. Currently, Internet Explorer is the only browser that has been updated to prevent these attacks on the client side. Chrome is expected to be patched within weeks, while users on a Mozilla forum posted a temporary fix since Firefox won’t be officially patched until Version 39 is released

More importantly, though, businesses, users, and governments all need to recognize and respect that the era of export-grade cryptography being “good enough” is over. Strong encryption may get in the way of government snooping, but researchers have now demonstrated that hackers with access to reasonable computing power (and not just nation-states with exceptional computing resources) can compromise weaker forms of encryption.

Source: erac-dluohs-uoy-yhw-dna-majgol-ta-kool-repeed-a/tsop/moc.tenitrof.golb

Read:3961 | Comments:0 | Tags:No Tag

“A Deeper Look At Logjam - And Why You Should Care”0 Comments

Submit A Comment



Blog :

Verification Code: