Logjam: Diffie-Hellman, discrete logs, the NSA, and you

Presented at 32C3 (2015), Dec. 28, 2015, 9:45 p.m. (60 minutes)

Earlier this year, we discovered that Diffie-Hellman key exchange – cornerstone of modern cryptography – is less secure in practice than the security community believed. In this talk, we’ll explain how the NSA is likely exploiting this weakness to allow it to decrypt connections to at least 20% of HTTPS websites, 25% of SSH servers, and 66% of IPsec VPNs. Unlike the NSA, most of us don’t have a billion-dollar budget, but thanks to 1990s-era U.S. crypto backdoors, even attackers with much more modest resources can break the crypto for a sizable fraction of web sites. We’ll explain these flaws and how to defend yourself, and we’ll demonstrate how you too can experiment with Diffie-Hellman cryptanalysis from the comfort of your local hacker space. Diffie-Hellman key exchange lets two parties negotiate a shared secret key in the presence of an eavesdropper who can see every message they exchange. This bit of cryptographic magic underlies the security of the Internet, from TLS to SSH, IPsec, Tor, OTR, and beyond. Diffie-Hellman is widely believed to offer „perfect forward secrecy“ – after you’re done communicating, you can „forget" your secret key and not even the NSA can later reconstruct it. In recent years, this property led to the security community (us included!) promoting Diffie-Hellman over other crypto techniques as a defense against mass surveillance. We were wrong. We’re really sorry. In this talk, we’ll explain how a confluence of number theory, lazy implementations, and aging protocols has created a world where anyone willing to spend a few hundred million dollars is likely able to passively decrypt a huge fraction of Internet traffic. We’ll then go back for a close reading of the Snowden documents that were published at 31C3 and show how such a cryptanalytic exploit lines up exactly with several of the NSA’s most powerful known decryption capabilities. For those who prefer a more hands-on approach, we’ll tell you how you too can experiment with breaking Diffie-Hellman for the „export-grade“ 512-bit key sizes that were mandated in the 1990s by U.S. crypto regulations. About 8% of popular HTTPS sites still support these weakened keys for use with legacy browsers, but we discovered a TLS protocol flaw, which we named the Logjam attack, that allowed a man-in-the-middle to trick all modern browsers into accepting them. We’re pretty sure your browser has shipped a security update to fix this by now... We’ll conclude the talk by discussing what went wrong with communication between mathematical cryptographers and security practitioners, how we can prevent this from happening again, and what flavors of cryptography you should really be using to defend yourself. (Hint: It starts with „elliptic“ and ends with „curve“.)

Presenters:

  • Nadia Heninger
  • J. Alex Halderman
    I’m a professor of computer science at the University of Michigan and Director of Michigan’s Center for Computer Security and Society. <a href="https://jhalderm.com">My research</a> spans software security, network security, data privacy, anonymity, electronic voting, and censorship resistance. Alex also studies the interaction of technology with law, governmental regulation, and international affairs. He is known for developing the cold boot attack against disk encryption, which altered widespread security assumptions about the behavior of RAM, influenced computer forensics practice, and inspired the creation of a new subfield of theoretical cryptography. A noted expert on electronic voting security, he helped lead the first independent review of the election technology used by half a billion voters in India, which prompted the national government to undertake major technical reforms. He introduced ZMap, an open source tool for performing Internet-wide port scans that can probe the entire IPv4 address space from a single machine in minutes. He is also a co-founder of Let’s Encrypt, a free, automated, and open certificate authority he is developing in partnership with Mozilla and the EFF.

Links:

Similar Presentations: