
TLS Logjam: a FREAK-style downgrade attack on Diffie-Hellman


Researchers from CNRS, Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research, Johns Hopkins University, the University of Michigan and the University of Pennsylvania have found a new TLS vulnerability, similar to FREAK but more dangerous and more practical: Logjam. Where FREAK targeted RSA, Logjam targets the session key established by the Diffie-Hellman key exchange, downgrading the negotiated DH group to an export-grade 512-bit one. As the FREAK researchers showed, keys of that size can be broken in a matter of hours, but here the situation is worse. A great deal of (outdated) software uses publicly known, static DH groups with the same predefined primes, so an attacker can run the expensive part of the discrete-logarithm computation (the number field sieve) ahead of time, once per group, and then recover the session key of any individual connection that uses that group in about two minutes.

The researchers carried out this precomputation for two popular export DH groups: the first is used by Apache in versions 2.1.5-2.4.7 and appears on 7% of the Alexa Top 1M sites; the second has been hardcoded in OpenSSL since the days when it was still called SSLeay, in 1995. The computation took about a week per group and was done with a modified version of CADO-NFS.
According to the researchers, the precomputation for these two groups alone is enough to break up to 80% of encrypted connections to servers that support export DH key exchange. Three attack methods were proposed and demonstrated on video.

Consider each of the methods in more detail. The first applies only to servers that negotiate a 512-bit DH group by default, even for non-export cipher suites. There are very few such servers, but against them the attacker does not need to be in the middle of the connection at all: it is enough to passively record the traffic. Once the discrete logarithm for that session is solved, the recording can be decrypted.
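The passive variant, as an added example that is not code from the original post or from the Logjam paper. It runs Diffie-Hellman in a constructed toy group (a 24-bit safe prime) so that baby-step giant-step can stand in for the number field sieve, but it keeps the split the paper relies on: the expensive work depends only on (p, g) and is done once per group, after which the per-connection discrete log, and with it the session key and the decryption, is cheap. The key derivation and stream cipher are toy stand-ins, not TLS.

```python
"""Passive Logjam analogue on a toy Diffie-Hellman group.

Added example for this article; not code from the original post or the Logjam paper.
The real attack runs the number field sieve against 512-bit groups. Here the group is
about 24 bits so baby-step giant-step can play that role, but the division of labour is
the same: the expensive part depends only on (p, g) and is done once per group; the
per-connection discrete log is then cheap.
"""
import hashlib
import hmac
import math
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def make_group(bits: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 with p >= 2**bits, and g = 4, which generates
    the order-q subgroup of quadratic residues for every safe prime p > 5."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, 4


class GroupPrecomputation:
    """The once-per-group work: a baby-step table plus the giant-step multiplier.
    Its cost depends only on (p, g), like the NFS precomputation in Logjam."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.q = (p - 1) // 2
        self.m = math.isqrt(self.q) + 1
        self.baby = {}
        x = 1
        for j in range(self.m):
            self.baby.setdefault(x, j)   # g^j -> j
            x = x * g % p
        self.giant = pow(g, -self.m, p)  # g^(-m) mod p

    def dlog(self, h: int) -> int:
        """Per-connection step: find x with g^x == h (mod p), 0 <= x < q."""
        y = h % self.p
        for i in range(self.m):
            if y in self.baby:
                return (i * self.m + self.baby[y]) % self.q
            y = y * self.giant % self.p
        raise ValueError("h is not in the subgroup generated by g")


def session_key(shared_secret: int, p: int) -> bytes:
    """Toy key derivation: hash the DH shared secret (TLS runs a PRF over it)."""
    n = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(n, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter keystream); symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def passive_attack(p: int, g: int, precomp: GroupPrecomputation,
                   plaintext: bytes = b"GET /account HTTP/1.1") -> tuple[bytes, bytes]:
    """Honest client and server run DH over (p, g); the attacker only records
    g^a, g^b and the ciphertext, then recovers a using the precomputation.
    Returns (what the attacker decrypted, the original plaintext)."""
    q = (p - 1) // 2
    a, b = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    client_pub, server_pub = pow(g, a, p), pow(g, b, p)
    key = session_key(pow(server_pub, a, p), p)   # both endpoints derive this
    ciphertext = stream_xor(key, plaintext)        # what the attacker records

    # Attacker: passive, holds only (p, g, client_pub, server_pub, ciphertext).
    a_recovered = precomp.dlog(client_pub)
    attacker_key = session_key(pow(server_pub, a_recovered, p), p)
    return stream_xor(attacker_key, ciphertext), plaintext


if __name__ == "__main__":
    p, g = make_group(24)
    precomp = GroupPrecomputation(p, g)   # done once, reused for every connection
    for _ in range(3):
        recovered, original = passive_attack(p, g, precomp)
        print(recovered == original, recovered)
```

Note that `GroupPrecomputation` is built once and reused across sessions; scaling the table to a real 512-bit group is exactly what the week of CADO-NFS time buys the attacker.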
The second method exploits TLS False Start, a handshake-acceleration mechanism in which the client sends application data before the handshake has finished (before the server's Finished message arrives). A man-in-the-middle rewrites the client's ClientHello so that it offers DHE_EXPORT instead of DHE; the server replies with the parameters of a 512-bit DH group and its public DH value (g^b), and the attacker forwards that reply to the client with the cipher suite rewritten back to the DHE suite the client originally requested. The client cannot detect the substitution: the server's signature in ServerKeyExchange covers only the two handshake randoms and the DH parameters, not the negotiated cipher suite, and the standard does not forbid 512-bit groups in non-export suites. The mismatch only surfaces in the Finished messages, whose transcript hashes will not agree, but with False Start the client has already sent its request by then.


The third attack works by stalling the TLS handshake for as long as it takes to break the session key (according to the researchers, up to 10 minutes with the precomputation in hand). It also requires a MITM that swaps DHE for DHE_EXPORT and back, but does not rely on TLS False Start. It proceeds as follows:


  1. The client connects to www.tcl.tk and offers at least one DHE cipher suite, but no DHE_EXPORT suite.
  2. The attacker intercepts the ClientHello and forwards to the server a version whose cipher-suite list contains only DHE_EXPORT.
  3. The server selects DHE_EXPORT.
  4. The attacker rewrites the server's response, replacing DHE_EXPORT with one of the non-export DHE suites the client offered.
  5. The server sends its key-exchange parameters over a 512-bit prime.
  6. The attacker starts computing the discrete logarithm of the server's public value and drops the connection to the server.
  7. The client waits, unaware, for the attacker to finish and deliver the server's Finished message.
  8. As soon as the attacker solves the logarithm, he derives the master secret (from which the symmetric keys come) and sends a forged Finished to the client.
  9. The client accepts the "server's" Finished and sends its request; the attacker can now read it and answer in the server's place.
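The exchange described in the False Start paragraph and in the nine steps above, as an added example serving both; it is not code from the original post, the Logjam paper or any TLS library. It models only the handshake messages that matter for the attack, uses HMAC-SHA256 as a stand-in for the server's RSA signature (the point is which bytes are signed, not the algorithm), and uses a constructed toy safe prime (p = 2039) as the "export" group so the attacker's precomputed discrete log can be a brute-force loop. The `min_dh_bits` parameter is an assumption added here to show the client-side fix of refusing small groups.

```python
"""Logjam downgrade in miniature: why the client cannot see the cipher-suite swap.

Added example for this article, not code from the original post, the Logjam paper or
any TLS library. Only the TLS 1.2 messages that matter are modelled; HMAC-SHA256 stands
in for the server's RSA signature, and the DH group is a constructed toy safe prime.
"""
import hashlib
import hmac
import secrets

DHE = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"               # what the client offers
DHE_EXPORT = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"   # what the attacker substitutes

P, G = 2039, 4                                 # toy "export" group: p = 2*1019 + 1, g = 4
Q = (P - 1) // 2
SERVER_SIGNING_KEY = secrets.token_bytes(32)   # stand-in for the server's RSA private key


def sign_params(cr: bytes, sr: bytes, p: int, g: int, ys: int) -> bytes:
    """ServerKeyExchange signs ClientHello.random || ServerHello.random || ServerDHParams.
    The negotiated cipher suite is not among the signed bytes, which is the whole problem."""
    data = cr + sr + p.to_bytes(64, "big") + g.to_bytes(1, "big") + ys.to_bytes(64, "big")
    return hmac.new(SERVER_SIGNING_KEY, data, hashlib.sha256).digest()


def master_secret(shared: int, cr: bytes, sr: bytes) -> bytes:
    """Stand-in for the TLS PRF step premaster secret -> master secret."""
    return hmac.new(shared.to_bytes(64, "big"), b"master secret" + cr + sr, hashlib.sha256).digest()


def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """Stand-in for Finished.verify_data = PRF(master, label, Hash(handshake messages))."""
    return hmac.new(master, label + hashlib.sha256(transcript).digest(), hashlib.sha256).digest()[:12]


def brute_force_dlog(h: int) -> int:
    """Stand-in for the NFS descent against a precomputed group; feasible only because P is tiny."""
    x, y = 0, 1
    while y != h:
        x, y = x + 1, y * G % P
    return x


def run_handshake(min_dh_bits: int) -> dict:
    """Run the handshake-stalling downgrade. min_dh_bits is the client's policy for the
    smallest DH prime it accepts: 0 models a pre-Logjam client, 1024 a client with the fix."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)

    # Steps 1-3: ClientHello offered only DHE; the attacker rewrote it to DHE_EXPORT,
    # and the server accepted, chose its export group and signed the parameters.
    suite_used_by_server = DHE_EXPORT
    b = secrets.randbelow(Q - 1) + 1
    ys = pow(G, b, P)
    sig = sign_params(cr, sr, P, G, ys)
    # Step 4: the attacker rewrites the suite in ServerHello back to DHE and forwards
    # ServerKeyExchange (p, g, ys, signature) untouched.
    suite_seen_by_client = DHE

    # Step 5, client side: the signature verifies because the suite is not signed.
    sig_ok = hmac.compare_digest(sig, sign_params(cr, sr, P, G, ys))
    if not sig_ok:
        return {"outcome": "rejected: bad signature", "sig_ok": sig_ok}
    if P.bit_length() < min_dh_bits:            # the post-Logjam client-side check
        return {"outcome": "rejected: DH prime too small", "sig_ok": sig_ok}
    a = secrets.randbelow(Q - 1) + 1
    yc = pow(G, a, P)
    client_master = master_secret(pow(ys, a, P), cr, sr)
    client_view = cr + sr + suite_seen_by_client.encode() + sig + yc.to_bytes(64, "big")
    client_fin = finished(client_master, b"client finished", client_view)

    # Without solving the log the attack would die here: the honest server's transcript
    # contains DHE_EXPORT, so its view of Finished never matches the client's.
    server_view = cr + sr + suite_used_by_server.encode() + sig + yc.to_bytes(64, "big")
    server_master = master_secret(pow(yc, b, P), cr, sr)
    honest_server_accepts = hmac.compare_digest(
        client_fin, finished(server_master, b"client finished", server_view))

    # Steps 6-8: the attacker drops the server, recovers b from ys, derives the master
    # secret and forges the server Finished over the CLIENT's view of the transcript.
    attacker_master = master_secret(pow(yc, brute_force_dlog(ys), P), cr, sr)
    forged_fin = finished(attacker_master, b"server finished", client_view + client_fin)

    # Step 9: the client checks the forged Finished against its own expectation.
    expected = finished(client_master, b"server finished", client_view + client_fin)
    in_session = hmac.compare_digest(forged_fin, expected)
    return {
        "outcome": "attacker in session" if in_session else "rejected: bad Finished",
        "sig_ok": sig_ok,
        "honest_server_would_accept_client_finished": honest_server_accepts,
        "suite_seen_by_client": suite_seen_by_client,
        "suite_used_by_server": suite_used_by_server,
    }


if __name__ == "__main__":
    print(run_handshake(min_dh_bits=0))      # pre-Logjam client: attacker in session
    print(run_handshake(min_dh_bits=1024))   # client enforcing a minimum group size
```

The `honest_server_would_accept_client_finished` flag is what the article means by the hashes "not converging": the two endpoints' transcripts differ in the cipher suite, so the real server would have rejected the client's Finished. That is why the attacker must either rely on False Start (the request has already gone out) or take the server's place by solving the log before answering.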

The researchers note that a well-funded attacker with substantial computing resources could perform the precomputation for 768-bit groups, and that an intelligence agency could do so for 1024-bit groups, which are widely used in IPsec IKEv1.

The vulnerability affects all popular browsers and almost all popular server software. The vulnerability site describes how to generate stronger Diffie-Hellman groups, along with the required TLS settings for Apache httpd, nginx, Microsoft IIS, Lighttpd, Apache Tomcat, Postfix, Sendmail, Dovecot and HAProxy. The same page offers a server configuration checker.

The researchers report that 8.4% of the Alexa top million sites are affected, and that 17.9% of sites use 1024-bit groups. The vulnerability also applies to mail servers: IMAPS (8.4%), POP3S (8.9%) and SMTP with STARTTLS (14.8%). In addition, it can be exploited against older versions of OpenSSH.

Vulnerability site
PDF with a detailed description of the vulnerability
Server configuration guide and checker
CloudFlare's description of the vulnerability
The Libreswan developers' clarification of the IPsec situation

Source: https://habr.com/ru/post/258457/
