'Logjam' Vulnerability Threatens Encrypted Connections

An anonymous reader writes: A team of security researchers has revealed a new encryption vulnerability called 'Logjam,' which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it's caused by export restrictions mandated by the U.S. government during the Clinton administration. "Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties."

Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, "Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break." Here is their full technical report (PDF).

And that is why you do not downgrade encryption...

[gweihir]

At the time these utterly stupid laws were made, these ciphers where still somewhat secure against most attackers. The problem is that encryption software and parameters can stay in use for a long time.

Re:downgrade attacks...

[Creepy]

It actually has more to do with export law - in fact, Clinton's Executive Order transferred control of encryption from the Munition List to the Commerce Control List. Prior to the Clinton updates, the maximum exportable encryption was 40 bits. Part of the reason the change got Clinton's attention is the PGP investigation, where the creator of PGP exported the computer code in a hardback book (free speech) as opposed to in a computer (munitions), allowing it to be scanned and compiled outside of the US. Also the weak foreign encryption export limits were starting to hurt US businesses (mine included at the time - we outsourced all encryption work and worldwide distribution to England, leading to about 20 US workers losing their jobs).

Re:Certificate authorities surely?

[petermgreen]

There have been a couple of recent developments which attempt to fight back against the "CA coercion" vulnerability.

One is "http key pinning", that way your browser is still trusting the public CA network for the initial connection to a site but after that it additionally checks a list of keys provided by the site (the site has the option of whether to declare trust in a CA or whether to approve individual keys). This will make it very difficult for a MITM with a coerced key to operate in secret, if the user ever uses an internet connection the MITM doesn't control and then comes back to the one controlled by the MITM then they will notice the interference.

Another is "certificate transparency" which if enforced means a CA can't issue certs without publishing the fact they are doing so. This is a bit of a longer term goal, it will be some time if ever before clients can force this model on all CAs but again it will make it much easier to discover MITM attacks.