Slashdot Mirror


Fewer IPsec Connections At Risk From Weak Diffie-Hellman (threatpost.com)

msm1267 writes: A challenge has been made against one of the conclusions in an academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections. The paper, 'Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,' claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key. Once enough information is known about the prime, breaking Diffie-Hellman connections that use that same prime is relatively trivial. In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner. Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.

28 comments

  1. Key Exchange by sexconker · · Score: 2, Interesting

    All key exchange algorithms are vulnerable.
    You can't negotiate a key without secrecy in the first place. Certs don't cover that because the CA model is inherently broken.

    1. Re:Key Exchange by houstonbofh · · Score: 2

      It doesn't need to be secure forever. Because in 2 hours I will be using a new key. The constant update of keys is one of the nicer features of IPsec.

    2. Re: Key Exchange by Anonymous Coward · · Score: 5, Insightful

      The NSA will just store your 2 hours of traffic and decrypt it later.

    3. Re:Key Exchange by unrtst · · Score: 3, Insightful

      All key exchange algorithms are vulnerable.

      And all absolutes are false.

    4. Re: Key Exchange by jabuzz · · Score: 3, Informative

      That won't work unless the NSA/GCHQ get lucky. The premise of the original article was that a relatively small number of primes are precomputed at huge expense and the results stored in a relatively small database (a few GB in size). If you are changing that prime every two hours to one that the NSA have not precomputed then they are going to be unable to keep pace with the required precomputation to continue decrypting your communication.

      As long as it takes the NSA longer to precompute the prime you are using than you are using the prime for, you are good to go.

      Now of course if I were the NSA I would be designing custom hardware to do the precompute, and would expect it to be way, way faster than the original analysis suggested. It's like the difference between doing bitcoin mining on a CPU compared to custom silicon.

    5. Re: Key Exchange by Anonymous Coward · · Score: 0

      I figured since you have all the possibilities of say the 1024 Moduli computed for DH, you could gain access to the exchanged secret and have complete access to the entire session.

      If it works like you say, 66% might be vulnerable, but less than 0.001% is going to get targeted since it's a massive amount of cracking to do.

      I've seen postfix and I think nginx generate brand new 2048-bit DH on configuration change at service startup. OpenSSH: default, default and default moduli file on every installation.

    6. Re:Key Exchange by Lennie · · Score: 1

      I don't know why you'd say that applies to IPSEC VPNs:

      - Create your own CA.
      - generate the public/private key on each VPN device/machine
      - send the CSR (public key) to your own CA
      - then create certs for each CSR (a certificate is public key signed by CA)
      - put the CA cert on each VPN device/machine
      - put the certs on each VPN device/machine

      Where is the problem?

      --
      New things are always on the horizon

    7. Re:Key Exchange by Anonymous Coward · · Score: 0

      Except some absolutes. Those ones are true...

    8. Re: Key Exchange by Anonymous Coward · · Score: 0

      There are more 512 bit primes than there are atoms in the observable universe. Finding the one you are using by exhaustive search might take some time.

    9. Re: Key Exchange by 0xdeaddead · · Score: 1

      > every installation

      And there lies the problem, the installation could be years old.

  2. Well, sounds like he's right by mveloso · · Score: 2

    While their vulnerability numbers are probably off by a magnitude or two, that doesn't negate the idea behind the paper - just the importance.

  3. The real enemy to security by TimMD909 · · Score: 1

    I'm not afraid of hackers or the NSA or anything else. I'm afraid of Bruce Schneier. Rumor has it he even can intercept information flow between quantumly entangled particles. Until we deal with the real threat, all your data are belong to us.

    1. Re:The real enemy to security by Anonymous Coward · · Score: 0

      I'm afraid of Bruce Schneier. Rumor has it he even can intercept information flow between quantumly entangled particles.

      Bruce Schneier doesn't intercept the information flow, he is the source of it. When one particle in an entangled pair is measured, the other sends a tachyon to Bruce Schneier to find out what state it should be in. The requesting particle is then forced into that state by the sheer power of Bruce Schneier's will.

    2. Re:The real enemy to security by Aaden42 · · Score: 1

      So the new meme is s/Lee/Schneier/g now?

    3. Re:The real enemy to security by Anonymous Coward · · Score: 0

      Bruce Schneier once roundhouse kicked Chuck Norris so hard that Bruce Lee sat up in his grave and said, "Ouch!".

      http://www.schneierfacts.com/, bringing you Bruce Schneier facts since 06-Jun-2009.

    4. Re: The real enemy to security by Anonymous Coward · · Score: 0

      Fix random not being random. That's an insult to Bruce.

  4. Not several orders of magnitude by Anonymous Coward · · Score: 0

    If Libreswan, Freeswan and Openswan* had 50% of the VPN market, it would still be a 33% success rate at passive decryption.

    So VPNs are a joke at this point, the encryption is flawed.

    * i.e. it would double the number of tested servers and halve the success. Assuming his claim is correct. I think their market share is lower than this, I'm shooting for an upper guesstimate.

    1. Re:Not several orders of magnitude by Aaden42 · · Score: 1

      The encryption is fine. The original key generation process is flawed. Regenerate keys correctly, and the traffic is secure(*) again.

      (*) At least to the point that (according to TFA) it should take the various TLA’s about a year per key of Very Expensive computer time to break.

  5. 2600 fake Symantec certs by Anonymous Coward · · Score: 0

    Symantec issued 2600 fake certificates:

    http://www.engadget.com/2015/10/29/google-warns-symantec-over-certificates/

    "For its part, Symantec claims that it issued a "small number" of test certificates by mistake, and revoked them before notifying those affected. It also fired a handful of staff who reportedly weren't following guidelines. There's a good chance this won't happen again. However, the antivirus maker also appears to be downplaying the scope of the problem. Google notes that it found dodgy certificates after the first time Symantec examined its behavior, and Symantec's second audit caught over 2,600 of them"

    Please note, that these certificates were spotted because THEY WERE SERVED UP AS SITE CERTIFICATES BY A MAN IN THE MIDDLE ATTACK.

    They are not 'test' certificates, they were attacks. Likely NSA's 'Flying Pig' HTTPS attack.

    Do you trust their anti-virus software?

  6. Elliptic Curve by Big+Hairy+Ian · · Score: 1

    I thought Diffie-Hellman relied on elliptic curves rather than huge prime numbers. Please correct me if I'm wrong.

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Elliptic Curve by Anonymous Coward · · Score: 2, Informative

      We have Diffie-Hellman (DH), Ephemeral Diffie-Hellman (DHE), Elliptic Curve Diffie-Hellman (ECDH), and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE).

    2. Re:Elliptic Curve by Anonymous Coward · · Score: 0

      Don't worry. Huge primes are not crackable, and in the general case can not be precomputed. The only issue is that some systems will silently downgrade to small primes, and some systems use the default primes which are well known, instead of computing new ones at install time.

  7. DH groups by Anonymous Coward · · Score: 0

    I'm particularly interested in the ramifications for IPsec VPNs, hence I've checked out Cisco's response.

    Seems like Cisco were recommending DH with 2048 bits since at least April 2012.

    https://web.archive.org/web/20130503031549/http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

    So although I'm grateful for this paper pointing it out to me, as I was unaware, this particular recommendation does not appear to be new. Cisco now in fact recommend 3072-bit.

    http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

    Regards,

    1. Re:DH groups by houstonbofh · · Score: 1

      I love that page. A good coverage of what is considered secure. In SmallWall, http://www.smallwall.org/ the continuation of m0n0wall, the IPsec configuration page actually has a link to that Cisco page, along with warnings about what is no longer secure.

      Note, however, that they also consider DH-2048 acceptable. I believe the general consensus is that it will be secure until about 2020.

    2. Re:DH groups by Anonymous Coward · · Score: 0

      Noted.

  8. limited effect on HTTPS by Anonymous Coward · · Score: 0

    We (Eyal Ronen and Adi Shamir) have been running multiple tests over the last few weeks in order to check the claims made in the Adrian et al paper[1], titled "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", and are in the final stages of writing a comprehensive report about our findings. In the specific case of IPSEC, we have independently reached essentially the same conclusions as in Wouters' blog post (which had just been published at https://nohats.ca/wordpress/blog/2015/10/17/66-of-vpns-are-not-in-fact-broken/ , and reported in https://threatpost.com/fewer-ipsec-vpn-connections-at-risk-from-weak-diffie-hellman/115189/ , and in http://it.slashdot.org/story/15/10/29/2230233/fewer-ipsec-connections-at-risk-from-weak-diffie-hellman ), namely, that the success rate of a hypothetical NSA attack on this protocol would be much lower than the original estimate which appeared in [1]. More interestingly, we also checked the claimed statistics in [1] related to HTTPS connections (which were not checked by Wouters). These connections use the TLS protocol (or its predecessor SSL) to securely access http servers on the internet, and are of great interest to intelligence services since it protects access to search engines (such as GOOGLE), to email (such as GMAIL), to social networks (such as FACEBOOK), to financial information (such as CITIBANK and VISA) and to various services (such as ordering books on AMAZON or reserving airline tickets on EXPEDIA). In particular, we tested the percentage of all DH-based connections (which use all key sizes, including the safer groups with 1536 bit primes which presumably cannot be attacked by the NSA with a feasible preprocessing).

    Our methodology was to use OpenSSL version 1.0.1e-fips from 11 Feb 2013 in its standard configuration (the version installed on our cluster computer at the Weizmann Institute) in order to open a secure connection to every single site in the Alexa list of the top one million web sites, and to check if the server chose ECC, DH, RSA, or completely declined opening a secure connection. Since many sites declined an SSL connection attempt, we also tried to add either the "www." or "login." prefix to all the sites on the list. This slightly increased the number of successful connections, since some sites only encrypt the communication after you log in.

    Our full scan of all the top one million websites showed that DH-based connections were established to around 18.7% of the sites that accepted HTTPS. This is a slightly smaller percentage than the 23.9% described in [1], which refers to the fraction of HTTPS connections that use the ten most popular 1024-bit DH groups (note that this discrepancy could be due to natural trends in the use of cryptography on the internet, due to the time difference between the two scans). However, our main claim is that most of these 1000000 web sites have a relatively small amount of traffic and are of little interest to intelligence services, and thus this statistic is not the right one to use when trying to estimate the possible success rate of a hypothetical NSA attack. We thus compiled the fraction of DH-based connections among the attempted connections to the top k web sites for all values of k smaller than one million. For example, when we restrict our attention to the top 1000 web sites, the percentage of sites whose connection used a DH handshake drops to 4.5%, and if we consider only the top 100 web sites (which include most of the interesting sites mentioned above), the percentage drops to just 2%. In other words, the most popular web sites are the least likely to negotiate a DH handshake when the client is not actively modified or influenced by the NSA.

    It is interesting to note that some of the leaked Snowden documents support the conclusion that DH-handshakes are rarely seen by intelligence services. For example, consider the document at http://www.spiegel.de/media/media-35512.pdf made public in December 2014 whose title is "TLS trends at GCHQ". It probably dates from the end of 2012,
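The post above describes two steps: classify each server's chosen cipher suite as ECC, DH, RSA or declined, then compute the share of DH handshakes among the top k sites for every k. Here is an added example of that bookkeeping in Python; it is not the authors' scanner, it does no network access, and the ranked scan results are a constructed sample (OpenSSL cipher-suite names, with `None` for a site that declined HTTPS), not real data.

```python
# Constructed sample of (Alexa rank, cipher suite the server chose). Not real scan data.
SAMPLE_SCAN = [
    (1, "ECDHE-RSA-AES128-GCM-SHA256"),
    (2, "ECDHE-ECDSA-AES256-GCM-SHA384"),
    (3, "AES128-SHA"),               # no prefix: RSA key transport
    (4, None),                       # site declined HTTPS
    (5, "DHE-RSA-AES256-SHA"),       # finite-field Diffie-Hellman
    (6, "ECDHE-RSA-AES256-SHA"),
    (7, "AES256-GCM-SHA384"),
    (8, "DHE-DSS-AES128-SHA"),
    (9, "EDH-RSA-DES-CBC3-SHA"),     # older OpenSSL spelling of DHE
    (10, "ECDH-RSA-AES128-SHA"),     # static ECDH
]

def key_exchange(cipher):
    """Map an OpenSSL cipher-suite name to the families the post counts: ECC, DH, RSA, none."""
    if cipher is None:
        return "none"
    kx = cipher.split("-")[0]
    if kx in ("ECDHE", "ECDH", "AECDH"):
        return "ECC"
    if kx in ("DHE", "EDH", "DH", "ADH"):
        return "DH"
    # OpenSSL omits the key-exchange prefix for plain RSA key transport (e.g. AES128-SHA).
    return "RSA"

def dh_share_top_k(scan, k):
    """Fraction of the top-k sites that accepted HTTPS and negotiated finite-field DH."""
    accepted = [key_exchange(c) for rank, c in scan if rank <= k and c is not None]
    if not accepted:
        return 0.0
    return accepted.count("DH") / len(accepted)

def dh_share_curve(scan):
    """dh_share_top_k for every k in the list: the cumulative statistic the post compiles."""
    return {k: dh_share_top_k(scan, k) for k, _ in scan}
```

With the sample above the share falls from 1/3 over all ten sites to 0 over the top three, the same shape the post reports for the real top-million list.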