Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fewer IPsec Connections At Risk From Weak Diffie-Hellman (threatpost.com)

Posted by samzenpus on from the protect-ya-neck dept.

msm1267 writes: A challenge has been made against one of the conclusions in an academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections. The paper, 'Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,' claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key. Once enough information is known about the prime, breaking Diffie-Hellman connections that use that same prime is relatively trivial. In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner. Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.

14 of 28 comments (clear)

  1. Key Exchange by sexconker · · Score: 2, Interesting

    All key exchange algorithms are vulnerable.
    You can't negotiate a key without secrecy in the first place. Certs don't cover that because the CA model is inherently broken.

    1. Re:Key Exchange by houstonbofh · · Score: 2

      It doesn't need to be secure forever. Because in 2 hours I will be using a new key. The constant update of keys is one of the nicer features of IPsec.

    2. Re: Key Exchange by Anonymous Coward · · Score: 5, Insightful

      The NSA will just store your 2 hours of traffic and decrypt it later.

    3. Re:Key Exchange by unrtst · · Score: 3, Insightful

      All key exchange algorithms are vulnerable.

      And all absolutes are false.

    4. Re: Key Exchange by jabuzz · · Score: 3, Informative

      That won't work.unless the NSA/GCHQ get lucky. The premise of the original article was that a relatively small number of primes are precomputed at huge expense and the results stored in a relatively small database (a few GB in size). If you are changing that prime every two hours to one that the NSA have not precomputed then they are going to be unable to keep pace with the required precompution to continue decrypting your communication.

      As long as it takes the NSA longer to precompute the prime you are using than you are using the prime for you are good to go.

      Now of course if I where the NSA I would be designing custom hardware to do the precompute, and would expect it to be way way faster than the original analysis suggested. It's like the difference between doing bitcoin mining on a CPU compared to custom silicon.

    5. Re:Key Exchange by Lennie · · Score: 1

      I don't know why you'd say that applies to IPSEC VPNs:

      - Create your own CA.
      - generate the public/private key on each VPN device/machine
      - send the CSR (public key) to your own CA
      - then create certs for each CSR (a certificate is public key signed by CA)
      - put the CA cert on each VPN device/machine
      - put the certs on each VPN device/machine

      Where is the problem ?

      --
      New things are always on the horizon
    6. Re: Key Exchange by 0xdeaddead · · Score: 1

      > every installation

      And there lies the problem, the installation could be years old.

  2. Well, sounds like he's right by mveloso · · Score: 2

    While their vulnerability numbers are probably off by a magnitude or two, that doesn't negate the idea behind the paper - just the importance.

  3. The real enemy to security by TimMD909 · · Score: 1

    I'm not afraid of hackers or the NSA or anything else. I'm afraid of Bruce Schneier. Rumor has it he even can intercept information flow between quantumly entangled particles. Until we deal with the real threat, all your data are belong to us.

    1. Re:The real enemy to security by Aaden42 · · Score: 1

      So the new meme is s/Lee/Schneier/g now?

  4. Elliptic Curve by Big+Hairy+Ian · · Score: 1

    I thought Diffie Hellman relied on elliptic curves rather than huge prime numbers. Please correct me if I'm wrong

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Elliptic Curve by Anonymous Coward · · Score: 2, Informative

      We have Diffie-Helman (DH), Ephemeral Diffie-Hellman (DHE), Elliptic Curve Diffie–Hellman (ECDH), and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE).

  5. Re:DH groups by houstonbofh · · Score: 1

    I love that page. A good coverage of what is considered secure. In SmallWall, http://www.smallwall.org/ the continuation of m0n0wall, the IPsec configuration page actually has a link to that Cisco page, along with warnings about what is no longer secure.

    Note, however, that they also consider DH-2048 acceptable. I believe the general consensus is that it will be secure until about 2020.

  6. Re:Not several orders of magnitude by Aaden42 · · Score: 1

    The encryption is fine. The original key generation process is flawed. Regenerate keys correctly, and the traffic is secure(*) again.

    (*) At least to the point that (according to TFA) it should take the various TLA’s about a year per key of Very Expensive computer time to break.