Newly disclosed Logjam bug might be how the NSA broke VPNs
Another vulnerability courtesy of 1990s-era US export restrictions on cryptography has been discovered, and researchers believe it might be how the NSA managed to regularly break their targets’ encrypted connections.
The vulnerability is due to several weaknesses in how Diffie-Hellman key exchange – a cryptographic algorithm that allows two parties that have no prior knowledge of each other to establish a shared secret key over an insecure channel, and therefore to create a secure connection – is implemented.
The Diffie-Hellman key exchange is used in many internet protocols, such as HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
A group of researchers from several French and US universities and from Microsoft have investigated the algorithm’s security and found that:
- A man-in-the-middle attacker can downgrade vulnerable TLS connections to 512-bit export-grade cryptography, which allows him to read and modify any data passed over the connection. They dubbed this attack “Logjam,” and say that the vulnerability affects all modern web browsers and many HTTPS websites and mail servers.
- Nation-state attackers with adequate resources can perform precomputations on several 768- and 1024-bit prime Diffie-Hellman groups used for TLS, allowing them to eavesdrop on most Internet connections, as “a small number of fixed or standardized groups are in use by millions of TLS, SSH, and VPN servers.”
“Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers,” the researchers noted. “A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”
For more details about the attacks check out the technical report.
The researchers advise server administrators to disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group (here‘s how), and developers to steer clear of Diffie-Hellman Groups smaller than 1024-bit and to use up-to-date TLS libraries.
Users should take care to update their browser – Chrome, Firefox, Safari, Internet Explorer, and the Android Browser – to the latest version, and do so regularly in the incoming days, as the companies are all in the process of fixing the vulnerabilities that allow the Logjam attack.