imperfect forward secrecy how diffie hellman fails in
play

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice - PowerPoint PPT Presentation

Jan 12, 2024 •662 likes •1.01k views

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke Valenta, Benjamin

  1. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom´ e, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-B´ eguelin, Paul Zimmermann weakdh.org

  2. Textbook Diffie-Hellman [Diffie Hellman 1976] Public Parameters p a prime g < p group generator (often 2 or 5) Key Exchange g a mod p g b mod p g ab mod p g ab mod p

  3. Diffie-Hellman is extremely common on the Internet Protocol support for “mod p ” Diffie-Hellman, spring 2015: HTTPS Alexa Top 1M 68% HTTPS Trusted cert 24% SMTP StartTLS 41% IMAPS 75% POP3S 75% SSH 100% IPsec VPNs 100%

  4. “Perfect Forward Secrecy” “Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party.” “With Perfect Forward Secrecy, anyone possessing the private key and a wiretap of Internet activity can decrypt nothing.” “Ideally the DH group would match or exceed the RSA key size but 1024-bit DHE is arguably better than straight 2048-bit RSA so you can get away with that if you want to.” “But in practical terms the risk of private key theft, for a non-ephemeral key, dwarfs out any cryptanalytic risk for any RSA or DH of 1024 bits or more; in that sense, PFS is a must-have and DHE with a 1024-bit DH key is much safer than RSA-based cipher suites, regardless of the RSA key size.”

  5. Cryptanalysis: number field sieve discrete log algorithm Goal: Given g x ≡ y mod p , compute x . linear polynomial sieving descent y , g selection algebra p log db x precomputation individual log L (1 / 3 , 1 . 923) = exp(1 . 923(log p ) 1 / 3 (log log p ) 2 / 3 )

  6. Cryptanalysis: number field sieve discrete log algorithm Goal: Given g x ≡ y mod p , compute x . linear polynomial sieving descent y , g selection algebra p log db x precomputation individual log L (1 / 3 , 1 . 923) = exp(1 . 923(log p ) 1 / 3 (log log p ) 2 / 3 ) L (1 / 3 , 1 . 232)

  7. Cryptanalysis: number field sieve discrete log algorithm Goal: Given g x ≡ y mod p , compute x . linear polynomial sieving descent y , g selection algebra p log db x precomputation individual log L (1 / 3 , 1 . 923) = exp(1 . 923(log p ) 1 / 3 (log log p ) 2 / 3 ) L (1 / 3 , 1 . 232) Sieving Linear Algebra Descent RSA-512 0.5 core-years 0.33 core-years DH-512 2.5 core-years 7.7 core-years 10 core-mins Precomputation can be done once and reused for many individual logs!

  8. Our Results Result #1: “Logjam”: Active TLS MITM downgrade attack to 512-bit DHE export-grade cipher suites.

  9. Diffie-Hellman TLS Handshake hello, client random list of cipher suites [. . . DHE . . . ]

  10. Diffie-Hellman TLS Handshake hello, client random list of cipher suites [. . . DHE . . . ] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a )

  11. Diffie-Hellman TLS Handshake hello, client random list of cipher suites [. . . DHE . . . ] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a ) g b KDF( g ab , KDF( g ab , randoms) → randoms) → k m c , k m s , k e k m c , k m s , k e

  12. Diffie-Hellman TLS Handshake hello, client random list of cipher suites [. . . DHE . . . ] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  13. Export cipher suites in TLS TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_DES40_CBC_SHA FREAK attack [BDFKPSZZ 2015]: Implementation flaw; use fast 512-bit factorization to downgrade modern browsers to broken export-grade RSA. TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5 TLS_DH_Anon_EXPORT_WITH_DES40_CBC_SHA April 2015: 8.4% of Alexa top 1M HTTPS support DHE EXPORT .

  14. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  15. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] [DHE EXPORT] hello, server random, [DHE] certificate = public RSA key + CA signatures p , g , g a , Sign RSAkey ( p , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  16. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] [DHE EXPORT] hello, server random, [DHE EXPORT] certificate = public RSA key + CA signatures p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  17. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] [DHE EXPORT] hello, server random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (dialog) k m c , k m s , k e Enc k e (request)

  18. Logjam: Active downgrade attack to export Diffie-Hellman Protocol flaw: Server does not sign chosen cipher suite. hello, client random [. . . DHE . . . ] [DHE EXPORT] hello, server random, [DHE EXPORT][DHE] certificate = public RSA key + CA signatures p 512 , g , g a , Sign RSAkey ( p 512 , g , g a ) g b KDF( g ab , KDF( g ab , client finished: Auth k mc (modified dialog) randoms) → randoms) → k m c , k m s , k e server finished: Auth k ms (modified dialog) k m c , k m s , k e Enc k e (request)

  19. Most hosts use the same parameters Parameters hard-coded in implementations or built into standards. 97% of DHE EXPORT hosts choose one of three 512-bit primes. Hosts Source Year Bits 80% Apache 2.2 2005 512 13% mod ssl 2.3.0 1999 512 4% JDK 2003 512 Top ten primes accounted for 99% of hosts.

  20. Computing 512-bit discrete logs ◮ Carried out precomputation for Apache, mod ssl primes. polysel sieving linalg descent 2000-3000 cores 288 cores 36 cores DH-512 3 hours 15 hours 120 hours 70 seconds ◮ After 1 week precomputation, median individual log time 70s. ◮ Many ways attacker can work around delay. ◮ Logjam and our precomputations can be used to break connections to 8% of the HTTPS top 1M sites!

  22. Logjam mitigation ◮ Major browsers have raised minimum DH lengths: IE, Chrome, Firefox to 1024 bits; Safari to 768. ◮ TLS 1.3 draft includes anti-downgrade flag in client random.

  23. Our Results Result #1: “Logjam”: Active TLS MITM downgrade attack to 512-bit DHE “export”-grade cipher suites. Result #2: 1024-bit discrete log within range for governments. Parameter reuse allows wide-scale passive decryption.

  24. Cost estimates for 768- and 1024-bit DHE and RSA Sieving Linear Algebra Descent core-years core-years core-time RSA-512 0.5 0.33 DH-512 2.5 7.7 10 mins RSA-768 800 100 DH-768 8,000 28,500 2 days RSA-1024 1,000,000 120,000 DH-1024 10,000,000 35,000,000 30 days ◮ Special-purpose hardware →≈ 80 × speedup ◮ ≈ $ 100Ms machine precomputes for one 1024-bit p every year ◮ Then, individual logs can be computed in close to real time

  25. James Bamford, 2012, Wired According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.” [...] The breakthrough was enormous, says the former official, and soon afterward the agency pulled the shade down tight on the project, even within the intelligence community and Congress. “Only the chairman and vice chairman and the two staff directors of each intelligence committee were told about it,” he says. The reason? “They were thinking that this computing breakthrough was going to give them the ability to crack current public encryption.”

  26. Parameter reuse for 1024-bit Diffie-Hellman ◮ Precomputation for a single 1024-bit prime allows passive decryption of connections to 66% of VPN servers and 26% of SSH servers. (Oakley Group 2) ◮ Precomputation for a second common 1024-bit prime allows passive decryption for 18% of top 1M HTTPS domains. (Apache 2.2)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke

674 views • 45 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

1 C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA (Digital Signature Algorithm) standardized by NIST A) Generation of a key pair Select a prime q with 2 159 &lt; q &lt; 2 160 Select a

348 views • 11 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

CSS441 Public Key Crypto Principles RSA Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

461 views • 29 slides
A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1 Liqun Chen 2 Jiangtao Li 1 1. Intel Corporation, Hillsboro, Oregon, USA 2. Hewlett-Packard Laboratories, Bristol, UK InTrust 2012 Royal Holloway,

827 views • 17 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Background and Motivation Main Algorithm and Results On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger rgranger@computing.dcu.ie Claude Shannon Institute, UCD and DCU, Ireland ASIACRYPT, 8th December

655 views • 48 slides
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

461 views • 42 slides
BEYOND PROJECT AND SIGN FOR COSINE ESTIMATION WITH BINARY CODES Raghavendran Balu, Teddy

BEYOND PROJECT AND SIGN FOR COSINE ESTIMATION WITH BINARY CODES Raghavendran Balu, Teddy

BEYOND PROJECT AND SIGN FOR COSINE ESTIMATION WITH BINARY CODES Raghavendran Balu, Teddy Furon and Herv Jgou INRIA, Rennes Problem statement: Nearest Neighbors search Finding the closest vector(s) from a database for a given query

424 views • 18 slides
Log-Linear Models Michael Collins, Columbia University The Language Modeling Problem w i is

Log-Linear Models Michael Collins, Columbia University The Language Modeling Problem w i is

Log-Linear Models Michael Collins, Columbia University The Language Modeling Problem w i is the i th word in a document Estimate a distribution p ( w i | w 1 , w 2 , . . . w i 1 ) given previous history w 1 , . . . , w i 1

679 views • 33 slides
Implementing the CARES Act for HOPWA Competitive Renewal Grantees May 20, 2020 Presenters

Implementing the CARES Act for HOPWA Competitive Renewal Grantees May 20, 2020 Presenters

Implementing the CARES Act for HOPWA Competitive Renewal Grantees May 20, 2020 Presenters Office of HIV Housing: Rita Harcrow, Director Lisa Steinhauer, CPD Specialist The Cloudburst Group: Morgan Stephenson Heather Rhoda Steven Ellis

628 views • 23 slides
Sign-Up Campaign Internal Training Webinar Over-service the top 20% of your accounts. ~ David

Sign-Up Campaign Internal Training Webinar Over-service the top 20% of your accounts. ~ David

Top 20% Communication Sign-Up Campaign Internal Training Webinar Over-service the top 20% of your accounts. ~ David Connolly, IQ Consulting, NRP 2017 Business Sales Training 1. Campaign Details Kate Burnevik, Marketing Communication Manager

746 views • 36 slides
MATH 12002 - CALCULUS I 3.3: Increasing &amp; Decreasing Functions Professor Donald L. White

MATH 12002 - CALCULUS I 3.3: Increasing &amp; Decreasing Functions Professor Donald L. White

MATH 12002 - CALCULUS I 3.3: Increasing &amp; Decreasing Functions Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 11 First Derivative Tests Increasing/Decreasing

333 views • 11 slides
s r s srtr

s r s srtr

s r s srtr t sttr r rrss ss rr

665 views • 38 slides
O F A V IRTUAL C AREER F AIR Sponsored by Tyler Gerstandt Director of Audit Services 1

O F A V IRTUAL C AREER F AIR Sponsored by Tyler Gerstandt Director of Audit Services 1

8/27/2020 M AKING T HE M OST O F A V IRTUAL C AREER F AIR Sponsored by Tyler Gerstandt Director of Audit Services 1 8/27/2020 C AREER F AIR O VERVIEW A ND H ANDSHAKE A CCESS Going Virtual! A virtual format will enhance the experience,

554 views • 19 slides
Overview of SPS-Provided Technology Student-Parent Orientations 2020-2021 Springfield Public

Overview of SPS-Provided Technology Student-Parent Orientations 2020-2021 Springfield Public

Overview of SPS-Provided Technology Student-Parent Orientations 2020-2021 Springfield Public Schools 2020-2021 Springfield Public Schools 2020-2021 Springfield Public Schools 2016-2017 Topics Covered About your students username and

617 views • 16 slides

More recommend