Thursday, February 4, 2016

What is Logjam Attack ?



By default, internet is unsecured. Data transferred between two hosts normally are not encrypted. As a result, attackers can intercept the connection easily and listen to the conversation.

To counter the problem, we use protocols like SSH, SSL and TLS. These protocols establish a secure connection between two hosts and encrypt the data before transferring it. Email communications, bank transactions or VPN connections rely on these secure protocols.

If we look deeply, to establish a secure connection, the two hosts need to agree on a few parameters like the secret keys using which the data is encrypted and then transferred. And, that is exactly when protocols like Diffie-Hellman Key Exchange Protocol are used.

To transfer data in encrypted fashion, the two hosts communicating over the unsecured network need to agree on some secret parameters. And, these parameters need to get exchanged even before a proper secure connection is established. So, clearly at that point the communication can be intercepted by an attacker. So, the secret parameters cannot be exchanged as it is.

Diffie-Hellman Key Exchange Protocol enables the two hosts to agree on secret parameters for the secure communication, without transferring the secret parameters themselves.




Classical Diffie-Hellman Key Exchange Protocol


Let's try to understand in simple English, how Diffie-Hellman Protocol actually works.

Let's say, Alice and Bob are communicating with each other over the unsecured network and they want to agree on a secret parameter K, using which they would later encrypt all the data getting transferred between them.





To do that, Alice and Bob will first agree on a prime number p and a generator g which is a primitive root of p.

Now, Alice will take an integer a secret only to her and compute A = ga mod p Alice will then transfer A to Bob.

Now, Bob will receive A and compute B = gb mod p, where b is an integer secret only to Bob. Bob will transfer B to Alice.

Now, Alice will compute K = Ba mod p

And, Bob will compute K = Ab mod p


Because of properties of p and corresponding g, K = Ba mod p = Ab mod p

Please note that, even if an attacker eavesdrop the connection and grabs the values of g, p, A and B which are communicated between Alice and Bob, it will be computationally infeasible for the attacker to derive the value of secret parameter K. And, now Alice and Bob are free to encrypt the data using the secret key K and transfer between them.

To find out more on Diffie-Hellman Key Exchange Protocol, please see Diffie-Hellman Key Exchange Protocol




Where is Diffie-Hellman Key Exchange Protocol Used


Diffie-Hellman Key Exchange Protocol is used in protocols like SSL/TLS and IPSec. These protocols are used extensively in bank transactions, email communications, VPN Connections etc.




Implementation of Diffie-Hellman Key Exchange Protocol in Server-Client Secure Communications


There are many types of Diffie-Hellman Key Exchanges like Diffie-Hellman or DHE cipher suites, Elliptic Curve Diffie-Hellman or ECDHE cipher suites. An important property of DHE and ECDHE is they both provide Forward Secrecy, which means, even if the server key is compromised at some point, the key cannot be used to decrypt past connections. This ensures security in a better way.

Logjam Attack applies to non-EC Diffie-Hellman Key Exchange or DHE. So, we will discuss about how DHE works between a server and the client in this article.


This is how the server and the client communicate with each other in DHE.

  • The client sends a Client Hello message to the server and advertises its support for DHE cipher suites.
  • The server picks the parameters and performs half of the DH computations using those parameters.
  • The server signs those parameters using its certificate and sends them to the client.
  • The client verifies the signature, performs rest of the computation using the parameters and sends the result to the server.
  • Both the server and the client put all the computations together and derive the secret key, using which they can now encrypt the data transferred between them.



What is Logjam Attack


I think now we are quite ready to discuss about Logjam Attack. Logjam Attack is an attack which was first reported in May, 2015.

Some servers and clients support DHE_EXPORT instead of the DHE cipher suites. Because of this, the server and the client communicationg with each other select weaker parameters for Diffie-Hellman Key Exchange. Weaker parameters, especially the length of prime number p, weakens the algorithm much, especially when p is selected to be 512 bit long.

If we look deeply, if an attacker captures the value of g and ga and from there compute the value of a, he can make an attack. And, this becomes considerable easier when the selected prime number p is 512 bit long.

So, if the client asks for DHE_EXPORT, instead of DHE to the server and selects the length of p to be 512 bit long, the algorithm becomes vulnerable. And, the attackers exploit this opportunity.


In Logjam Attack, the attacker intercept the connection between the server and the client and replaces the ciphersuites with DHE_EXPORT.

The server cannot understand the trickery of the attacker. It simply goes for DHE_EXPORT and selects weaker parameter of 512 bit.

The server continues with its computation and sends the signed parameters to the client.

When the client finds DHE_EXPORT, it also cannot understand the trickery. It supposes the server does not support DHE and it continues with its computations using those parameters.

The server and the client goes ahead with deriving the secret key. But, the attacker breaks that easily and gets the secret data.



Mitigation


So, the most important question is can we mitigate this attack ?

The answer is yes.

The server and the client communicating with each other can draw a line about how weak the parameters can be. The server can opt for selecting parameters which are at least 1024 bits long. And, the client can refuse to connect to any server which select parameters weaker than 1024 bits.


Good that most of the web browsers including Chrome, Firefox, Safari, Internet Explorer are working on this.  

No comments:

Post a Comment