By default, the internet is not secure. Data transferred between two hosts is normally not encrypted. As a result, attackers can easily intercept the connection and listen to the conversation.
To counter the problem, we use
protocols like SSH, SSL and TLS. These protocols establish a secure
connection between two hosts and encrypt the data before transferring
it. Email communications, bank transactions or VPN connections rely
on these secure protocols.
Looking more closely, to establish a secure connection the two hosts need to agree on a few parameters, such as the secret keys with which the data is encrypted before it is transferred. That is exactly where protocols like the Diffie-Hellman Key Exchange Protocol are used.
To transfer data in encrypted form, the two hosts communicating over the unsecured network need to agree on some secret parameters. These parameters need to be exchanged even before a proper secure connection is established, so at that point the communication can clearly be intercepted by an attacker. The secret parameters therefore cannot be exchanged as they are.
Diffie-Hellman Key Exchange Protocol
enables the two hosts to agree on secret parameters for the secure
communication, without transferring the secret parameters themselves.
Classical Diffie-Hellman Key Exchange Protocol
Let's try to understand in simple
English, how Diffie-Hellman Protocol actually works.
Let's say, Alice and Bob are
communicating with each other over the unsecured network and they
want to agree on a secret parameter K, using which they would later
encrypt all the data getting transferred between them.
To do that, Alice and Bob will first
agree on a prime number p and a generator g which is a primitive root
of p.
Now, Alice will take an integer a, secret only to her, and compute A = g^a mod p. Alice will then transfer A to Bob.
Now, Bob will receive A and compute B = g^b mod p, where b is an integer secret only to Bob. Bob will transfer B to Alice.
Now, Alice will compute K = B^a mod p.
And, Bob will compute K = A^b mod p.
Because of the properties of p and the corresponding g, K = B^a mod p = A^b mod p = g^(ab) mod p.
Please note that even if an attacker eavesdrops on the connection and grabs the values of g, p, A and B, which are communicated between Alice and Bob, it will be computationally infeasible for the attacker to derive the value of the secret parameter K. Alice and Bob are now free to encrypt the data using the secret key K and transfer it between them.
To find out more on Diffie-Hellman Key Exchange Protocol, please see Diffie-Hellman Key Exchange Protocol
Where is Diffie-Hellman Key Exchange Protocol Used
Diffie-Hellman Key Exchange Protocol is
used in protocols like SSL/TLS and IPSec. These protocols are used
extensively in bank transactions, email communications, VPN
Connections etc.
Implementation of Diffie-Hellman Key Exchange Protocol in Server-Client Secure Communications
There are several types of Diffie-Hellman key exchange, such as the Diffie-Hellman (DHE) cipher suites and the Elliptic Curve Diffie-Hellman (ECDHE) cipher suites. An important property of DHE and ECDHE is that both provide Forward Secrecy, which means that even if the server key is compromised at some point, it cannot be used to decrypt past connections. This provides better security.
The Logjam Attack applies to the non-EC Diffie-Hellman Key Exchange, or DHE. So, in this article we will discuss how DHE works between a server and a client.
This is how the server and the client
communicate with each other in DHE.
- The client sends a Client Hello message to the server and advertises its support for DHE cipher suites.
- The server picks the parameters and performs half of the DH computations using those parameters.
- The server signs those parameters using its certificate and sends them to the client.
- The client verifies the signature, performs the rest of the computation using the parameters and sends the result to the server.
- Both the server and the client put all the computations together and derive the secret key, using which they can now encrypt the data transferred between them.
What is Logjam Attack
I think we are now ready to discuss the Logjam Attack. The Logjam Attack was first reported in May 2015.
Some servers and clients support DHE_EXPORT instead of the DHE cipher suites. Because of this, the server and the client communicating with each other select weaker parameters for the Diffie-Hellman Key Exchange. Weaker parameters, especially a shorter prime number p, weaken the algorithm considerably, particularly when p is selected to be 512 bits long.
Looking more closely, if an attacker captures the values of g and g^a and from them computes the value of a, he can mount an attack. This becomes considerably easier when the selected prime number p is 512 bits long.
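The exchange described earlier and the effect of a small p, as an added example that is not from the original article. The 31-bit prime 2^31 - 1 with primitive root 7 is a constructed toy group, and the baby-step giant-step search stands in for the far heavier computation needed against a 512-bit p; all function names are illustrative.

```python
import math
import secrets

# Constructed toy group (assumption, not from the article): p = 2^31 - 1, g = 7.
P = 2_147_483_647
G = 7

def dh_keypair(p, g):
    """Pick a private exponent and return (private, public = g^private mod p)."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p - 2
    return priv, pow(g, priv, p)

def dh_shared(their_public, my_private, p):
    """K = (their public value)^(my private exponent) mod p."""
    return pow(their_public, my_private, p)

def discrete_log(g, target, p):
    """Baby-step giant-step: find x with g^x = target (mod p) in about sqrt(p) steps."""
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):                           # table of g^j for j < m
        baby.setdefault(cur, j)
        cur = cur * g % p
    factor = pow(g, -m, p)                       # g^(-m) mod p (Python 3.8+)
    gamma = target
    for i in range(m):                           # test target * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * factor % p
    raise ValueError("no discrete log found")

def demo():
    """Run one exchange and return the key as seen by Alice, Bob and an eavesdropper."""
    a, A = dh_keypair(P, G)
    b, B = dh_keypair(P, G)
    k_alice = dh_shared(B, a, P)                 # K = B^a mod p
    k_bob = dh_shared(A, b, P)                   # K = A^b mod p
    # The eavesdropper sees only p, g, A and B. With a 31-bit p, a is recoverable.
    a_recovered = discrete_log(G, A, P)
    k_eve = dh_shared(B, a_recovered, P)
    return k_alice, k_bob, k_eve

if __name__ == "__main__":
    print(demo())
```

The secrecy of K rests entirely on the size of p: the same search that finishes in tens of thousands of steps here is out of reach for a properly sized prime.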
So, if the client asks the server for DHE_EXPORT instead of DHE and the length of p is selected to be 512 bits, the algorithm becomes vulnerable. Attackers exploit this opportunity.
In a Logjam Attack, the attacker intercepts the connection between the server and the client and replaces the cipher suites with DHE_EXPORT.
The server cannot detect the attacker's trickery. It simply goes for DHE_EXPORT and selects a weaker parameter of 512 bits.
The server continues with its computation and sends the signed parameters to the client.
When the client finds DHE_EXPORT, it cannot detect the trickery either. It supposes the server does not support DHE and continues with its computations using those parameters.
The server and the client go ahead with deriving the secret key. But the attacker breaks it easily and gets the secret data.
Mitigation
So, the most important question is: can we mitigate this attack?
The answer is yes.
The server and the client communicating with each other can draw a line on how weak the parameters can be. The server can opt for selecting parameters which are at least 1024 bits long. And the client can refuse to connect to any server which selects parameters weaker than 1024 bits.
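One way a client can enforce this floor, as an added example rather than code from any TLS library: it parses the dh_p, dh_g and dh_Ys fields that a DHE ServerKeyExchange message carries (each a 2-byte length followed by the value) and rejects a prime below the minimum. The function names and the sample messages are constructed for illustration.

```python
import struct

MIN_DH_BITS = 1024  # floor named in the article; pass a larger min_bits to be stricter

class WeakDHParams(Exception):
    """The server offered Diffie-Hellman parameters the client will not accept."""

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_server_dh_params(buf):
    """Parse dh_p, dh_g, dh_Ys from the start of a ServerKeyExchange body."""
    p_raw, off = _read_vec16(buf, 0)
    g_raw, off = _read_vec16(buf, off)
    ys_raw, _ = _read_vec16(buf, off)            # the signature that follows is ignored
    return tuple(int.from_bytes(v, "big") for v in (p_raw, g_raw, ys_raw))

def check_dh_params(buf, min_bits=MIN_DH_BITS):
    """Return the bit length of dh_p, or raise WeakDHParams if the offer is unacceptable."""
    p, g, ys = parse_server_dh_params(buf)
    if p.bit_length() < min_bits:
        raise WeakDHParams(f"dh_p is {p.bit_length()} bits, minimum is {min_bits}")
    if not (1 < g < p - 1) or not (1 < ys < p - 1):
        raise WeakDHParams("dh_g or dh_Ys is outside the range 2..p-2")
    return p.bit_length()

def _vec16(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw

def build_params(p, g, ys):
    return _vec16(p) + _vec16(g) + _vec16(ys)

# Constructed sample bodies: odd numbers of the right size stand in for real primes.
EXPORT_GRADE = build_params((1 << 511) | 1, 2, 4)
ACCEPTABLE = build_params((1 << 1023) | 1, 2, 4)
```

The check runs before the client performs its half of the computation, so a 512-bit offer ends the handshake instead of producing a key.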
The good news is that most web browsers, including Chrome, Firefox, Safari and Internet Explorer, are working on this.