
HTTPS-crippling attack threatens tens of thousands of Web and mail servers

ObscureMammal

Source: http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

https://weakdh.org/

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

 
The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they're communicating over an unsecured, public channel.
 
The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regime was established by the Clinton administration so the FBI and other agencies could break the encryption used by foreign entities. Attackers with the ability to monitor the connection between an end user and a Diffie-Hellman-enabled server that supports the export cipher can inject a special payload into the traffic that downgrades encrypted connections to use extremely weak 512-bit key material. Using precomputed data prepared ahead of time, the attackers can then deduce the encryption key negotiated between the two parties.
 
"Logjam shows us once again why it's a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for," J. Alex Halderman, one of the scientists behind the research, wrote in an e-mail to Ars. "That's exactly what the US did in the 1990s with crypto export restrictions, and today that backdoor is wide open, threatening the security of a large part of the Web." ...

 

 
Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically:
 
"The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable."
 
Here's the academic paper
 
 
One of the problems with patching the vulnerability is that it breaks things:
 
"On the plus side, the vulnerability has largely been patched thanks to consultation with tech companies like Google, and updates are available now or coming soon for Chrome, Firefox and other browsers. The bad news is that the fix rendered many sites unreachable, including the main website at the University of Michigan, which is home to many of the researchers that found the security hole."
 
This is a common problem with version downgrade attacks; patching them makes you incompatible with anyone who hasn't patched. And it's the vulnerability the media is focusing on.
 
Much more interesting is the other vulnerability that the researchers found:
 
"Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve -- the most efficient algorithm for breaking a Diffie-Hellman connection -- is dependent only on this prime. After this first step, an attacker can quickly break individual connections."
 
The researchers believe the NSA has been using this attack:
 
"We carried out this computation against the most common 512-bit prime used for TLS and demonstrate that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT. We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break."
 
 
 
Edward Snowden and Jameel Jaffer, from the ACLU, did an AMA on reddit earlier today and a user asked about this topic:

Q: Do you believe that NSA has done massive pre-computation of common groups to passively break Diffie-Hellman exchanges in protocols (TLS, SSH, IPsec) as posited in the recent paper Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice?

 

Snowden: So this attack was published just yesterday, I believe. I had a private talk recently with several of the best cryptographers and computer security researchers in the US at Princeton, including some of the authors of the paper. I've spoken with some of them in the wake of this publication, and the general consensus was that they would be amazed if the NSA was not doing this, and in fact a close reading of some of the previously published NSA documents on efforts against VPN connections implies a similar effort. All I can say is that I share their suspicions, but I simply do not know the answer one way or another. I don't want to mislead anybody by speculating.

Given that the attack you cite, which can just as easily be performed by any government from Belgium to China, is a product of previous efforts by the US Government to weaken encryption standards, members of Congress should be writing letters to the Director of National Intelligence to find out why the NSA failed to close a vulnerability that left huge percentages of American (and international) internet traffic at risk.

 

Noah Swartz: A few days ago a group of researchers published what's being called the 'logjam attack' (https://weakdh.org/) and seem to think that it fits the description of some of the capabilities described in some of the NSA slides you released. Does it seem plausible to you that this was in fact a vulnerability that was being exploited by the NSA?

 

Snowden: I wish I could help more, because this vulnerability represents the central folly of government interference in cryptographic standards. For those who are not familiar with it, this vulnerability exists in most browsers and server packages only because the US Government regulations meant "weak cryptography" fallbacks were mandated in 90s-era software exports... the problem is today, those fallbacks still exist, and even domestic US communications can be tricked into "falling back" to them. Basically, some truly brilliant researchers published a paper yesterday proving your modern smartphones or laptops can be tricked into using awful paper-thin crypto mandated as a result of long-dead policies from the 90s. This constitutes a central threat to the security of the internet that is so central to our economy, but few journalists and politicians have a meaningful understanding of cryptography or its implications.

 
Unfortunately, even to people who work directly with mass surveillance tools like XKEYSCORE, the details and capabilities of NSA's CES (Cryptographic Exploitation Service) office are a black box. The way it worked for someone like me, who analyses computer-to-computer communications (rather than the legacy phone networks) for NSA, is that you'd basically query your way through the rolling buffer of the previous days' internet traffic -- the de rigueur -- until you find something that is relevant to your actors (the people/groups you're targeting) that is clearly enciphered but (based on a review of the data flow and knowledge of the target's pattern of life) doesn't look like it would be a low-value waste of time (like an encrypted video streaming site) to decrypt.
 
You then flag those comms and task them to CES for processing. If they've got a capability against it and consider your target worth using it against, they'll return the plaintext decrypt. They might even set up a processor to automate decryption for that data flow going forward, as matching traffic gets ingested when it passes the mass surveillance sensors out at the telecom companies and landing sites. If you don't meet CES's justifications for the capability use or they lack a capability, you get nothing back. In my experience NSA rarely uses meaningful decryption capabilities against terrorists, firstly because most of those who actually work in intelligence consider terrorism to be a nuisance rather than a national security threat, and secondly because terrorists are so fantastically inept that they can be countered through far less costly means.
 
The down side of this is most analysts who aren't already technically high speed (and the average NSA analyst is an unimpressive uniform who learned to paint by numbers in a government class, but knows how to punch the buttons, although there are also people who are almost impossibly talented) just stop bothering to request decrypts on anything that they don't know from rumor or personal experience there is a capability against, because they figure it's not worth the effort of writing an email. On the plus side, it's great opsec.
 
I try not to speculate on this topic, because a bad answer can be worse than no answer, so I have to limit my replies to things that I both have personal knowledge of and journalists have done a public-interest review of.

To summarize the linked response: I don't know, and none of our representatives in Congress have been willing to tell us. What I can say is that some of the finest minds in cryptography find it unbelievable that NSA did not have knowledge of this weakness. The fact that they did not publicly disclose it is concerning in either case:
 
  • If they knew about it and did exploit the vulnerability rather than publicly disclosing it, they placed critical US (and international) infrastructure at risk for over a decade, which has certainly been exploited by adversaries of any sophistication.
  • If they did not know about it, but a team of academics with no access to nation-state resources could both find the vulnerability and prove that it works, it's incompetent to the point of negligence.

 

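Both halves of the post above (the downgrade that the signature cannot detect, and the precomputation that only depends on the shared prime) fit in one small simulation. This is an added example, not code from Ars, Schneier's blog or the weakdh.org paper, and it uses stand-ins that are assumptions of the example: a 31-bit prime in place of the 512-bit export group, a 127-bit prime in place of the "strong" group, an HMAC in place of the RSA signature under the server certificate, baby-step giant-step in place of the number field sieve, and a 64-bit floor in place of the 1024-bit minimum that patched browsers enforce. The suite names and the `hello` dictionary are invented for the toy handshake.

```python
import hashlib
import hmac
import math
import secrets

# Toy stand-ins (assumption, not the paper's parameters): in the real attack the export
# group has a 512-bit prime and the "strong" group 1024 bits or more.
STRONG_P, STRONG_G = (1 << 127) - 1, 3   # 127-bit Mersenne prime; out of reach for the brute force below
EXPORT_P, EXPORT_G = (1 << 31) - 1, 7    # 31-bit Mersenne prime standing in for the shared 512-bit export prime
MIN_PRIME_BITS = 64                      # toy version of the 1024-bit floor patched browsers enforce

SUITES = {
    "DHE_RSA_WITH_AES_128_CBC_SHA": (STRONG_P, STRONG_G),
    "DHE_RSA_EXPORT_WITH_DES40_CBC_SHA": (EXPORT_P, EXPORT_G),
}

# HMAC stands in for the RSA signature under the server's certificate key; the client
# "verifies" by recomputing it. What matters is which bytes get signed, not the algorithm.
SERVER_SIGNING_KEY = secrets.token_bytes(32)


def sign(transcript):
    return hmac.new(SERVER_SIGNING_KEY, transcript, hashlib.sha256).digest()


def signed_bytes(client_random, server_random, p, g, ys):
    # TLS 1.2 ServerKeyExchange signs client_random || server_random || ServerDHParams.
    # The negotiated cipher suite is not included: that is the protocol flaw Logjam uses.
    return client_random + server_random + b"|".join(str(v).encode() for v in (p, g, ys))


def server_hello(offered_suites, client_random):
    """Server side: pick the first offered suite, make an ephemeral DH share, sign the params."""
    suite = offered_suites[0]
    p, g = SUITES[suite]
    y = secrets.randbelow(p - 2) + 1
    ys = pow(g, y, p)
    server_random = secrets.token_bytes(32)
    sig = sign(signed_bytes(client_random, server_random, p, g, ys))
    return {"suite": suite, "server_random": server_random, "p": p, "g": g, "ys": ys, "sig": sig}, y


def client_key_exchange(hello, client_random, enforce_min_bits):
    """Client side: verify the signature, optionally reject small primes, derive the shared secret."""
    expected = sign(signed_bytes(client_random, hello["server_random"], hello["p"], hello["g"], hello["ys"]))
    if not hmac.compare_digest(expected, hello["sig"]):
        raise ValueError("bad ServerKeyExchange signature")
    if enforce_min_bits and hello["p"].bit_length() < MIN_PRIME_BITS:
        raise ValueError("DH prime too small")
    x = secrets.randbelow(hello["p"] - 2) + 1
    return pow(hello["g"], x, hello["p"]), pow(hello["ys"], x, hello["p"])   # (Yc, premaster secret)


class DlogBreaker:
    """Baby-step giant-step: the baby-step table depends only on (p, g), so it is built once
    and reused against every connection that uses the same prime (the paper's point about
    shared primes, with the NFS precomputation replaced by this toy-sized table)."""

    def __init__(self, p, g):
        self.p, self.m = p, math.isqrt(p) + 1
        self.table, cur = {}, 1
        for j in range(self.m):             # baby steps: g^j -> j
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -self.m, p)     # g^(-m)

    def dlog(self, h):
        cur = h                              # giant steps: the only per-connection work
        for i in range(self.m):
            if cur in self.table:
                return i * self.m + self.table[cur]
            cur = cur * self.giant % self.p
        raise ValueError("no discrete log found")


def mitm_downgrade(client_random, enforce_min_bits, breaker):
    """Attacker rewrites the ClientHello so the server sees only the export suite, passes the
    signed ServerKeyExchange through unchanged, then solves Yc to recover the premaster secret.
    Returns True if the recovered secret matches the client's. (In real TLS the Finished MAC
    would expose the tampered ClientHello, but the attacker already holds the key and forges it.)"""
    hello, _ = server_hello(["DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"], client_random)
    yc, premaster = client_key_exchange(hello, client_random, enforce_min_bits)
    x = breaker.dlog(yc)
    return pow(hello["ys"], x, hello["p"]) == premaster


def demo():
    """Unpatched client: key recovered. Patched client: handshake refused. Returns both outcomes."""
    breaker = DlogBreaker(EXPORT_P, EXPORT_G)       # one-time precomputation for the shared prime
    client_random = secrets.token_bytes(32)
    unpatched = mitm_downgrade(client_random, False, breaker)
    try:
        patched = mitm_downgrade(client_random, True, breaker)
    except ValueError as err:
        patched = str(err)
    return unpatched, patched


if __name__ == "__main__":
    print(demo())
```

The unpatched client accepts the export group because the signature it checks is genuine; nothing it verifies says which suite it originally asked for. The patched client never gets that far, which is exactly why the browser fix broke sites still serving small groups. Note also that `DlogBreaker` is constructed once and reused for every connection to the same prime; swap the toy table for a real NFS precomputation and that is the paper's "millions of servers share one prime" argument.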

The fix to the government-mandated critical bug in the encryption rendered the website of the researchers who found the bug unreachable.

 

America, W T F are you doing.



*facedesk* Can I call the FBI retarded now?


Welp. Time to add the DHE export ciphers to my block list for Apache.

--Neil Hanlon

Operations Engineer

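Once the block list is in place, the thing worth checking is whether the server will still negotiate a DHE_EXPORT suite at all. The probe below is an added example, not Neil's configuration or the weakdh.org test tool: it sends a TLS 1.0 ClientHello that offers only the two DHE export suites (code points 0x0011 and 0x0014 from RFC 2246) plus an SNI extension, and classifies the first record that comes back. Assumptions of the example: a server that accepts one of these suites answers with a ServerHello naming it, and a server that has dropped them answers with an alert; the hostname in the test is constructed and never contacted.

```python
import os
import socket
import struct
import sys

# Code points of the export-grade DHE suites (RFC 2246); a server that negotiates one of
# these is Logjam-downgradeable. Assumption: offering only these two suffices to detect support.
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
TLS10 = 0x0301   # export suites are a TLS 1.0-era feature, so the probe speaks TLS 1.0


def build_client_hello(hostname, suites=tuple(DHE_EXPORT_SUITES), client_random=None):
    """Return one TLS record holding a ClientHello that offers only `suites` (plus an SNI extension)."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    name = hostname.encode("idna")
    server_name_list = struct.pack("!BH", 0, len(name)) + name           # name_type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extension = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data       # extension_type 0 = server_name
    body = (struct.pack("!H", TLS10) + client_random + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                                  # one compression method: null
            + struct.pack("!H", len(extension)) + extension)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake  # ContentType handshake


def classify_response(data):
    """Classify the first TLS record a server sent back to the export-only ClientHello."""
    if len(data) < 5:
        return "no-tls", None
    content_type, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15:                         # Alert: the server refused every offered suite
        return "refused", None
    if content_type != 0x16 or len(payload) < 39 or payload[0] != 0x02:
        return "unexpected", None
    session_id_len = payload[38]                     # 4-byte handshake header + version(2) + random(32)
    offset = 39 + session_id_len
    if len(payload) < offset + 2:
        return "unexpected", None
    suite = struct.unpack("!H", payload[offset:offset + 2])[0]
    if suite in DHE_EXPORT_SUITES:
        return "vulnerable", DHE_EXPORT_SUITES[suite]
    return "unexpected", "0x%04x" % suite            # server chose something we never offered


def probe(hostname, port=443, timeout=5.0):
    """Open a TCP connection, send the ClientHello and classify the first response record."""
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(hostname))
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python probe.py mail.example.org 443` (hostname and port are yours; the names here are placeholders). "refused" is the answer you want after the change; "vulnerable" means the suite is still live. On the Apache side the two directives that matter are `SSLCipherSuite` with `!EXPORT` (or `!EXP`) in the string and, on 2.4.8 or later with OpenSSL 1.0.2, `SSLOpenSSLConfCmd DHParameters` pointing at a file holding a 2048-bit group, which addresses the shared-prime problem rather than just the export one.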

 

This is a common problem with version downgrade attacks; patching them makes you incompatible with anyone who hasn't patched.

 

That's not exactly a bug, more like a feature given that anyone who has not patched is otherwise vulnerable.

 

The problem isn't so much what the Clinton administration did, as the general laziness and/or cost cutting that leads to misplaced levels of trust.
