Logjam (computer security)
Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015.[1] The discoverers were able to demonstrate their attack on 512-bit (US export-grade) DH systems. They estimated that a state-level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048 bits for shared prime systems.[2][3][4]
Details
Diffie–Hellman key exchange depends for its security on the presumed difficulty of solving the
One approach enabled by this vulnerability that the authors demonstrated was using a
The authors also estimated the feasibility of the attack against 1024-bit Diffie–Hellman primes. By design, many Diffie–Hellman implementations use the same pre-generated
Responses
- On May 12, 2015, Microsoft released a patch for Internet Explorer.[9]
- On June 16, 2015, the Tor Browser project released a fix.[10]
- On June 30, 2015, Apple released a patch for both OS X Yosemite and iOS 8 operating system.[11][12]
- On June 30, 2015, the Mozilla project released a fix for the Firefox browser.[13]
- On September 1, 2015, Google released a fix for the Chrome browser.[14]
- On December 6, 2017, RFC 8270 was published, titled "Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits".
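The vendor fixes listed above share one mechanism: the client refuses to continue a DHE handshake when the server's prime is shorter than a floor, which also defeats the downgrade described in CVE-2015-4000, because an export-grade 512-bit prime fails the size check regardless of which cipher suite the client believes was negotiated. The following is an added illustration, not code from the article or from any of the vendors named above. It parses the TLS 1.2 ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 16-bit-length-prefixed big-endian integer, as in RFC 5246 section 7.4.3) and applies a minimum-size check. The function names, the 2048-bit floor, and the sample moduli are assumptions made for the example; the moduli are constructed stand-ins with the right bit lengths, not real DH primes.

```python
# Added example: validating TLS 1.2 ServerDHParams against a minimum prime size.
# Names, the floor, and the sample values are constructed for this illustration.

from typing import Optional, Tuple

# Floor on the DH prime length in bits. Assumed value for this example; the vendor
# fixes cited on the page used 768, 1023 or 1024 bits, and the page recommends 2048.
MIN_DH_PRIME_BITS = 2048


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialise ServerDHParams as TLS 1.2 sends it: dh_p, dh_g, dh_Ys,
    each a big-endian integer prefixed with a 2-byte length."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def parse_server_dh_params(buf: bytes) -> Tuple[int, int, int]:
    """Parse dh_p, dh_g, dh_Ys from a ServerDHParams byte string.
    Raises ValueError on truncation, zero-length fields or trailing bytes."""
    values = []
    offset = 0
    for field in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(buf):
            raise ValueError(f"truncated before length of {field}")
        length = int.from_bytes(buf[offset:offset + 2], "big")
        offset += 2
        if length == 0 or offset + length > len(buf):
            raise ValueError(f"bad length for {field}")
        values.append(int.from_bytes(buf[offset:offset + length], "big"))
        offset += length
    if offset != len(buf):
        raise ValueError("trailing bytes after ServerDHParams")
    return values[0], values[1], values[2]


def check_dh_params(p: int, g: int, ys: int,
                    min_bits: int = MIN_DH_PRIME_BITS) -> Optional[str]:
    """Return None if the parameters are acceptable, otherwise a rejection reason.
    The size floor is the check the Logjam fixes added; the range checks are
    basic sanity conditions a client should apply to any DH parameters."""
    if p.bit_length() < min_bits:
        return f"prime too short: {p.bit_length()} bits < {min_bits}"
    if p % 2 == 0:
        return "prime is even"
    if not 2 <= g <= p - 2:
        return "generator out of range"
    if not 2 <= ys <= p - 2:
        return "server public value out of range"
    return None


# Constructed sample moduli: odd numbers with the top bit set so that they have
# exactly 512 and 2048 bits. They are NOT primes and NOT real DH groups.
P_512_SAMPLE = (1 << 511) | 1      # what an export-grade DHE_EXPORT server would send
P_2048_SAMPLE = (1 << 2047) | 1    # what a server meeting the recommended floor sends


def evaluate_server_key_exchange(buf: bytes) -> Optional[str]:
    """Parse a ServerDHParams blob and return None (accept) or a reason string."""
    try:
        p, g, ys = parse_server_dh_params(buf)
    except ValueError as exc:
        return f"malformed ServerDHParams: {exc}"
    return check_dh_params(p, g, ys)


def demo() -> dict:
    """Run the check over a 512-bit and a 2048-bit sample exchange."""
    export_blob = encode_server_dh_params(P_512_SAMPLE, 2, pow(2, 12345, P_512_SAMPLE))
    strong_blob = encode_server_dh_params(P_2048_SAMPLE, 2, pow(2, 12345, P_2048_SAMPLE))
    return {
        "512-bit": evaluate_server_key_exchange(export_blob),
        "2048-bit": evaluate_server_key_exchange(strong_blob),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {'accepted' if verdict is None else 'rejected (' + verdict + ')'}")
```

A real client would apply this check to the ServerKeyExchange message before computing its own DH share; rejecting early means no key material is ever derived from the weak group. The size floor alone does not establish that the prime is well-formed or that the group is one whose discrete logarithm has not been precomputed, which is why the recommendation of at least 2048 bits is paired with moving away from widely shared primes.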
See also
- BEAST (computer security)
- BREACH (security exploit)
- CRIME
- POODLE
- Server-Gated Cryptography
References
- ^ a b "The Logjam Attack". weakdh.org. 2015-05-20. Archived from the original on 2021-03-29. Retrieved 2015-05-20.
- ^ Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica. Archived from the original on 2017-05-19. Retrieved 2022-04-30.
- ^ ZDNet. Archived from the original on 2015-05-23. Retrieved 2015-05-23.
- ^ Valentino-DeVries, Jennifer (2015-05-19). "New Computer Bug Exposes Broad Security Flaws". The Wall Street Journal. Archived from the original on 2022-02-24. Retrieved 2022-04-30.
- ^ Whitfield Diffie, Paul C. Van Oorschot, and Michael J. Wiener "Authentication and Authenticated Key Exchanges", in Designs, Codes and Cryptography, 2, 107–125 (1992), Section 5.2, available as Appendix B to Method and apparatus for enhancing software security and distributing software: "If q has been chosen correctly, extracting logarithms modulo q requires a precomputation proportional to though after that individual logarithms can be calculated fairly quickly."
- ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF). Archived (PDF) from the original on 2020-02-27. Retrieved 2015-05-23. Originally published in Proc. 22nd Conf. on Computers and Communications Security (CCS). Republished, CACM, Jan. 2019, pp. 106–114, with Technical Perspective, "Attacking Cryptographic Key Exchange with Precomputation", by Dan Boneh, p. 105.
- ^ "CVE-2015-4000". Common Vulnerabilities and Exposures List. The MITRE Corporation. 2015-05-15. Archived from the original on 2015-08-11. Retrieved 2015-06-16.
"The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the 'Logjam' issue."
- ^ Ronen, Eyal; Shamir, Adi (October 2015). "Critical Review of Imperfect Forward Secrecy" (PDF). Archived (PDF) from the original on 2021-12-11. Retrieved 2022-04-30.
- ^ Microsoft Corporation. 2015-05-12. Archived from the original on 2015-07-03. Retrieved 2015-07-02.
This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed Logjam technique, [...] The security update addresses the vulnerability by increasing the minimum allowable DHE key length to 1024 bits.
- ^ Perry, Mike (2015-06-16). "Tor Browser 4.5.2 is released". The Tor Project. Archived from the original on 2015-06-20. Retrieved 2015-06-20.
- ^ "About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Apple Inc. 23 January 2017.
This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "About the security content of iOS 8.4". Apple Inc. 18 August 2020.
This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites". Mozilla. Archived from the original on 2015-07-07. Retrieved 2015-07-04.
FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack." This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes.
- ^ Zhi, Vivian (2015-09-01). "Stable Channel Updates". Chrome Releases. Archived from the original on 2015-10-16. Retrieved 2015-11-06.