HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Journal articles

Imperfect forward secrecy: How Diffie-Hellman fails in practice

Abstract : We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete logarithm algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logarithms in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, and that 8.4% of Alexa Top Million HTTPS sites are vulnerable to the attack. a In response, major browsers have changed to reject short groups. We go on to consider Diffie-Hellman with 768-and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Document type :
Journal articles
Complete list of metadata

Cited literature [26 references]  Display  Hide  Download

https://hal.inria.fr/hal-01982426
Contributor : Pierrick Gaudry Connect in order to contact the contributor
Submitted on : Tuesday, January 15, 2019 - 4:20:30 PM
Last modification on : Friday, February 4, 2022 - 3:13:49 AM
Long-term archiving on: : Tuesday, April 16, 2019 - 4:01:23 PM

File

p106-adrian.pdf
Files produced by the author(s)

Identifiers

Citation

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, et al.. Imperfect forward secrecy: How Diffie-Hellman fails in practice. Communications of the ACM, Association for Computing Machinery, 2018, 62 (1), pp.106-114. ⟨10.1145/3292035⟩. ⟨hal-01982426⟩

Share

Metrics

Record views

282

Files downloads

229