Logjam (computer security)

Logjam is a security vulnerability against a Diffie–Hellman key exchange ranging from 512-bit (US export-grade) to 1024-bit keys.^[1] It was discovered by a group of computer scientists and publicly reported on May 20, 2015.^[2]^[3]^[4]

Diffie–Hellman key exchange depends for its security on the presumed difficulty of solving the discrete logarithm problem. The authors took advantage of the fact that the number field sieve algorithm, which is generally the most effective method for finding discrete logarithms, consists of four large computational steps, of which the first three depend only on the order of the group G, not on the specific number whose finite log is desired. If the results of the first three steps are precomputed and saved, they can be used to solve any discrete log problem for that prime group in relatively short time. It turns out that much Internet traffic only uses one of a handful of groups that are of order 1024-bits or less.

One vulnerability demonstrated by the authors was using a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to use 512 bit DH export-grade cryptography, allowing him to read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others. The authors needed several thousand CPU cores for a week to precompute data for a single 512-bit prime. Once that was done, however, individual logarithms could be solved in about a minute using two 18-core Intel Xeon CPUs.^[5] Its CVE ID is CVE-2015-4000.^[6]

The authors also estimated the feasibility of the attack against 1024 bit Diffie–Hellman primes. By design, many Diffie–Hellman implementations use the same pregenerated prime for their field. This was considered secure, since the discrete log problem is still considered hard for big-enough primes even if the group is known and reused. The researchers calculated the cost of creating logjam precomputation for one 1024-bit prime at hundreds of millions of USD, and noted that this was well within range of the FY2012 $10.5 billion U.S. Consolidated Cryptologic Program (which includes NSA). Because of the reuse of primes, generating precomputation for just one prime would break two-thirds of VPNs and a quarter of all SSH servers globally. The researchers noted that this attack fits claims in leaked NSA papers that NSA is able to break much current crypto. They recommend using primes of 2048 bits or more as a defense or switching to Elliptic curve Diffie–Hellman (ECDH).^[1]

Responses

On May 12, 2015, Microsoft released a patch for Internet Explorer.^[7]
On June 16, 2015, the Tor Project provided a patch for Logjam to the Tor Browser.^[8]
On June 30, 2015, Apple released a patch for both OS X Yosemite and iOS 8 operating system.^[9]^[10]
On June 30, 2015, the Mozilla project released a fix for the Firefox browser.^[11]
On September 1, 2015, Google released a fix for the Chrome browser.^[12]

References

↑ ^1.0 ^1.1 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
"The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the 'Logjam' issue."
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ https://blog.torproject.org/blog/tor-browser-452-released
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

External links

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

This Internet-related article is a stub. You can help Wikipedia by expanding it.

[paper-1] 1.0 ^1.1 Lua error in package.lua at line 80: module 'strict' not found.

[2] Lua error in package.lua at line 80: module 'strict' not found.

[3] Lua error in package.lua at line 80: module 'strict' not found.

[4] ttp://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565

[5] Lua error in package.lua at line 80: module 'strict' not found.

[CVE-2015-4000-6] Lua error in package.lua at line 80: module 'strict' not found.
"The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the 'Logjam' issue."

[7] Lua error in package.lua at line 80: module 'strict' not found.

[8] ttps://blog.torproject.org/blog/tor-browser-452-released

[9] Lua error in package.lua at line 80: module 'strict' not found.

[10] Lua error in package.lua at line 80: module 'strict' not found.

[11] Lua error in package.lua at line 80: module 'strict' not found.

[12] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

Logjam (computer security)

Contents

Responses

See also

References

External links

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools