'Logjam' crypto bug could be how the NSA cracked VPNs

A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman cryptography. In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be …

  1. Lee D Silver badge

    Ouch.

    This is getting silly now.

    Why are we finding so many bugs related to limits on the level of encryption / rounds etc. used harking back to an export restriction for one country that ended nearly two decades ago?

    This is highly suggestive that NOBODY is paying attention to TLS security in any sensible way whatsoever.

    1. James 47

      Because crypto is hard, and any research that uncovers flaws in a protocol or cipher is likely to be pounced upon by the government and the researcher silenced. Or they'll sell it to the highest bidder.

    2. Daniel B.

      Because...

      People are setting up their crypto with the default options, which include the EXPORT crap from decades ago. Which is why everyone is asking why they're still enabled by default. Interestingly, some SSL/TLS products have a "FIPS Compliant" switch; if you enable it, EXPORT ciphers are disabled to comply with FIPS, so that's an option as well.

  2. Anonymous Coward
    Anonymous Coward

    What is unbelievable..

    .. is that they are STILL pushing for weakened crypto, even in the light of just how long term the damage is that it causes.

    1. JimmyPage Silver badge
      Big Brother

      Re: What is unbelievable..

      Actually it makes good sense.

      By pushing for weaker crypto, the alphabet agencies are suggesting that current crypto is beyond them. Whereas I suspect, it isn't. Just they'd rather we didn't know.

    2. Koconnor100

      Re: What is unbelievable..

      They're still pushing for weakened security because they believe they are in the right, they are justified, they are the white knight protecting us, and they have absolutely no intention of stopping.

      We must write our own encryption. They will continue to sabotage their own, this much has been made obvious in the post-Snowden era. Our own encryption, our own hardware... anything they could get their hands on they tainted, we cannot trust anything made in the USA.

      They even added extra hardware to their own routers (Cisco) before shipping them out of country. If you ain't a US citizen... forget about it! Buy local. Make local.

      Good thing those Raspberry computers are only 25$ a pop. I see a lot of use for them coming up.

      1. Charles 9

        Re: What is unbelievable..

        But as others have noted, proper crypto is HARD, as in too many things can go wrong. And it need not be obvious like a double-XOR or double-Caesar. Just look at the stories of programs that use homebrew schemes that turn out to have more holes than a wheel of Emmentaler. Meanwhile, even the most-vetted systems out there aren't without a few chinks in their armor. I guess you can say good crypto is like an inverted pendulum: inherently easy to break unless you can get everything exactly right. The government has a boatload of experts to draw on. Who do WE have to make sure we don't screw up?

      2. cray74

        Re: What is unbelievable..

        "They're still pushing for weakened security because they believe they are in the right, they are justified, they are the white knight protecting us, and they have absolutely no intention of stopping."

        Regardless of motivation, it's also a low-cost option with high payout for a big gubmint agency to pursue legal / regulatory courses of defeating encryption.

        1) They have legal staff that will either bill equally for sitting around checking Facebook or for trying to convince the relevant legislature to change the law.

        2) There's little social cost to individuals - managers or lawyers - in a large agency for pushing an unpopular law. People generally rage at acronyms, not the people behind them. (You read, "The NSA is such a meanie!" not "Sub-Director 3rd Grade Bob Jones' initiative to hinder superior encryption offends me.")

        3) Lawyers are a fiscally sound option: a small army of them is still cheaper than a new code-cracking supercomputer.

      3. John Smith 19 Gold badge
        Unhappy

        "We must write our own encryption. "

        Very bad idea

        I think as many holes have been created in crypto by bad implementation as by bad standards.

        What's needed is source code that's actually being read by implementors rather than just running it through their local compiler.

        AFAIK only the US had this "export grade" BS.

        1. This post has been deleted by its author

    3. tom dial Silver badge

      Re: What is unbelievable..

      If "FIPS Compliant" means what it appears (and ought) the US government (a) certainly is not pushing weak encryption and (b) forbids its use by any federal agency. Any statement to the contrary requires strong evidence.

      One wonders, though, how many federal agencies (e.g., OPM, Department of State, White House) actually are FIPS compliant with respect to any of the FIPS publications. It is not terribly difficult technically, but quite a chore given that in most agencies IT is not part of the primary mission and accordingly tends to be squeezed for staffing and budget and outsourced to low bidding contractors.

  3. Frank Bitterlich

    "Export" grade...

    See... and you thought prohibiting the export of <del>working</del> strong encryption in the 1990s would never pay off...

  4. nematoad
    Joke

    Whoa!

    "...and generate a new and unique 2048-bit Diffie-Hellman group."

    Steady on. This could be construed as encouraging terrorist activities. Just like the spooks have warned us. After all, they only have our best interests at heart.

    Joke alert icon used as there isn't a sarcasm one.

  5. Anonymous Coward
    Anonymous Coward

    Why?

    Why is TLS so fucking complicated? Why is, out of the box, a webserver not configured with the most secure configuration possible that doesn't allow all this downgrading bollocks? Why don't Google, Microsoft, Mozilla, Apple, Apache and nginx get together, decree that ONE SINGLE SECURE ENCRYPTION ALGORITHM is going to be used, and ditch the rest of this steaming NSA-trojaned horseshit? Screw centralised certification authorities, that's a pile of pants too. For fuck's sake, get DNSSEC working... how many decades is it going to take?

    1. TRT Silver badge

      Re: Why?

      Because a flaw in one single strong secure encryption algorithm could expose 90% of the internet to eavesdropping? Eggs, baskets etc.

      1. choleric

        Re: Why?

        @TRT is spot on. Every time someone tries to "do it properly this time, not like those idiots before" then there are problems discovered later. Maybe it's an implementation problem, maybe it's a cipher vulnerability. But what happens every time is that the person who "does it properly this time" turns out to be just as much an "idiot" as the rest.

        And that's a problem because back in the day SSLv2 was absolutely cutting edge and to be taken seriously every product had to have it, and quick. But now it's a liability, but if your product has it hardcoded in then you can't do much about it except write it off.

        Also, encryption obsolescence is generally a gradual thing. RC4 was known to be getting gradually more and more vulnerable for years before the recently released RFC officially banned it. At what point should you have chosen to say "no RC4"?

        What is needed is a way to upgrade the encryption mechanisms in products without obsoleting everything else. But that's easier said than done when certain vulnerabilities depend on the way in which data is handled or prepared before encryption.

        There is no single good or perfect method, only a continual process of attack - improvement - attack - improvement - attack.

        1. TRT Silver badge

          Re: Why?

          Like encrypted satellite TV cards which have a small amount of circuitry within the card?

        2. Charles 9

          Re: Why?

          "What is needed is a way to upgrade the encryption mechanisms in products without obsoleting everything else. But that's easier said than done when certain vulnerabilities depend on the way in which data is handled or prepared before encryption."

          Plus consider computational limitations. Computing power may be approaching a plateau point but not 10 years ago a 1 or 2GHz Intel CPU was pretty novel. You really can't future-proof a device for more than the short term because the pace of technology means eventually a leap will come along that makes everything before it obsolete...rapidly if not instantly.

          Trying to make an embedded secure device is essentially a siege or last stand. You can only configure it once against all threats present and future, fixed and flexible. Given enough time, the outcome is universal.

          1. razorfishsl

            Re: Why?

            The plane.... The Plane........

    2. Michael Wojcik Silver badge

      Re: Why?

      "the most secure configuration possible that doesn't allow all this downgrading bollocks"

      That breaks interoperability with old clients. Some site owners are willing to accept that restriction of their market, but many are not.

      Similarly, if hosting providers and the like go with a "more secure" configuration by default, they have to field more support issues when site owners complain that users are complaining that they can't connect (or "get weird warning messages", or whatever). And support is expensive, whereas leaving your customers vulnerable to security attacks that they don't understand is largely an externality that doesn't cost the providers anything.

    3. Thrud61
      Flame

      Re: Why?

      I really wish everyone would update to more secure systems, twice in recent months I have had to revert a security measure made to the product, in the first instance allow weaker ciphers because of all of the old systems that only support LOW and MEDIUM level ciphers and in the second we had to re-enable support for SSLv23 because in both cases our customers complained that none of their customers could now send them email. It is bad enough that these systems are restricting the levels of security that others can employ but it also reflected badly on us when customers raised concerns that our product didn't support this or that standard email system, and some subsequently ran Pen tests and pointed out the vulnerabilities that they had re-enabled on our product to support their customers.

      It's all a huge pain in the ass.

      1. TRT Silver badge

        Re: Why?

        Something about penetration testing being a huge pain in the arse...

  6. Anonymous Coward
    Anonymous Coward

    Downgrade Blues

    The NSA loves the downgrade path. If an encryption standard can't use its maximum protocol, it goes to the next lower one, and the next lower one ... often all the way down to no encryption at all.

    NSA approved = worthless. People, heck countries, need to start writing encryption that gives you the middle finger if you don't have the correct level of security, not weaken all communications security and not bother telling the user you're running on half encryption, maybe a quarter encryption, heck maybe it automatically turned the encryption all the way off.

    This is why no one wants USA equipment or software anymore.

    1. Anonymous Coward
      Anonymous Coward

      Re: Downgrade Blues

      "NSA approved = worthless. People, heck countries, need to start writing encryption that gives you the middle finger if you don't have the correct level of security, not weaken all communications security and not bother telling the user you're running on half encryption, maybe a quarter encryption, heck maybe it automatically turned the encryption all the way off."

      And what about all the complaints they'll get of "My Internet doesn't work!". If you tell them to bugger off, they'll respond, "Bugger you back! I'm going somewhere where they treat me right!" Many of them aren't willing (or aren't able) to get with the times. So if your business is dependent on recalcitrant customers that leave you vulnerable, you're caught between Scylla and Charybdis and stand to lose the lot either way.

  7. naive

    Is the bug about VPNs, SSL websites or both?

    The article starts with compromised VPN implementations, but it also seems to apply to SSL based encryption in general. Further I can not remember that my browser ever asked something about Diffie-Hellman key lengths.

    It seems something hard to fix by the average John Doe, but well, it seems security does not exist anymore since Snowden started publishing things. There is always another bug, on another level in another component we need to send our keystrokes from A to B. Why bother anyway with it?

    1. Michael Wojcik Silver badge

      Re: Is the bug about VPNs, SSL websites or both?

      It applies to SSL/TLS in general.

      There are actually two related issues. One is an attack against the protocol (SSL or TLS) that allows downgrading a strong EDH suite to a weak "export" suite, if the latter is supported by the server. That's what the team is calling "Logjam".

      The fix for that is to not support the export-grade EDH suite.

      The second issue they're warning about is the fact that nearly everyone uses the same small set of DH primes (because generating new ones is relatively expensive and was believed to be unnecessary). They point out that much of the setup work for NFS factoring can be done when you know the prime, so an attacker with considerable resources can do the preliminary setup for the well-known primes and make it feasible to attack individual sessions.

      The fix for that is to generate your own prime, or set of primes of various sizes you want to support. (You do this once, and use those primes for all future sessions. It won't be necessary to generate new ones unless your threat model includes ongoing, active attacks targeting you specifically by state-level attackers. And at that point they're probably just going to suborn or compel someone in your organization anyway.)
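The two checks from the comment above (no export-grade DH, and a prime that is your own rather than a widely shared one), sketched as an added Python example that is not part of any comment in this thread. The function names are hypothetical, the sample moduli are constructed numbers of the right size rather than vetted primes, and the set of shared-prime fingerprints is assumed to be supplied by the caller. The 512-bit and 2048-bit thresholds are the ones quoted from the article.

```python
import base64
import hashlib

PEM_HEAD = "-----BEGIN DH PARAMETERS-----"
PEM_TAIL = "-----END DH PARAMETERS-----"

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM block."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    values, pos = [], 0
    for _ in range(2):  # prime p first, then generator g
        tag, raw, pos = _read_tlv(seq, pos)
        if tag != 0x02 or not raw or raw[0] & 0x80:
            raise ValueError("expected non-negative INTEGER")
        values.append(int.from_bytes(raw, "big"))
    return values[0], values[1]

def prime_fingerprint(p):
    """SHA-256 over the big-endian modulus, for comparing against known groups."""
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()

def audit_dh_params(pem, shared_fingerprints=frozenset()):
    """Flag export-grade or undersized groups and primes found in a shared list."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    findings = []
    if bits <= 512:
        findings.append("export-grade")
    elif bits < 2048:
        findings.append("below-2048")
    if prime_fingerprint(p) in shared_fingerprints:
        findings.append("shared-prime")
    return {"bits": bits, "generator": g, "findings": findings}

# --- Constructed sample input (sizes only; these moduli are NOT vetted primes) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

def make_sample_pem(p, g=2):
    ints = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
                    for v in (p, g))
    b64 = base64.b64encode(_der(0x30, ints)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"

SAMPLE_512 = make_sample_pem((1 << 511) | 1)
SAMPLE_1024 = make_sample_pem((1 << 1023) | 1)
SAMPLE_2048 = make_sample_pem((1 << 2047) | 1)

if __name__ == "__main__":
    for name, pem in (("512", SAMPLE_512), ("1024", SAMPLE_1024), ("2048", SAMPLE_2048)):
        print(name, audit_dh_params(pem))
```

To audit a real server, pass the contents of its DH parameter file to `audit_dh_params` together with fingerprints of the groups you consider widely shared.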

  8. Sebby

    Postfix Paranoia

    The Postfix docs only suggest generating your own DH parameters as a purely optional step, to provide protection against precomputation attacks.

    Good thing I went for it. I'm already set. :)

    If you need TLS server configuration advice, then there's this book. No, no affiliation, just a happy customer. It really is comprehensive. He's also got some freebies for you, if you just need the recipes.

    1. Anonymous Coward
      Big Brother

      Re: Postfix Paranoia

      Now the NSA is going to monitor anyone who buys that book :)

  9. choleric
    Thumb Up

    And you can set your DH parameters to regenerate every set period of time too, which makes you a moving target, not just a tough target.

    1. Michael Wojcik Silver badge

      Regeneration is really unnecessary under pretty much all reasonable threat models. If there's a threat you need to defend against by periodically creating new DH primes, you have bigger problems.

      But, hey, go for it if it makes you happy. I'm just saying it's probably cargo-cult security.

  10. Michael Wojcik Silver badge

    Terrible disclosure practice

    Unfortunately, and surprisingly, the team did a terrible job disclosing this one.

    There was no embargoed pre-announcement - they just published with no forewarning to affected vendors. There's still no CVE. They've announced two issues, but only given the first one a name, so expect tons of confusion. They've riled up the tech media and it's just a matter of time before the mainstream media pick it up and garble the story further.

    Wildly irresponsible. And these are people who know better - INRIA, Microsoft Research, U Michigan, Matt freakin' Green.

    Very disappointing.

    1. Richard 26

      Re: Terrible disclosure practice

      "they just published with no forewarning to affected vendors. There's still no CVE."

      Say what? There is a disclosure section in the paper and Microsoft already has an initial patch out: MS15-055 for which the CVE number is CVE-2015-1716.

  11. Anonymous Coward
    Anonymous Coward

    Or they could...

    ...ignore the hype and just get on with life unless they have something actually worthy of encryption.

    1. Anonymous Coward
      Anonymous Coward

      Re: Or they could...

      The simple answer is that encrypting links by default helps to defeat all sorts of nefarious activity.

      We're where we are because the early internet was never designed to be secure and it's taken a long time to realise how much risk this has opened everyone up to.

  12. thrman

    I'm quoting this from an article I recently came across. "Russia institutionalized cyber warfare because they know the economic benefits. It was Russia that knew about Monica Lewinsky by tapping Bill Clinton's phone. As a result, Bill Clinton endorsed a payment of $4.6 billion to Russia from the International Monetary Fund. Putin, by his own admission, said, "If I had a mobile phone, it would never stop ringing. More than that, when my home phone rings, I don't even answer." Putin doesn't have a cell phone for Americans to attack. The only way that Putin can play this economic chess game so masterly is through tapping Obama's cell phone. It is easier to encrypt messages by targeting national leaders as they travel in the airspace due to stronger satellite signals. If Russia and China know about sensitive economic deals, then they can adapt counter-measures to benefit their own economies."

    To see the full article check out this link: http://seekingalpha.com/instablog/19748661-michael-ambrozewicz/4018646-google-at-1000-in-the-golden-age-of-information-in-the-nsa-world

    1. Crazy Operations Guy

      What a load of bullshit.

      First off, Putin wasn't in charge of Russia during the Monica Lewinsky Scandal, that would be Medvedev... Second, Putin does own a cell phone, there are plenty of pictures of him using one, plus numerous videos of him doing so as well. Third, there would be no way in hell that Bill would have been able to transfer any sort of money to Russia without so much scrutiny as to make it impossible, let alone an internationally controlled organization such as the IMF.

      1. Anonymous Coward
        Anonymous Coward

        Could've sworn it was Yeltsin who was in charge of Russia during the Clinton years. The Scandal was only a few years after the fall of the Soviet Union, after all, and Yeltsin was first to lead the splintered Russia.

      2. thrman

        Read the sentence; the author made no claim about Putin getting the 4.6 billion or who was in charge in Russia at that time. The second sentence stipulates Putin has no cell phone. Admiral James “Ace” Lyons (U.S. Navy, Ret.) -- a four-star admiral and former Commander in Chief of the U.S. Pacific Fleet, Senior U.S. Military Representative to the United Nations, and Deputy Chief of Naval Operations -- was speaking in the context of Hillary Clinton’s infamous e-mails when he made the following statement about Russia potentially blackmailing Bill Clinton over his affair with Monica Lewinsky:

        One more thing I want to cover. Hillary's e-mails. Hillary, the pathological liar. Now, you gotta understand, you heard all about cyber warfare and so forth. Every one of our enemies, Russia, China, Cuba, Iran, everybody. They've hacked in to that unsecured server. She's totally compromised. She's damaged goods. There's no way she can be allowed to get in that White House.

        I'll tell you one other thing. You know the Russians are the best in the world at this. They tapped in to Bill Clinton's phone lines and they knew about Monica long before you did. Now let me tell you the way they used it. Russia was in desperate financial shape. They needed 26 billion dollars out of the IMF. Larry Summers of our National Archives fame was our Treasury Secretary, dead set against it, everybody was set against it, until suddenly -- through Strobe Talbott -- who the Russians let Strobe know that they knew about Monica, Bill Clinton found it within himself to approve the transfer, and what got transferred was 4.6 billion dollars in hard cash that disappeared.

        1. thrman

          Putin, a "former spymaster himself". "During one of the rare instances when state TV showed him using what appeared to be a cell phone in 2013, it was not the type of smartphone that the NSA has proved so adept at tapping. It was a bricklike device, black and clunky, which Putin held to his ear while standing in a forest of birch." Whatever cell phone Putin uses, the line is always dead.

          1. thrman

            I bet you Brits don't know about this. But the beauty about original content is getting information that no one has. Canada possesses a unique position for Russia’s counter-intelligence. It provides Russian cryptologists with access to US corporate targets. Canada betrayed the member countries of the International Organization for Standardization by allowing the NSA to seize control of the crypto standards from Canada’s Communication Security Establishment (CSEC). By breaching this obligation, Canada allowed the NSA to spy and gather information on foreign companies and governments. This global standardization provides a false sense of security as most member nations fail to implement it. Russia’s ultimate goal is to have a mole working undetected for the NSA. Russia has the most efficient spy working for them: Vladimir Putin. Any time Putin has a cellular device, American satellites hone in on him. It is precisely at that time that Russian satellites gain the capability to track US satellites.

          2. Anonymous Coward
            Anonymous Coward

            A warm welcome to our newest member of the tinfoil brigade

            > Putin, a "former spymaster himself"

            The guy used to be just a rank and file spy.

            In the context of a spy agency, such as, let us say, the CIA, a "spymaster" would be its highest ranking person or Director, such as, let us say, George H.W. Bush.

            Yet funnily enough, I have never heard anyone in the West call Mr Bush "a former spymaster" despite him actually being one.

  13. Anonymous Coward
    Anonymous Coward

    Not that many primes

    This is something that always bothered me about this prime-factoring idea of cryptography - yes it's hard to factor primes, but out of the total keyspace, primes occupy a very very small space, so it would seem to me that the attacker would be able to just calculate large primes and store them in a database, then use the database as the search space when attacking the underlying math, which to my limited understanding is at least part of what has happened here.

    If millions of servers are sharing just a small set of these primes, then it seems to me it's a similar situation to having hardcoded keys, or using passwords that have been hacked elsewhere - the attacker's job is much much easier than what the theoretical probability would say.

    1. Charles 9

      Re: Not that many primes

      But according to mathematicians, there are a ton of numbers out there in the 1024-2048-bit range. Even if just a small percentage of them are primes, the end count is supposedly somewhere beyond the atom count of the known universe.

    2. Bill Gray

      Re: Not that many primes

      Not really a problem. We know roughly how many primes there would be to deal with :

      https://en.wikipedia.org/wiki/Prime_number_theorem

      For N=2^1024, only one number in ln(N) = 1420 (that's a natural base-e log) will be prime. Call it about N=2^1013 = 10^304 (roughly) primes. Store those on, say, ten-terabyte (10^16 byte) drives, with each prime consuming 1024/8 = 128 bytes, and you're looking at 10^(304-16)/10^2 = about 10^286 hard drives.

      If each hard drive weighs a kilogram (being optimistic here), we can use the fact that the sun masses about 2x10^30 kilograms to determine that we need 5x10^255 solar masses worth of hard drives. We'd have to turn a lot of observable universes worth of matter into hard drives to get this to work.

      On the other hand, we could rely on Moore's Law. If those hard drives double in capacity every 18 months, then in about 1400 years, you'll be able to fit all those primes on a single hard drive (or whatever equivalent storage medium our descendants are using at that point.) At that point, they'll have to move to 2048-bit primes, which will get them about another 1400 years.

      (Which is not to say prime-number cryptography should be assumed to be "ultimately secure". I think it has a better theoretical justification than anything else out there, unless you're counting one-time pads and similar exotica.)

      -- Bill

      1. Queasy Rider

        Re: Not that many primes

        Thank you for that calculation. I also thought, in my innocence, it would be simple to store all the known primes in an ordinary text file, albeit a very long one. They say ignorance is bliss, but I don't feel that way anymore. Thank you E. Snowden.

  14. gc1

    How many modern server programs even support export ciphers any more?

    In Apache, for example, there is no difference between configuring with SSLCipherSuite ALL and SSLCipherSuite ALL:!EXPORT, i.e. the EXPORT list appears to be empty, probably just there for historic reasons and not doing anything.
