legal contact
 

Logjam

 

The Logjam research paper discusses the following issues related to weak DH keys:

  1. The use of DHE_EXPORT cipher suites in the TLS protocol, or DHE keys with export-grade cipher strength: these keys are 512 bits in size and given enough computing power and time, they can be broken. This is especially a problem with perfect-forward secrecy because an attacker could record traffic and later decrypt it.

  2. The use of pre-computed primes that are provided with certain widely-used packages, such as certain versions of Apache httpdand sshd: this weakness allows an attacker to pre-compute such primes once, and use them to decrypt any traffic that uses those primes to establish a TLS connection.

  3. A flaw in the TLS protocol, which can lead to a downgrade from DHE to DHE_EXPORT: this issue has been assigned CVE-2015-4000.

Impact

The following attack scenarios are possible using the issues noted above:

  1. Offline decryption of weak DHE connections
    This attack requires that the server defaults to using a Diffie-Hellman key exchange with 512-bit parameters. This allows a passive network adversary who is able to record the communication between a client and a server to then decrypt this communication.

  2. DHE_EXPORT downgrade and offline decryption of the TLS False Start extension
    This attack requires that a server supports DHE_EXPORT cipher suites or uses 512-bit parameters in non-export DHE ciphers. The client must be using the TLS False Start extension. Under these circumstances, an attacker could record the communication between a client and a server and then decrypt that communication.

  3. DHE_EXPORT downgrade and man-in-the-middle server impersonation
    This is a similar attack to the previous attack, but does not require the TLS False Start extension to be enabled. Instead, the attacker has to rely on the client to wait a significant amount of time for the handshake to complete. This is because the attacker must compute the connection key during the handshake process, computing of which takes several minutes.

Resolution

SSL/TLS Servers

In the MITM attack, the attacker tries to connect to the server using DHE_EXPORT cipher suites on behalf of the client. This is achieved by a flaw in the TLS protocol in the way DHE and DHE_EXPORT cipher suites are composed. Using this protocol flaw, an active MITM attack can be conducted provided the server supports DHE_EXPORT cipher suites.

This issue does not affect the current versions of openssl packages as shipped with Red Hat Enterprise Linux 6 and 7 as they do not include DHE_EXPORT cipher suites or any other export-grade cipher suite in its DEFAULT cipher list. (Applications that use the DEFAULT cipher preference will not use export-grade cipher suites. However, application-specific configuration may re-enable the use of export ciphers.) Please note this is only the case when openssl is used by a network server. For information on client issues please see below.

The openssl packages in Red Hat Enterprise Linux 7 excluded export-grade cipher suites from the DEFAULT when used as a server since their initial release. In Red Hat Enterprise Linux 6, the change was made via the RHBA-2014:1525 advisory released as part of Red Hat Enterprise Linux 6.6.

Red Hat Enterprise Linux 5 does support the export-grade cipher suite in its default cipher list. Red Hat does not plan to change the default cipher list in Red Hat Enterprise Linux 5 because this CVE is rated as Moderate Impact. For more information on which Security Advisories are addressed in Production Phase 3, please visit the Red Hat Enterprise Linux Life Cycle page.

SSL/TLS Clients

Since clients do not control the cipher suites controlled by the SSL/TLS server, the only defense is to reject small primes in the DHE handshake. Requiring larger primes can prevent the above mentioned downgrade attacks.

OpenSSL upstream addresses the remaining two issues, by increasing the minimum size of DH parameters which a client can accept to 768 bits. This way even if a MITM attacker downgrades the connection, the client will reject if less than 768 bits are used, which is deemed to be easily breakable.