Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

@article{Adrian2015ImperfectFS,
  title={Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice},
  author={David Adrian and Karthikeyan Bhargavan and Zakir Durumeric and Pierrick Gaudry and Matthew Green and J. Alex Halderman and Nadia Heninger and Drew Springall and Emmanuel Thom{\'e} and Luke Valenta and Benjamin VanderSloot and Eric Wustrow and Santiago Zanella-B{\'e}guelin and Paul Zimmermann},
  journal={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
  year={2015},
  url={https://api.semanticscholar.org/CorpusID:347988}
}
Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman, is presented, and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved a break.

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

It is discovered that discrete logarithm implementations have poor parameter validation, and a deniable backdoor is mathematically constructed to exploit this flaw in the finite field Diffie-Hellman key exchange.

Measuring small subgroup attacks against Diffie-Hellman

It is observed that many Diffie-Hellman implementations do not properly validate key exchange inputs, which can radically decrease security, and over 20 open-source cryptographic libraries and applications are examined.

Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

The potential for TLS backdoors is systematic and will persist until either better parameter hygiene is taken up by the community or finite field based cryptography is eliminated altogether.

Breakdown Resilience of Key Exchange Protocols and the Cases of NewHope and TLS 1.3

This work introduces an extension to the common Bellare–Rogaway model that can provide security guarantees in what is called the breakdown scenario, and describes the resulting security notion, breakdown resilience, which allows security claims to be made even in case of unexpected failure of primitives in the protocol.

Indiscreet Logs: Diffie-Hellman Backdoors in TLS

This paper investigates groups for which the order is unknown and not easily determined, and explores the scenario in which the modulus is trapdoored to make computing discrete logarithms efficient for an entity with knowledge of the trapdoor, while simultaneously leaving its very existence as a matter of speculation to everyone else.

How to Backdoor Diffie-Hellman

Two ways of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor are presented: a composite modulus with a hidden subgroup (CMHS) and a composite modulus with a smooth order (CMSO), both of which the authors were able to subtly implement and exploit in a local copy of an open source library using the TLS protocol.

Intermundium-DL: Assessing the Resilience of Current Schemes to Discrete-Log-Computation Attacks on Public Parameters

This work considers adversaries able to perform a nonzero but small number of discrete logarithm computations, as would be expected with near-term quantum computers, and finds that classical schemes with public parameters consisting of a few group elements are now at risk.

Diffie Hellman Stand the Test of Time (Protocol’s Limitations, Applications and Functional Divergence)

The major intent of this research is to examine both empirical and theoretical vulnerabilities of the DHKE protocol, to determine the true rationales behind different variations of the DHKE protocol.

Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)

This work shows that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary, and describes a fully feasible remote attack against an otherwise-secure TLS configuration: OpenSSL with a 1032-bit DH modulus.

RSA, DH, and DSA in the Wild

This chapter outlines techniques for breaking cryptography by taking advantage of implementation mistakes made in practice, with a focus on those that exploit the mathematical structure of the most widely used public-key primitives.
...

A cross-protocol attack on the TLS protocol

The attack enables an adversary to successfully impersonate a server to a random client after obtaining 2^40 signed elliptic curve keys from the original server, and a fix is proposed that renders the protocol immune to this family of cross-protocol attacks.

On Diffie-Hellman Key Agreement with Short Exponents

A new divide-and-conquer algorithm for discrete logarithms is presented, combining Pollard's lambda method with a partial Pohlig-Hellman decomposition, which allows recovery of short exponents in many cases, while the new technique dramatically extends the range.

Diffie-Hellman is as Strong as Discrete Log for Certain Primes

It is proven that both the discrete log problem and the Diffie-Hellman key exchange scheme are (probabilistically) polynomial-time equivalent if the totient of P-1 has only small prime factors with respect to a (fixed) polynomial in 2 log P.

One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography

This work shows the less obvious fact that even if users have the best of intentions to use only the most up-to-date, vulnerability-free version of a system, the mere existence of support for old versions can have a catastrophic effect on security.

Harvesting verifiable challenges from oblivious online sources

This paper describes a framework for deriving "harvested challenges" by mixing data from various pre-existing online sources, and provides a policy language that allows application developers to specify combinations of sources that meet their security needs.

A Messy State of the Union: Taming the Composite State Machines of TLS

This work systematically tests popular open-source TLS implementations for state machine bugs and discovers several critical security vulnerabilities that have lain hidden in these libraries for years and have now finally been patched due to the disclosures.

An Experimental Study of TLS Forward Secrecy Deployments

The authors compared the server throughput of various TLS setups and measured real-world client-side latencies using an advertisement network, indicating that using forward secrecy is no harder than no forward secrecy, and can even be faster when using elliptic curve cryptography (ECC).

Diffie-Hellman Oracles

Several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G are derived which extend former results by den Boer and Maurer.

Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms

It is proved that breaking the Diffie-Hellman protocol for G and base g is equivalent to computing discrete logarithms in G to the base g when a certain side information string S is given.

Security Analysis of IKE's Signature-Based Key-Exchange Protocol

A security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard is presented, based on an adaptation of the key-exchange model to the setting where peers' identities are not necessarily known or disclosed from the start of the protocol.
...