On May 20, 2015, researchers from the University of Michigan announced a new vulnerability in the Diffie-Hellman key exchange, called LogJam.
The vulnerability resides in the basic design of TLS itself, exposing both clients and servers, including mail servers, to a MitM attack, in which a malicious attacker can downgrade SSL-based connections to 512-bit export-grade cryptography, thus bypassing the basic security mechanism and allowing the attacker to read and modify any exposed traffic.
According to the official publication in weakdh.org, “The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top one million domains were initially vulnerable.” Moreover, the flaw exploits a vulnerability in the Diffie-Hellman TLS key-exchange protocol, rather than the RSA key exchange exploited by the FREAK vulnerability.
When a client requests a DHE_EXPORT cipher-suite instead of DHE, the server (if it supports DHE_EXPORT) will pick a small, breakable 512-bit parameter for the secret exchange.
According to a CloudFlare publication, this is the protocol flaw at the heart of LogJam “downgrade attack”:
- A MitM attacker intercepts a client connection and replaces all the accepted cipher-suites with only the DHE_EXPORT ones.
- The server picks weak 512-bits parameters, does its half of the computation, and signs the parameters with the certificate’s private key. Neither the Client Hello, the client cipher-suites, nor the chosen cipher-suite are signed by the server.
- The client is led to believe that the server picked a DHE Key Exchange and just willingly opted for small parameters. From its point of view, it has have no way to know that the server was tricked by the MitM into doing so.
- The attacker would then break one of the two weak DH shares, recover the connection key, and proceed with the TLS connection with the client.
Moreover, the researchers have speculated that the LogJam vulnerability provides an explanation for how the NSA cracked VPN connections, saying “a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”
Further to the publication of the LogJam vulnerability, SenseCy monitored its popularity among known hacker groups and cyber hacktivist. A general interest was noted, with some questions on the vulnerability.
So how should you approach this vulnerability?
The researchers provided some simple answers to this question:
If you run a server:
If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. Step-by-step instructions can be found here.
If you use a browser:
Make sure you have the most recent version of your browser installed, and check for updates frequently (including smartphones).
If you are a system administrator or developer:
Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.
You can check if your browser is vulnerable here.
You can download the complete research document from here.