Wednesday, 20 May 2015

Logjam attack - Diffie-Hellman key exchange weakness (a quick and brief explanation)

A study was published regarding the security of the Diffie-Hellman key exchange. This popular cryptographic algorithm is found in many protocols, such as HTTPS, SSH, IPsec and SMTPS, where it is used to agree on a shared key and establish a secure connection.

The weaknesses uncovered affect websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers. The exploitation of this vulnerability was given the name Logjam attack [1], and its impact depends on how the Diffie-Hellman key exchange has been deployed in each case.

The Logjam attack against TLS is performed by downgrading vulnerable TLS connections to 512-bit export-grade cryptography, allowing a man-in-the-middle (MITM) attacker to read and modify any data passed over the connection. At the moment, this attack affects all modern web browsers.

The published study demonstrates that the Logjam attack can downgrade 80% of TLS DHE_EXPORT servers when run against the most common 512-bit prime in use. Beyond that, breaking the single most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to up to 18% of the Top 1 Million HTTPS domains. Breaking the second most common prime as well may allow passive decryption of connections to up to 66% of VPN servers and 26% of SSH servers.

To give a rough idea of the extent of this vulnerability, consider the following numbers:
  Protocol                                 Vulnerable to Logjam
  HTTPS – Top 1 million domains ..................... 8.4%
  HTTPS – Browser-trusted sites ..................... 3.4%
  SMTP+StartTLS – IPv4 address space ................ 14.8%
  POP3S – IPv4 address space ........................ 8.9%
  IMAPS – IPv4 address space ........................ 8.4%

What should you do?
For every web or mail server you run, consider disabling support for export cipher suites and generating a unique 2048-bit Diffie-Hellman group. Where SSH is used, both server and client installations need to be upgraded to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.

Currently, all browsers are affected by this vulnerability. However, all browser vendors have scheduled releases that will address this issue. Check for browser updates frequently and consider this another opportunity to stop supporting old browser versions.

System administrators and developers should verify that all TLS libraries in use are up to date and do not accept Diffie-Hellman groups smaller than 1024 bits.
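As an added illustration of that 1024-bit floor (this is example code written for this post, not part of the original study or any TLS library), the snippet below parses the Diffie-Hellman parameters from a TLS ServerKeyExchange body, reports the size of the prime the server chose, and flags DHE_EXPORT suites and sub-1024-bit groups. The sample message is constructed locally with a placeholder 512-bit modulus, so nothing is sent over the network.

```python
"""Parse the DH parameters from a TLS ServerKeyExchange body and flag
groups below the 1024-bit floor recommended in this post.

ServerKeyExchange (DHE) layout, RFC 5246 section 7.4.3:
    uint16 len(p) | p | uint16 len(g) | g | uint16 len(Ys) | Ys | signature...
"""
import struct

# Cipher suites that negotiate 512-bit export-grade DHE (RFC 2246 values).
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_DH_BITS = 1024  # floor recommended in the post

def _read_vector(buf, offset):
    """Read a uint16-length-prefixed opaque vector; return (bytes, new offset)."""
    (length,) = struct.unpack_from("!H", buf, offset)
    start = offset + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated ServerKeyExchange")
    return buf[start:end], end

def dh_group_bits(server_key_exchange):
    """Return the bit length of the DH prime p carried in the message."""
    p_bytes, off = _read_vector(server_key_exchange, 0)
    _g_bytes, off = _read_vector(server_key_exchange, off)
    _ys_bytes, _ = _read_vector(server_key_exchange, off)
    return int.from_bytes(p_bytes, "big").bit_length()

def assess(cipher_suite, server_key_exchange):
    """Classify a DHE handshake as ('export'|'weak'|'ok', prime bits)."""
    bits = dh_group_bits(server_key_exchange)
    if cipher_suite in DHE_EXPORT_SUITES:
        return "export", bits
    if bits < MIN_DH_BITS:
        return "weak", bits
    return "ok", bits

def encode_params(p, g, ys):
    """Build the DH parameter block (constructed, for local testing only)."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample: a 512-bit modulus as an export-grade server would send.
# The value is a placeholder of the right size, not a real prime.
EXPORT_SKE = encode_params((1 << 511) | 1, 2, 3)
```

Feeding the same parser a 2048-bit group returns "ok", which is the state a server should be in after regenerating its DH parameters as described above.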

If you would like to do a quick test to see whether you have deployed Diffie-Hellman for TLS correctly, you may use the following form by entering your domain name. (Find out more at:

If you would like to read more about Logjam, you may visit:
