Logjam (computer security): Difference between revisions
m Reverted edits by 23.30.249.129 (talk) to last version by Leotohill |
1024 update |
||
Line 1: | Line 1: | ||
'''Logjam''' is a [[Vulnerability (computing)|security vulnerability]] against a [[Diffie–Hellman key exchange]] ranging from 512-bit ([[export of cryptography from the United States|US export-grade]]) to 1024-bit keys.<ref>{{cite web |url=https://weakdh.org |title=The Logjam Attack |website=weakdh.org |date=2015-05-20}}</ref> It was discovered by a group of computer scientists and publicly reported on May 20, 2015.<ref>{{cite web |url=http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/ |title=HTTPS-crippling attack threatens tens of thousands of Web and mail servers |author=Dan Goodin |publisher=[[Ars Technica]] |date=2015-05-20}}</ref><ref>{{cite web |url=http://www.zdnet.com/article/logjam-security-flaw-leaves-tens-of-thousands-of-https-websites-vulnerable/ |title=Logjam security flaw leaves top HTTPS websites, mail servers vulnerable|author=Charlie Osborne |publisher=[[ZDNet]] |date=2015-05-20}}</ref><ref>http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565</ref> |
'''Logjam''' is a [[Vulnerability (computing)|security vulnerability]] against a [[Diffie–Hellman key exchange]] ranging from 512-bit ([[export of cryptography from the United States|US export-grade]]) to 1024-bit keys.<ref name="paper">{{cite web |url=https://weakdh.org |title=The Logjam Attack |website=weakdh.org |date=2015-05-20}}</ref> It was discovered by a group of computer scientists and publicly reported on May 20, 2015.<ref>{{cite web |url=http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/ |title=HTTPS-crippling attack threatens tens of thousands of Web and mail servers |author=Dan Goodin |publisher=[[Ars Technica]] |date=2015-05-20}}</ref><ref>{{cite web |url=http://www.zdnet.com/article/logjam-security-flaw-leaves-tens-of-thousands-of-https-websites-vulnerable/ |title=Logjam security flaw leaves top HTTPS websites, mail servers vulnerable|author=Charlie Osborne |publisher=[[ZDNet]] |date=2015-05-20}}</ref><ref>http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565</ref> |
||
The version of the vulnerability reported in May 2015 used a man-in-the-middle network attacker to downgrade a [[Transport Layer Security]] (TLS) connection to use 512 bit DH export-grade cryptography, allowing him to read the exchanged data and inject data into the connection. It affects the [[HTTPS]], [[SMTPS]], and [[IMAPS]] protocols, among others.<ref>{{cite web |last1=Adrian |first1=David |last2=Bhargavan |first2=Karthikeyan |last3=Durumeric |first3=Zakir |last4=Gaudry |first4=Pierrick |last5=Green |first5=Matthew |last6=Halderman |first6=J. Alex |last7=Heninger |first7=Nadia |last8=Springall |first8=Drew |last9=Thomé |first9=Emmanuel |last10=Valenta |first10=Luke |last11=VanderSloot |first11=Benjamin |last12=Wustrow |first12=Eric |last13=Zanella-Béguelin |first13=Santiago |last14=Zimmermann |first14=Paul |title=Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice |url=https://weakdh.org/imperfect-forward-secrecy.pdf |date=May 2015}}</ref> Its CVE ID is CVE-2015-4000.<ref>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000</ref> |
|||
In October 2015, researched published another paper, estimating the feasibility of the attack against 1024 bit Diffie-Hellman primes. By design, many Diffie-Hellman implementations use the same pregenerated prime for their field. This was considered secure, since the [[discrete log problem]] is still consider hard even if the field is known and reused. The researchers calculated the cost of creating logjam precomputation for one 1024-bit prime at hundreds of millions of USD, and noted that this was well within range of the FY2012 $10.5 billion U.S. Consolidated Cryptologic Program (which includes NSA). Because of the reuse of primes, generating precomputation for just one prime would break two-thirds of VPNs and a quarter of all SSH servers globally. The researchers noted that this attack fits claims in leaked NSA papers that NSA is able to break much current crypto.<ref name="paper" /> |
|||
== Responses == |
== Responses == |
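Review bot: the added October 2015 paragraph is sourced only through <ref name="paper" />, which resolves to the weakdh.org entry dated 2015-05-20, so the citation date does not match the paper the text describes. Give the October paper its own reference and attach it to the cost estimate and to the "two-thirds of VPNs and a quarter of all SSH servers" figures. The same paragraph also needs two wording fixes: "researched published" should read "researchers published", and "is still consider hard" should read "is still considered hard".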
Revision as of 18:59, 15 October 2015
Logjam is a security vulnerability against a Diffie–Hellman key exchange ranging from 512-bit (US export-grade) to 1024-bit keys.[1] It was discovered by a group of computer scientists and publicly reported on May 20, 2015.[2][3][4]
The version of the vulnerability reported in May 2015 used a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to use 512-bit DH export-grade cryptography, allowing the attacker to read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others.[5] Its CVE ID is CVE-2015-4000.[6]
In October 2015, researchers published another paper, estimating the feasibility of the attack against 1024-bit Diffie–Hellman primes. By design, many Diffie–Hellman implementations use the same pregenerated prime for their field. This was considered secure, since the discrete log problem is still considered hard even if the field is known and reused. The researchers calculated the cost of creating Logjam precomputation for one 1024-bit prime at hundreds of millions of USD, and noted that this was well within range of the FY2012 $10.5 billion U.S. Consolidated Cryptologic Program (which includes NSA). Because of the reuse of primes, generating precomputation for just one prime would break two-thirds of VPNs and a quarter of all SSH servers globally. The researchers noted that this attack fits claims in leaked NSA papers that NSA is able to break much current crypto.[1]
Responses
- On May 12, 2015, Microsoft released a patch for Internet Explorer.[7]
- On June 16, 2015, the Tor Project provided a patch for Logjam to the Tor Browser.[8]
- On June 30, 2015, Apple released a patch for both the OS X Yosemite and iOS 8 operating systems.[9][10]
- On June 30, 2015, the Mozilla project released a fix for the Firefox browser.[11]
- On September 1, 2015, Google released a fix for the Chrome browser.[12]
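The fixes listed above work by raising the smallest DHE prime a client will accept, and the October 2015 paragraph concerns primes shared across many servers. The following added example (not code from the article or from any vendor) parses a TLS ServerDHParams structure, applies the floors quoted in the cited advisories, and groups hosts by prime; function names, host names and sample values are hypothetical, and the sample integers are constructed stand-ins rather than real primes.

```python
import struct
from collections import defaultdict

# Minimum DHE prime sizes (bits) quoted in the vendor advisories cited on this page.
VENDOR_FLOORS = {"Schannel MS15-055": 1024, "Apple OS X 10.10.4 / iOS 8.4": 768,
                 "NSS 3.19.1": 1023}

def parse_server_dh_params(body: bytes):
    """Parse TLS ServerDHParams: dh_p, dh_g, dh_Ys, each with a 2-byte length prefix."""
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name}")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length {n} for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values)  # bytes after dh_Ys (the signature) are not parsed here

def accepted_by(p: int):
    """Which floors accept this prime. bit_length() ignores zero padding in dh_p,
    so a 512-bit value sent in a 128-byte field still counts as 512 bits."""
    return {vendor: p.bit_length() >= floor for vendor, floor in VENDOR_FLOORS.items()}

def shared_primes(observations):
    """Group (host, p) pairs by prime; a prime on several hosts is a shared group."""
    by_prime = defaultdict(list)
    for host, p in observations:
        by_prime[p].append(host)
    return {p: hosts for p, hosts in by_prime.items() if len(hosts) > 1}

def encode(p: int, g: int, ys: int, pad_p_to: int = 0) -> bytes:
    """Build a constructed ServerDHParams body for the demo (not captured traffic)."""
    out = b""
    for i, v in enumerate((p, g, ys)):
        size = max((v.bit_length() + 7) // 8, pad_p_to if i == 0 else 0)
        out += struct.pack("!H", size) + v.to_bytes(size, "big")
    return out

# Constructed stand-ins with the right bit lengths; they are not real primes.
P512, P768, P1023, P1024 = ((1 << (b - 1)) | 1 for b in (512, 768, 1023, 1024))

if __name__ == "__main__":
    for p in (P512, P768, P1023, P1024):
        parsed_p, _, _ = parse_server_dh_params(encode(p, 2, 5))
        print(parsed_p.bit_length(), accepted_by(parsed_p))
    print(shared_primes([("vpn-a", P1024), ("vpn-b", P1024), ("web-c", P768)]))
```

The 512-bit export-size value fails every floor, while the 768-bit value passes only the Apple floor, which shows how differently the listed fixes treat the same server parameters.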
References
- ^ a b "The Logjam Attack". weakdh.org. 2015-05-20.
- ^ Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica.
- ^ Charlie Osborne (2015-05-20). "Logjam security flaw leaves top HTTPS websites, mail servers vulnerable". ZDNet.
- ^ http://www.wsj.com/articles/new-computer-bug-exposes-broad-security-flaws-1432076565
- ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (May 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
- ^ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
- ^ "Microsoft Security Bulletin MS15-055. Vulnerability in Schannel Could Allow Information Disclosure (3061518)". Microsoft Corporation. 2015-05-12.
  This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed Logjam technique, [...] The security update addresses the vulnerability by increasing the minimum allowable DHE key length to 1024 bits.
- ^ https://blog.torproject.org/blog/tor-browser-452-released
- ^ "About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Apple Inc.
  This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "About the security content of iOS 8.4". Apple Inc.
  This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites". Mozilla.
  FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack." This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes.
- ^ http://googlechromereleases.blogspot.com/2015/09/stable-channel-update.html
External links
- The Logjam Attack
- Logjam server checker for HTTPS only
- Another logjam server scanner for HTTPS and other services