Yesterday, an international group of researchers revealed a set of attacks on Diffie-Hellman, one of the fundamental cryptographic protocols that protect all our communication. They disclosed two attacks: one that allows anyone to break the secrecy of your web browsing by forcing it into an old “export” mode, and one that potentially explains a mystery: why the NSA enjoys great success in breaking some encrypted communications.
The former vulnerability, dubbed “Logjam”, dates back twenty years to the first “Crypto Wars”, a conflict between the security community (which, generally speaking, wanted to protect communications) and the U.S. government (which wanted the ability to spy on anyone, at any time, for whatever reason they might deem “legal”). For a while there was a compromise: “export grade encryption”—encryption weak enough for the U.S. government to crack, but strong enough to keep everyone else out.
At least, that was the plan. But as computing improves, so does the ability to crack digital protections. Eventually, “export grade” encryption was dropped by most credible people in the security field.
Yet these bad ideas lived on, lurking like land-mines in unknown bits of code across the network. So if an attacker can trick your computer into using one of these “export” modes, they can intercept and modify your communications—reading your email, hijacking your social network profiles, even intercepting your online banking transactions.
In this case, the vulnerability involved tricking the browser into using “export grade” Diffie-Hellman, a technique used to let your browser and the server agree on a secret key. By forcing the browser to run in this insecure mode, the attacker can easily break the encryption on the connection. This is not the first such attack; members of the same research team that uncovered Logjam previously discovered FREAK, another technique to trick your browser into using export-weakened cryptography. Be sure to update your browser in the next week to take advantage of upcoming patches.
This is one of the main reasons why the security community is aghast at calls by some in the U.S. government to, once again, deliberately weaken cryptography. We are still dealing with the fallout of the first Crypto War, having to patch systems containing vulnerabilities that the U.S. government forced onto us. This is why a huge coalition of companies, civil society groups, and individuals (including myself) have called on the President (PDF) to not repeat the same mistakes. Whether someone calls it a “front door,” a “back door,” or a “golden key,” it is simply sabotage—sabotage that affects everybody.
The story doesn’t end with a 20-year-old bug. In exploring the Logjam vulnerability, the researchers discovered more, revealing a method the NSA or hostile foreign intelligence services could use to break a large amount of encrypted Internet traffic.
Probably the most powerful technique for breaking encryption is simply stealing the encryption keys, jokingly referred to as “applied kleptography.” Yet IPSec, a common encryption protocol for corporate Virtual Private Networks (VPNs), uses Diffie-Hellman to provide “forward secrecy.”
Forward secrecy means that someone who is simply listening in can’t decrypt the communication: the attacker must insert himself into the communication stream as a “man in the middle” to decrypt it. So even if an intelligence service stole the server’s key, they shouldn’t be able to simply observe and decrypt the communication but must instead insert themselves into the traffic and risk detection. Diffie-Hellman is designed to resist passive kleptography.
Yet slides in the Snowden documents revealed the NSA’s astonishing success in exploiting IPSec. The researchers outlined an approach which, although requiring the construction of a dedicated supercomputer, lies within the NSA’s grasp. Diffie-Hellman uses a prime number in its computation, and although there are an astonishing number of usable primes, most systems use a standard prime number.
The basic idea is to do a nearly astronomical amount of work precomputing partial answers that apply to every connection using a given prime number and then, because most systems use a common prime number, perform only a little more work to crack any given connection. So with a huge amount of initial work and money, but only a modest amount of work per connection, the NSA could break two-thirds of the IPSec connections on the planet—opening up an untold number of corporate VPNs.
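To make the precompute-once, break-many idea concrete, here is an added example; it is not code from the original post or from the Logjam researchers. It uses a constructed 31-bit prime and a baby-step giant-step table as a stand-in for the number field sieve precomputation the researchers describe: the shape is the same, an expensive step that depends only on the prime and generator, then cheap work for each observed exchange. The toy parameters, the function names and the bit-length thresholds in `classify_dh_prime` are my own choices.

```python
"""Toy Diffie-Hellman and a precompute-once, break-many attack on a shared prime.

Added example, not from the original post. P and G are constructed toy parameters;
real deployments use primes of 2048 bits or more. Baby-step giant-step stands in
for the number field sieve: both do heavy work tied to the prime, then cheap work
per connection.
"""
import math
import secrets

P = 2_147_483_647   # 2^31 - 1, a Mersenne prime; constructed toy parameter
G = 7               # generator; constructed toy parameter


def keypair(p=P, g=G):
    """One party's contribution: a secret exponent and the public value g^secret mod p."""
    priv = secrets.randbelow(p - 2) + 1        # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def shared_secret(their_pub, my_priv, p=P):
    """The key both sides agree on: (g^b)^a == (g^a)^b mod p."""
    return pow(their_pub, my_priv, p)


class PrimePrecomputation:
    """Work that depends only on (p, g). Done once, it is reused against every
    exchange that uses the same prime. Here it is the baby-step table of BSGS;
    its size grows with sqrt(p), so a bigger prime costs more than a bigger table."""

    def __init__(self, p=P, g=G):
        self.p, self.g = p, g
        self.m = math.isqrt(p) + 1
        self.table = {}                        # g^j -> j for j in [0, m)
        cur = 1
        for j in range(self.m):
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -self.m, p)        # g^(-m) mod p (Python 3.8+)

    def discrete_log(self, h):
        """Per-connection work: an x with g^x == h mod p in at most m giant steps."""
        cur = h % self.p
        for i in range(self.m):
            j = self.table.get(cur)
            if j is not None:
                return i * self.m + j
            cur = cur * self.giant % self.p
        raise ValueError("h is not a power of g")


def passive_break(pub_a, pub_b, pre):
    """What a purely passive observer can do once the prime has been precomputed:
    recover one exponent from the public values seen on the wire, then derive the
    session key exactly as that party would. No man-in-the-middle is needed."""
    a = pre.discrete_log(pub_a)
    return pow(pub_b, a, pre.p)


def classify_dh_prime(p):
    """Defender's check on a server's DH group size (thresholds are my own):
    512 bits is the export grade Logjam downgrades to; 1024 bits is what the
    researchers put within reach of a nation-state precomputation."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade: breakable by anyone"
    if bits < 2048:
        return "weak: within reach of a well-funded precomputation"
    return "acceptable"


if __name__ == "__main__":
    pre = PrimePrecomputation()                # once per prime
    for _ in range(3):                         # then cheap, per exchange
        a, pub_a = keypair()
        b, pub_b = keypair()
        key = shared_secret(pub_b, a)
        assert key == shared_secret(pub_a, b)
        print("observer recovered session key:", passive_break(pub_a, pub_b, pre) == key)
    print(classify_dh_prime(P), "/", classify_dh_prime(1 << 2047))
```

The relevant lesson for a server operator is in the `PrimePrecomputation` constructor: every exchange that reuses the same `(p, g)` pays only the `discrete_log` cost once the table exists, so a widely shared 1024-bit group concentrates the attacker's investment, while a unique, 2048-bit or larger group forces a fresh precomputation that scales far worse than the toy table here.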
The researchers have no direct evidence that the NSA did this, but I believe their suspicions are well founded. The NSA is not made up of magicians, and all their successes must have a prosaic explanation. If the NSA did indeed discover this technique unnoticed, their failure to disclose is yet more evidence that the NSA does not care about the security of non-classified systems; they would rather spend hundreds of millions of dollars developing a cracking system than simply notifying the world how to secure US businesses before some other foreign intelligence service discovers the same thing.
And whether or not the NSA discovered this, all our adversaries now know the technique. If China wants to build a massive crypto-cracker, we are in a race with them: can we fix our systems before they spend a few hundred million dollars building their own dedicated supercomputer?
Weakening encryption is a dangerous game, and this is yet another case of it subverting everybody’s security. We must take attempts by the government to weaken security as personal attacks. Because that’s exactly what they are.