Journal
Publisher
ASSOC COMPUTING MACHINERY
DOI: 10.1145/2810103.2813707
Keywords
-
Category
Funding
- U.S. National Science Foundation [CNS-1345254, CNS-1409505, CNS-1518741, EFRI-1441209]
- Office of Naval Research [N00014-11-1-0470]
- ERC [259639]
- French ANR [ANR-12-BS02-001-01]
- NSF [DGE-1256260]
- Mozilla Foundation
- Google Ph.D. Fellowship in Computer Security
- Morris Wellman Faculty Development Assistant Professorship
- Alfred P. Sloan Foundation
- INRIA
- CNRS
- RENATER
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to export-grade Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Authors