The Weekly Ink #36
The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.
If you have links that you think would be interesting for inclusion and commentary, send them our way at firstname.lastname@example.org.
This week, a group of researchers spanning many institutions (including some friends of ours over at the University of Michigan) announced their discovery of some new attacks against SSL/TLS. Building on some ideas explored earlier this year with the FREAK attack, they published a technical report comprising two distinct weaknesses in common usage of the Diffie-Hellman key exchange algorithm.
The researchers dubbed the first issue "Logjam", but faced intense criticism for not also providing an official logo (had they asked, our crack team of graphic designers at Duo Labs would've been happy to help). Instead:
So, in deference to (at least one of) the researchers, I shall refer to the bug as Pinetree Honeypot. Much like the FREAK attack itself, Pinetree Honeypot could allow a Man-in-the-Middle attacker to downgrade a TLS connection to export-grade cryptography - in this case, if both a client and server are willing to perform a Diffie-Hellman key exchange using 512-bit parameters.
For any given parameter group, breaking Diffie-Hellman requires a long one-time pre-computation; in this case, it took the Pinetree Honeypot researchers about a week to attack a 512-bit group. (Even so, compared to what we consider "strong" crypto, a week is a very short period of time for a brute-force style attack. Thus, this should reconfirm what we already knew: 512-bit Diffie-Hellman is well past its prime!) After this pre-computation is performed, however, one can quickly crack any key exchange made using said group, and read/modify any data sent over a connection secured by that exchange. That's where the second issue comes into play: it turns out that a strong majority of web servers (and many SSH and VPN servers) use default and/or standard Diffie-Hellman groups from a very small set. This is especially true for servers that are vulnerable to Pinetree Honeypot:
We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites.
Building on this line of inquiry, the Pinetree Honeypot researchers further speculate that, with some billions of dollars and a year or two, it would even be feasible to perform the pre-computation attack against some 1024-bit groups:
A small number of fixed or standardized groups are in use by millions of TLS, SSH, and VPN servers. Performing precomputations on a few of these groups would allow a passive eavesdropper to decrypt a large fraction of Internet traffic. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.
So: if you run an HTTPS server, head on over to Qualys SSL Labs to test it and see if you're vulnerable to any of these issues. Also, check out the researchers' Guide to Deploying Diffie-Hellman for TLS.
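As an added illustration of the two weaknesses above (this is example code written for this issue, not code from the researchers, Duo Labs, or the deployment guide), the following Python parses the ServerDHParams structure a TLS server sends in its ServerKeyExchange message, labels the group by its size, and measures how many observed servers share one modulus. The sample moduli are constructed stand-ins of the right bit length, not real primes and not the actual standardized groups.

```python
import struct
from collections import Counter

EXPORT_BITS = 512          # group size the researchers broke with about a week of precomputation
RECOMMENDED_BITS = 2048    # minimum size for freshly generated groups per the deployment guide

def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams blob (RFC 5246 7.4.3): three length-prefixed big-endian integers."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def parse_server_dh_params(blob):
    """Return (p, g, Ys) from a ServerDHParams blob; raise ValueError if it is truncated."""
    fields, off = [], 0
    for _ in range(3):
        if off + 2 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from("!H", blob, off)
        off += 2
        if off + n > len(blob):
            raise ValueError("truncated field body")
        fields.append(int.from_bytes(blob[off:off + n], "big"))
        off += n
    return tuple(fields)

def classify_group(p):
    """Label a DH modulus by size, following the risk tiers the report describes."""
    bits = p.bit_length()
    if bits <= EXPORT_BITS:
        return "export-grade"            # the downgrade target; about a week of precomputation
    if bits < 1024:
        return "weak"
    if bits < RECOMMENDED_BITS:
        return "nation-state-feasible"   # 1024-bit: plausible given nation-state resources
    return "ok"

def shared_group_fraction(observations):
    """observations: {host: p}. Return the most common modulus and the share of hosts using it."""
    most_common_p, count = Counter(observations.values()).most_common(1)[0]
    return most_common_p, count / len(observations)

# Constructed stand-in moduli: odd numbers of the right size, NOT real primes or real groups.
P512 = (1 << 511) | 0x1F5
P1024 = (1 << 1023) | 0x2A3
P2048 = (1 << 2047) | 0x13B
```

Feeding the parser the ServerDHParams bytes captured from a real handshake, and the reuse counter a scan of many hosts, reproduces the two checks the report's numbers are based on: group size and group sharing.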
Flawed Export Plans
Remember how great our crypto export regulations have been for making the Internet a safer place? (If you don't, then please reread the section above. I'll wait...) Yes?
The US Commerce Department has proposed new rules to extend this sort of export-control regime to "unknown software flaws", treating them "as potential weapons". Researchers and companies would need a special license to sell information about 0-day vulnerabilities outside the "Five Eyes" countries (the United States, United Kingdom, Canada, Australia and New Zealand).
One perverse potential consequence seems clear already: rules of this sort could disrupt bug bounty programs, which have proven a very effective mechanism to encourage independent researchers and companies to work together to fix these very sorts of vulnerabilities.
Fight over Flight?
A little while ago, we wrote about Chris Roberts' travel woes. Recently, an FBI affidavit revealed a startling twist in the story: according to the FBI's claims, Roberts told them that he had once broken into a plane's avionics systems and taken control of an engine during a commercial passenger flight. Whether true or not, this is extremely disturbing news: with several critical tech policy issues on the table right now, these sorts of brazen claims by one individual could do massive damage to the credibility of the entire security-research community.