The NSA’s Thirst to Break Your Encrypted Connections


The majority of servers share common, built-in Diffie-Hellman parameters to encrypt and secure your Internet communication. However, documents leaked by former National Security Agency (NSA) subcontractor and whistle-blower Edward Snowden exposed how the NSA was able to observe encrypted VPN connections and pass the intercepted data to supercomputers, which then hack away at the math until the key needed to decrypt the communications is derived.

“The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto.” – Halderman & Heninger.

“While the documents make it clear that NSA uses other attack techniques, like software and hardware ‘implants,’ to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.” – Halderman & Heninger.

(Read their full post here).

The most commonly used Diffie-Hellman key size is 1024 bits. According to computer scientists and researchers Alex Halderman and Nadia Heninger, it would cost a few hundred million dollars and a year to crack just one of these extremely large prime numbers. However, because only a handful of prime numbers are commonly and widely used, the payoff in terms of connections that could be decrypted would be huge, and the cost is well within the NSA’s $11-billion-per-year resources allocated towards “ground-breaking cryptanalytic capabilities”, as stated in its 2013 black budget. This means that the attacker can leverage the expensive one-time cryptanalytic computation against all the servers that share a prime at once.

The source of the problem? A flaw in the way the Diffie-Hellman key exchange is implemented.

But what is “Diffie-Hellman”?

Diffie-Hellman is a form of asymmetric cryptography (also known as public-key cryptography) that lets two parties agree on a shared key. It is well suited for use in data communication but is less often used for data stored or archived over long periods of time. The method uses two different but mathematically linked keys (one public and one private). The public key can be shared with everyone, whereas the private key must be kept secret. Diffie-Hellman is used extensively in protocols such as SSL/TLS and IPsec to transport data. For traditional (‘mod p’) Diffie-Hellman, both parties must agree on a set of parameters: a large prime number p and a ‘generator’ g.


Picture: Two parties exchanging keys (Source)

Cryptographically strong groups (where p is 2048 bits or larger) make precomputation harder and the exchange more secure.

The Logjam vulnerability

Nonetheless, Diffie-Hellman can be vulnerable to attacks. On its own, a Diffie-Hellman exchange lacks authentication and is susceptible to man-in-the-middle (MITM) attacks. Hence, it is advisable to use Diffie-Hellman in conjunction with a recognized authentication method, such as digital signatures, to verify the identities of the users over the public communications medium.

The Logjam vulnerability allows a man-in-the-middle (MITM) attacker to downgrade secure SSL/TLS connections to a weak 512-bit key so that the attacker can observe and manipulate the data passed between a browser and a server. This weakness dates back to the 1990s, when the US Government banned the export of strong encryption software for sale overseas. Dubbing such software ‘weapons of war’, it allowed only ‘export-grade’ encryption products (asymmetric keys no longer than 512 bits) to be sold. This watered-down encryption opened the doorway for the US Government to spy on its counterparts.

This makes it possible for the NSA to decrypt communications on a mass scale. However, it also gives other attackers with nation-state-sized budgets the same capability to passively decrypt connections that use 1024-bit Diffie-Hellman keys.

“Our findings illuminate the tension between NSA’s two missions, gathering intelligence and defending U.S. computer security. If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem. On the defensive side, NSA has recommended that implementors should transition to elliptic curve cryptography, which isn’t known to suffer from this loophole, but such recommendations tend to go unheeded absent explicit justifications or demonstrations. This problem is compounded because the security community is hesitant to take NSA recommendations at face value, following apparent efforts to backdoor cryptographic standards.” – Halderman & Heninger.

(Use this site to test if your web browser is vulnerable to the Logjam attack).


How big is your key?

A few 1024-bit groups, the most common strength of Diffie-Hellman, are used by millions of servers, making them ideal targets for precomputation and potential eavesdropping. Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use ‘safe’ primes of 2048 bits or larger. DHE primes of less than 1024 bits (and 1024-bit RSA) should not be considered secure, even against an attacker with moderate resources, and must be phased out in the near term. Stronger, larger keys take more time to compute and to break. Precomputation for a 2048-bit non-trapdoored group is around 10^9 times harder than for a 1024-bit group, so 2048-bit Diffie-Hellman will remain secure barring a major algorithmic improvement.
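
As an added example (not code from the original post or from BolehVPN), the following Python code audits a ‘mod p’ group against the advice above: a modulus of at least 2048 bits that is a safe prime. It goes slightly beyond the text by rebuilding two standardized groups from their published formulas (Oakley Group 2 from RFC 2409 and Group 14 from RFC 3526) as sample input; the function names and the `min_bits` parameter are assumptions of this example.

```python
import secrets

def pi_times_2_pow(bits, guard=64):
    """floor(pi * 2**bits) via Machin's formula in fixed-point integer arithmetic."""
    scale = 1 << (bits + guard)
    def arctan_inv(x):
        total = term = scale // x
        k, sign = 1, -1
        while term:
            term //= x * x
            total += sign * (term // (2 * k + 1))
            k, sign = k + 1, -sign
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

def modp_prime(n, c):
    """Published form: 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)."""
    return (1 << n) - (1 << (n - 64)) - 1 + ((pi_times_2_pow(n - 130) + c) << 64)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with unpredictable bases, since audited parameters may be hostile."""
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % sp == 0 for sp in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x not in (1, n - 1) and all(pow(x, 1 << r, n) != n - 1 for r in range(1, s)):
            return False
    return True

def audit_dh_group(p, g, min_bits=2048):
    """Findings for a 'mod p' Diffie-Hellman group; an empty list means it passed."""
    bits, findings = p.bit_length(), []
    if bits < min_bits:
        findings.append(f"{bits}-bit modulus is below {min_bits} bits")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("not a safe prime: (p - 1) / 2 is composite")
    if not 1 < g < p - 1:
        findings.append("generator is outside 2..p-2")
    return findings

# Two standardized groups, both used with generator 2 (constants from RFC 2409 / RFC 3526).
OAKLEY_GROUP_2 = modp_prime(1024, 129093)   # 1024-bit
MODP_GROUP_14 = modp_prime(2048, 124476)    # 2048-bit
```

The 1024-bit group passes every check except size: it is a valid safe prime, so the weakness of a shared 1024-bit group lies in its length, not in how the parameters were generated.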

On the topic of cryptographic strength: although it is possible to design and implement your own cryptosystem, doing so remains rather difficult, and it is extremely inadvisable to trust essential data and information to an experimental, self-designed cryptosystem. Without the right tools and knowledge, it is safer to leave the protection of your valuable information to cryptosystems developed by experts.


Picture source: XKCD.com

Rest assured, BolehVPN’s encryption systems are all equipped with the 2048-bit Diffie-Hellman exchange to continuously provide you with security and speed to the best of our abilities.

Sources:

[1] Imperfect forward secrecy: How Diffie-Hellman fails in practice

[2] Halderman & Heninger – How is NSA breaking so much crypto

[3] Ars Technica – NSA breaks trillions of encrypted Web and VPN connections

[4] Hacker News – How NSA successfully broke trillions of encrypted connections

[5] Entrust

0 Comments

  1. krasnal says:

    The article is fine, as far as it goes but IMO bolehvpn security is still lagging, though I commend your use of keys instead of passwords (though that has itself created its own problems – below).

    As you know only too well, we’ve been waiting for over half a year for you to get your new portal up and running and, equally important IMO, to get the keys and certificates upgraded to a higher standard [the boleh CA configuration files are based on a key length of only 1024 bits and use the MD5 hashing algorithm!]. Nothing important should be using MD5 by now and your CA configuration files need to be based on a key at least 2048 bits long. (But you knew that already.)

    Sorry to bang on about this again but I’m increasingly disappointed with the pace of progress in this area.
