Measuring small subgroup attacks against Diffie-Hellman

Luke Valenta, David Adrian, Antonio Sanso, Shaanan Cohney, Joshua Fried, Marcella Hastings, J. Alex Halderman, Nadia Heninger

In NDSS Symposium 2017


Abstract

Several recent standards, including NIST SP 800-56A and RFC 5114, advocate the use of DSA parameters for Diffie-Hellman key exchange. While it is possible to use such parameters securely, additional validation checks are necessary to prevent well-known and potentially devastating attacks. In this paper, we observe that many Diffie-Hellman implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation choices, this can radically decrease security. We measure the prevalence of these parameter choices in the wild for HTTPS, POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using DSA and other non-safe primes for Diffie-Hellman key exchange, many of them in combination with potentially vulnerable behaviors. We examine over 20 open-source cryptographic libraries and applications and observe that until January 2016, not a single one validated subgroup orders by default. We found feasible full or partial key recovery vulnerabilities in OpenSSL, the Exim mail server, the Unbound DNS client, and Amazon's load balancer, as well as susceptibility to weaker attacks in many other applications.
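The attack the abstract refers to, and the subgroup-order check that defeats it, as an added worked example (this is illustrative code written for this page, not code from the paper or from any of the libraries it names). It constructs a toy DSA-style group: a prime p whose p-1 has a large prime factor q (the intended subgroup order) plus several tiny prime factors, exactly the shape of a non-safe prime. A victim that reuses a static exponent and does not check that the peer's public value lies in the order-q subgroup leaks its exponent modulo each tiny factor; the attacker combines the residues with the CRT. The key-confirmation tag the attacker tests candidate secrets against, the parameter sizes, and the victim's reuse of its exponent are assumptions of the example, not claims about any specific implementation. The constants q = 1009 and the factor list are constructed values chosen so the example runs in well under a second.

```python
"""Toy small-subgroup attack on Diffie-Hellman over a non-safe prime, and the
subgroup-order check that stops it.  Constructed example; tiny parameters."""
import hashlib
import random
from math import prod


def is_prime(n):
    """Deterministic trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def make_non_safe_prime(q, small_factors):
    """Return a prime p with p - 1 = q * prod(small_factors) * t: a (constructed)
    DSA-style group with one large prime-order subgroup and several tiny ones."""
    cofactor = prod(small_factors)
    t = 1
    while not is_prime(q * cofactor * t + 1):
        t += 1
    return q * cofactor * t + 1


def element_of_order(p, d):
    """An element of order exactly d, for prime d dividing p - 1."""
    for h in range(2, p):
        g = pow(h, (p - 1) // d, p)
        if g != 1:
            return g
    raise ValueError("no element of that order")


def validate_public_key(y, p, q):
    """The check an implementation must make with DSA-style parameters:
    2 <= y <= p-2 and y^q == 1 (mod p), i.e. y lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def tag(shared, msg):
    """Assumed key-confirmation value the attacker can observe (constructed)."""
    return hashlib.sha256(str(shared).encode() + msg).digest()


class Victim:
    """Static DH peer: reuses its exponent; validates only if asked to."""

    def __init__(self, p, q, g, validate):
        self.p, self.q, self.g, self.validate = p, q, g, validate
        self.x = random.randrange(1, q)        # long-term private exponent
        self.y = pow(g, self.x, p)

    def respond(self, peer_pub, msg):
        if self.validate and not validate_public_key(peer_pub, self.p, self.q):
            return None                          # hardened peer refuses the value
        shared = pow(peer_pub, self.x, self.p)
        return tag(shared, msg)


def crt(residues):
    """Combine (r, d) pairs with pairwise coprime d into x mod prod(d)."""
    x, m = 0, 1
    for r, d in residues:
        x += m * (((r - x) * pow(m, -1, d)) % d)
        m *= d
    return x


def small_subgroup_attack(victim, p, small_factors):
    """For each tiny prime d, send a public value of order d: the shared secret
    then takes only d possible values, so x mod d is found by brute force."""
    residues, msg = [], b"constructed key-confirmation message"
    for d in small_factors:
        y_a = element_of_order(p, d)
        t = victim.respond(y_a, msg)
        if t is None:
            return None                          # validation blocked the attack
        j = next(j for j in range(d) if tag(pow(y_a, j, p), msg) == t)
        residues.append((j, d))
    return crt(residues)


def demo(validate=False, seed=1):
    """Run the exchange; prod(small) > q, so a full exponent is recovered."""
    random.seed(seed)
    small = [2, 3, 5, 7, 11, 13]                 # orders of the small subgroups
    q = 1009                                      # order of the intended subgroup
    p = make_non_safe_prime(q, small)
    g = element_of_order(p, q)
    victim = Victim(p, q, g, validate)
    return {"p": p, "q": q, "g": g, "x": victim.x, "victim_pub": victim.y,
            "recovered": small_subgroup_attack(victim, p, small)}


if __name__ == "__main__":
    r = demo(validate=False)
    print("unvalidated peer: x =", r["x"], "recovered =", r["recovered"])
    print("validating peer:  recovered =", demo(validate=True)["recovered"])
```

Two points the toy makes concrete. First, the attacker's values pass every check a "safe prime" implementation would make (they are in range, and a non-safe-prime check cannot tell them from honest values); only the y^q == 1 test rejects them, which is why the abstract's finding that no library performed it by default matters. Second, the leak per exchange is tiny (log2(d) bits), so the attack needs exponent reuse across exchanges plus some way to test candidate secrets; those are the "other protocol properties and implementation choices" the abstract refers to. With a real DSA group the small factors of (p-1)/q are whatever the parameter generator happened to produce, and how much of x they reveal depends on their product, which is what separates the paper's "full" from "partial" key recovery.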

[NDSS Website] [Paper] [Slides] [YouTube Video]
