Security
Logjam: Diffie-Hellman, discrete logs, the NSA, and you
December 28, 2015
9:45 PM – 10:45 PM Add to calendar
9:45 PM – 10:45 PM Add to calendar
Hall 1
Earlier this year, we discovered that Diffie-Hellman key
exchange – cornerstone of modern cryptography – is less
secure in practice than the security community believed. In this
talk, we’ll explain how the NSA is likely exploiting this weakness to
allow it to decrypt connections to at least 20% of HTTPS websites, 25% of SSH servers, and 66% of IPsec VPNs.
Unlike the NSA, most of us don’t have a billion-dollar budget, but thanks to 1990s-era U.S. crypto backdoors, even attackers with much more modest resources can break the crypto for a sizable fraction of web sites. We’ll explain these flaws and how to defend yourself, and we’ll demonstrate how you too can experiment with Diffie-Hellman cryptanalysis from the comfort of your local hacker space.
Diffie-Hellman key exchange lets two parties negotiate a shared secret key in the presence of an eavesdropper who can see every message they exchange. This bit of cryptographic magic underlies the security of the Internet, from TLS to SSH, IPsec, Tor, OTR, and beyond.
Diffie-Hellman is widely believed to offer „perfect forward secrecy“ – after you’re done communicating, you can „forget" your
secret key and not even the NSA can later reconstruct it. In recent
years, this property led to the security community (us included!)
promoting Diffie-Hellman over other crypto techniques as a defense
against mass surveillance.
We were wrong. We’re really sorry.
In this talk, we’ll explain how a confluence of number theory, lazy
implementations, and aging protocols has created a world where anyone willing to spend a few hundred million dollars is likely able to
passively decrypt a huge fraction of Internet traffic. We’ll then go
back for a close reading of the Snowden documents that were published at 31C3 and show how such a cryptanalytic exploit lines up exactly with several of the NSA’s most powerful known decryption capabilities.
For those who prefer a more hands-on approach, we’ll tell you how you too can experiment with breaking Diffie-Hellman for the „export-grade“ 512-bit key sizes that were mandated in the 1990s by U.S. crypto regulations. About 8% of popular HTTPS sites still support these weakened keys for use with legacy browsers, but we discovered a TLS protocol flaw, which we named the Logjam attack, that allowed a man-in-the-middle to trick all modern browsers into accepting them.
We’re pretty sure your browser has shipped a security update to fix
this by now...
We’ll conclude the talk by discussing what went wrong with
communication between mathematical cryptographers and security
practitioners, how we can prevent this from happening again, and what flavors of cryptography you should really be using to defend yourself.
(Hint: It starts with „elliptic“ and ends with „curve“.)
Additional information
| Type | lecture |
|---|---|
| Language | English |
More sessions
| 12/27/15 |
Can we build trustworthy client systems on x86 hardware? What are the main challenges? What can we do about them, realistically? Is there anything we can?
|
| 12/27/15 |
Unser Vortrag demonstriert einen PLC-only Wurm. Der PLC-Wurm kann selbstständig ein Netzwerk nach Siemens Simatic S7-1200 Geräten in den Versionen 1 bis 3 durchsuchen und diese befallen. Hierzu ist keine Unterstützung durch PCs oder Server erforderlich. Der Wurm „lebt“ ausschließlich in den PLCs.
|
| 12/27/15 |
Dr. Peter Laackmann und Marcus Janke zeigen mit einem tiefen Einblick in die Welt der Hardware-Trojaner, auf welchem Wege „Institutionen“ versuchen können, sich versteckten Zugang zu Sicherheits-Hardware zu verschaffen.
|
| 12/27/15 |
Key-Loggers are cool, really cool. It seems, however, that every conceivable aspect of key-logging has already been covered: from physical devices to hooking techniques. What possible innovation could be left in this field?
|
| 12/27/15 |
This presentation covers windows kernel driver security issues. It'll discuss some background, and then give an overview of the most common issues seen in drivers, covering both finding and fixing issues.
|
| 12/27/15 |
Did you ever want to have access to a few hundred thousand network end points? Or a few hundred thousand phone numbers? A short look behind the curtains of how not to do network security.
|
| 12/27/15 |
For years SCADA StrangeLove team speaks about vulnerabilities in Industrial Control Systems. Now we want to show by example of railway the link between information security and industrial safety and demonstrate how a root access gained in a few minutes can bring to naught all the years of efforts that were devoted to the improvement of fail-safety and reliability of the ICS system. Railroads is a complex systems and process automation is used in different areas: to control power, switches, ...
|
