A novel encryption bug has surfaced recently, which could pose a threat to online privacy. Dubbed “LogJam,” the bug occurs in TLS (Transport Layer Security), an encryption protocol used to authenticate servers and conceal the contents of secure web activity (like your bank login).
The bug allows a man-in-the-middle attacker to force your browser, and the server it’s connected to, to use a weak form of encryption which is vulnerable to brute-force attacks. This is related to the ‘FREAK’ vulnerability discovered and patched earlier this year. These bugs come on the heels of more catastrophic security issues like Heartbleed and Shellshock.
While patches are in the works for most major browsers, the fix may leave thousands of web servers inaccessible until they’re upgraded with corrected code.
A Military Legacy
Unlike most security vulnerabilities, which are caused simply by programmer oversight, this vulnerability is at least partially intentional. Back in the early 1990s, when the PC revolution got underway, the federal government was concerned that the export of strong encryption technology to foreign powers could compromise its ability to spy on other nations. At the time, strong encryption technology was considered, legally, to be a form of weaponry. This allowed the federal government to put limitations on its distribution.
As a result, when SSL (the Secure Sockets Layer, predecessor to TLS) was developed, it was developed in two flavors – the US version, which supported full-length keys of 1024 bits or larger, and the international version, which topped out at 512-bit keys, which are exponentially weaker. When the two different versions of SSL talk, they fall back to the more easily broken 512-bit key. The export rules were changed due to a civil rights backlash, but for backwards-compatibility reasons, modern versions of TLS and SSL still have support for 512-bit keys.
Unfortunately, there’s a bug in the portion of the TLS protocol that determines which key length to use. This bug, LogJam, allows a man-in-the-middle attacker to trick both ends of the connection into thinking they’re talking to a legacy system which wants to use a shorter key. This degrades the strength of the connection, and makes it easier to decrypt the communication. This bug has been hidden in the protocol for about twenty years, and has only recently been uncovered.
The bug currently affects about 8% of the top one million HTTPS-enabled websites, and a large number of mail servers, which tend to run outdated code. All major web browsers are affected except Internet Explorer. Affected websites would show the green HTTPS lock at the top of the page, but would not be secure against some attackers.
Browser makers have agreed that the most robust fix to this problem is to remove all legacy support for 512-bit RSA keys. Unfortunately, this will render some portion of the Internet, including many mail servers, unavailable until their firmware is updated. To check if your browser has been patched, you can visit a site set up by the security researchers who discovered the attack, at weakdh.org.
So how vulnerable is a 512-bit key these days, anyway? To find out, we first have to look at exactly what’s being attacked. Diffie-Hellman key exchange is an algorithm used to allow two parties to agree on a shared symmetric encryption key, without sharing it with a hypothetical snooper. The Diffie-Hellman algorithm relies on a shared prime number, built into the protocol, which dictates its security. The researchers were able to crack the most common of these primes within one week, allowing them to decrypt about 8% of Internet traffic which was encrypted with the weaker 512-bit prime.
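To make the two preceding paragraphs concrete, here is an added example (not code from the article or from any browser vendor) showing the client-side check the browser fix amounts to: parse the Diffie-Hellman parameters a TLS 1.2 server sends in its ServerKeyExchange message and refuse any prime below a minimum size, so a downgrade to a 512-bit export group is rejected. The 1024-bit floor, the stand-in prime values and the toy exchange over the Mersenne prime 2^127 - 1 are assumptions chosen for illustration.

```python
# Added example: reject small Diffie-Hellman groups offered by a TLS 1.2 server,
# and show why both parties end up with the same shared secret.
# ServerDHParams layout (RFC 5246 section 7.4.3): dh_p, dh_g, dh_Ys, each sent as a
# 2-byte big-endian length followed by that many bytes.

MIN_DH_PRIME_BITS = 1024  # assumed policy floor; anything smaller is treated as weak

def parse_server_dh_params(data: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys from the start of a ServerKeyExchange body."""
    fields, off = {}, 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        length = int.from_bytes(data[off:off + 2], "big")
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"bad length for dh_{name}")
        fields[name] = int.from_bytes(data[off:off + length], "big")
        off += length
    return fields

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to build constructed test messages."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def dh_prime_bits(params: dict) -> int:
    return params["p"].bit_length()

def accept_dh_params(params: dict, min_bits: int = MIN_DH_PRIME_BITS) -> bool:
    """A Logjam-style downgrade to a 512-bit export group fails this check."""
    return dh_prime_bits(params) >= min_bits

def dh_exchange(p: int, g: int, a: int, b: int) -> tuple:
    """Each party raises the other's public value to its own secret mod p;
    the two results are equal, which is the point of Diffie-Hellman."""
    A, B = pow(g, a, p), pow(g, b, p)
    return pow(B, a, p), pow(A, b, p)

if __name__ == "__main__":
    # Constructed stand-ins with realistic bit lengths (not real TLS groups).
    export_p, strong_p = (1 << 511) | 1, (1 << 2047) | 1
    for p in (export_p, strong_p):
        params = parse_server_dh_params(encode_server_dh_params(p, 2, 123456789))
        verdict = "accept" if accept_dh_params(params) else "reject"
        print(dh_prime_bits(params), "bits:", verdict)
    # Toy exchange over the Mersenne prime 2^127 - 1 with fixed secrets.
    sa, sb = dh_exchange(2**127 - 1, 2, 0x1234567, 0x7654321)
    print("shared secrets match:", sa == sb)
```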
This puts this attack within reach for a “coffee shop attacker” – a petty thief snooping on sessions via public WiFi, and brute-forcing keys after the fact to recover financial information. The attack would be trivial for corporations and organizations like the NSA, who might go to considerable lengths to set up a man-in-the-middle attack for espionage. Either way, this does represent a credible security risk, both for ordinary people and anyone who might be vulnerable to snooping by more powerful forces. Certainly, someone like Edward Snowden should be very careful about using unsecured WiFi for the foreseeable future.
More worryingly, the researchers also suggest that standard prime-lengths which are considered secure, like 1024-bit Diffie-Hellman, might be vulnerable to brute-force attack by powerful government organizations. They suggest migrating to substantially larger key sizes to avoid this problem.
Is Our Data Secure?
The LogJam bug is an unwelcome reminder of the dangers of regulating cryptography for purposes of national security. An effort to weaken the United States’ enemies has wound up hurting everyone, and making all of us less safe. It comes at a time when the FBI is making efforts to force tech companies to include backdoors in their encryption software. There’s a very good chance that if they win, the consequences for the coming decades will be just as serious.
What do you think? Should there be restrictions on strong cryptography? Is your browser secure against LogJam? Let us know in the comments!