
'Logjam' crypto bug could be how the NSA cracked VPNs


Batu69


Johns Hopkins crypto boffin spots FREAK-like protocol bug

Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman cryptography.

In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be forced to downgrade a connection to that weak level. The server – and therefore the client – will both still believe they're using stronger keys such as 768-bit or 1024-bit.

Like so many things – including the similar FREAK flaw – the bug is ancient: a 20-year-old SSL bug that was inherited by TLS.

Green has hosted a site discussing what's being called "Logjam", Weakdh.org, with a detailed academic paper here (PDF).

Green's already been in touch with the major browser vendors, and says they're in the process of implementing a more restrictive policy on the size of Diffie-Hellman groups they will accept.

Logjam is another exploit of the 1990s-era crypto-wars: “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the paper notes.

Because “export grade” hangs around in ciphersuites, “a man-in-the-middle can force TLS clients to use export strength DH with any server that allows DHE_EXPORT.”

“The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable,” Green writes at the Logjam site.

Where 512-bit keys are supported, after an initial long computation, Green writes that “an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18 per cent of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66 per cent of VPN servers and 26 per cent of SSH servers.”

That's where the spooks come in: “A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.”

Anyone running a Web or mail server needs to disable export-grade cipher suites and generate a new and unique 2048-bit Diffie-Hellman group. Users need to watch for browser upgrades, and developers need to use the latest libraries and reject Diffie-Hellman groups shorter than 1024 bits. ®

http://www.theregister.co.uk/2015/05/20/logjam_johns_hopkins_cryptoboffin_ids_next_branded_bug/
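The client-side policy the article describes (rejecting Diffie-Hellman groups shorter than 1024 bits) can be applied to the ServerDHParams a server sends in its TLS ServerKeyExchange. The example below is added here and is not from the article or the Logjam paper; it parses the three length-prefixed integers (dh_p, dh_g, dh_Ys, RFC 5246 section 7.4.3) and checks the prime size, and the sample values it builds are constructed numbers, not real primes.

```python
import struct

MIN_DH_BITS = 1024  # minimum group size the article says browsers are moving to


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams at the start of a DHE ServerKeyExchange body.

    Layout: opaque dh_p<1..2^16-1>, dh_g<1..2^16-1>, dh_Ys<1..2^16-1>,
    each a 2-byte big-endian length followed by that many bytes.
    Returns (p, g, Ys, bytes_consumed); the signature follows afterwards.
    """
    offset = 0
    values = []
    for _ in range(3):
        if offset + 2 > len(body):
            raise ValueError("truncated ServerDHParams length field")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError("truncated or empty ServerDHParams value")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, offset


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here to build a constructed sample message."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def dh_group_acceptable(p: int, g: int, ys: int, min_bits: int = MIN_DH_BITS):
    """Client policy: refuse export-strength (512-bit) or otherwise undersized
    groups, and refuse degenerate public values. Returns (ok, reason)."""
    if p.bit_length() < min_bits:
        return False, f"prime is {p.bit_length()} bits, below {min_bits}"
    if g < 2:
        return False, "generator must be at least 2"
    if not 1 < ys < p - 1:
        return False, "server public value out of range"
    return True, "ok"
```

A real client would also pin to well-known groups or prefer ECDHE, but the size check alone already refuses the 512-bit DHE_EXPORT parameters the downgrade relies on.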


If NSA used a crypto boffin bug that's been around 20 years.

In order for the attacker to successfully trick the Web server into opting for a weaker key, the attacker should be on the same network that the targeted victim is in. For example, if the victim is in a coffee shop and using the place's Wi-Fi network, the attacker should also use the same Wi-Fi network.

They would have to be on the same network you are to begin with. In the case of the VPN they would need to be on the exact IP you're using, or maybe even your own internet, and the chances of them figuring out which one you used are very slim. On a good VPN service one IP could have up to 100 users. As far as them being on the same IP as your real one, you must have done something to make NSA suspect you for them to be on your network. :lol:

I never heard of NSA ever being able to use anything they ever found through tapping in a court of law. The only reason they're allowed to do it anyway is because of the Patriot Act and 9/11, which is about to expire soon, and if it's not renewed it will become illegal again. This same kind of stuff got Richard Nixon impeached from the Office. Now they have a whole organization doing the same kind of things. My my, how times have changed. :P
