Are Secure Communications Really Secure? Government Sites Affected by Weak DHE
How secure is online public communication? Last May, a paper was published that discusses about the Diffie-Helman (DH) crypto-strength deployment, which gives strong evidence that the current DH usage is weak and suggests that 1024-bit size parameters can be broken with a nation state’s computing power resources.
The paper presents possible scenarios where such an incident could occur. They found, for example, that 17.9% of HTTPS connections to sites that are part of the Alexa Top 1M sites can be eavesdropped without the traffic being modified by the attacker. Additionally, they found that 98.9% of SSH servers support 1024-bit Ephemeral Diffie-Hellman (DHE) parameters, 25.7% (or 3.6 million) of which they estimate can be passively eavesdropped in practice. Passive eavesdropping is when an attacker tries to break into encrypted traffic without modifying it.
Considering the diversity of the affected protocols and that the given numbers of sampled devices are only one small sample of Internet-connected devices, it is possible to conclude that the online secure public communication isn’t as secure as we all originally thought, assuming a nation state’s computing power resources can possibly break DHE.
Weaknesses in DHE are a problem because of how important it is to securing online traffic. Many crucial sites today use 1024-bit DHE. We decided to conduct our own scanning to look for sites that use DHE 1024 values. Our own results can hopefully give more information on weak website setups.
DHE weak parameters
The type of encryption key that will be used for communication relies on two parameters, G (a generator) and P (a large prime number). For example, a SSL/TLS connection will use a 1024-bit key size for DHE when the value of P on the SSL/TLS server key exchange is also 1024-bit.
Figure 1 below shows how the P parameter can be inspected inside one SSL/TLS session. The shown P value is 64 bytes in size, which means 512 bits. The value P is a random number generated on the server side.
Figure 1. DHE Parameters
The first step in the attacking DHE is the most expensive and can be done offline (pre-calculated) based on P. This means that the longer time P is reused more vulnerable is the encrypted communication. Almost all servers will reuse the same P all the time without change. This makes the job of an attacker much easier. Simply put, we can say there are three kinds of P values:
- Default P: The values hardcoded by the SSL/TLS implementation. These values are fixed on the server side and reused every time.
- Reused Generated P: The values are generated to avoid the default ones. However, they are configured one time and never changed afterwards.
- Non-reused Generated P: The values are re-generated with certain frequency and never reused.
It’s worth noting that Default P and Reused Generated P are vulnerable to a nation state’s computing power resources for cryptanalysis. The vulnerability of Non-reused Generated P will depend on the frequency of the generation.
Testing the parameters
In order to better inform users about these concerns, we decided to create a tool that would inspect the usage of DH, specifically ephemeral DH (DHE) protocol variant, parameters similar to the one used in the published entry.
The tool forces a site to use DHE cipher suite and inspects which parameters are used by default. The parameters are stored and the sites are then grouped by P value and size. Figure 2 shows the execution flow implemented by the tool.
Figure 2. Operation flow
We conducted a search on the following sites types:
- Sites containing “sign-in” in the URL. These sites are normally used for entering credentials to access systems
- Sites on GOV top level domains. Those are normally government sites supporting SSL/TLS
- Sites containing countries top level domains supporting SSL/TLS
Using the tool revealed that there are some commonly used 1024-bit P that were not mentioned in the paper and were found to be vulnerable. Table 1 shows some of the discovered, fixed 1024 bit values for P, the source code where we can find it as used by default, and some examples of websites using it.
Table 1. P values and source code, site relation (Click to enlarge)
From Table 1, the following details were observed:
- The DHE P 1024 bits values present in open source applications and used by internet sites.
- The use of weak DHE is affecting all sectors of the Internet, including government sites, commercial sites, and Internet device management sites.
- When sites are using SSL/TLS services from a provider, multiple unrelated sites will be using weak DHE configuration.
As mentioned earlier, passive eavesdropping is when an attacker tries to break into encrypted traffic without modifying it. In short, the attacker captures the traffic, stores it, and then decrypts it offline. This technique is useful only if the communication is using DHE 1024-bit (or weaker) in SSL/TLS by default. We found that only 17.9% of HTTPS connections to sites that are part of the Alexa Top 1M sites can be passively eavesdropped. The percentage appears low, but if we consider the amount of possible configurations on SSL/TLS communications supported by browsers and servers, this is still rather significant.
If an attacker wants to compromise more connections, then the attacks must not just capture the connections passively, but actively modify these so that they become less secure. In effect, a man-in-the middle (MITM) attack needs to be carried out.
In MITM attacks, a malicious device is placed between the client and server. In our example where the client and server are using HTTPS, the attack can be implemented by downgrading the DHE to 1024 bits. Figure 3 is a simplified diagram of the communication flow of such an attack.
Figure 3. Downgrade to DHE 1024 bits
The published article mentions about downgrading to DHE 512 bits but the mechanism to downgrade to 1024 bits is the same because the vulnerability is a protocol flaw and not an implementation one. As that same article pointed out, the only workaround is to reject small P values in the DHE handshake.
This was the idea behind the latest fix on OpenSSL. According to its official blog, OpenSSL now only allows DH key sizes that are 768 bits or greater, with plans of making 1024 bits the minimum “soon after.” However, this only means that sites are still vulnerable to potential DHE 1024-bit downgrades and nation states’ grade cryptanalysis. With that, the number of vulnerable top Alexa sites increases to 24.7%.
After using our tool, we arrived at several conclusions, mainly:
- The current security state of Internet secure communications is in a critical state assuming that a nation state can implement a successful cryptanalysis on DHE using 1024 bit parameters on secure communications.
- Servers that are not using a prefixed (hard coded) P parameters but are re-using 1024 bits size P are still vulnerable.
- Migration to more secure cryptographic configurations is required if you TLS/SSL server or devices allows DHE 1024.
- Site and server owners should review and monitor their usage of cryptography using a rigorous process, as they assess unpatched systems.
What can system administrators do?
Administrators can follow the configuration steps below and if possible, switch to more secure cipher suites.
- Switch to elliptic curves (ECDHE) as soon as possible instead of DHE.
- If this cannot done, use at least 2048-bit Diffie-Hellman key exchange.
- If 1024-bit DHE needs to be used for compatibility reasons, stop using common/default primes and fixed generated P 1024 P values should be regenerated with less than a month’s frequency.