Protocol flaws and new cryptanalysis in public key cryptography (CVE-2015-4000 aka LogJam)
The Ubuntu Security Team is aware of the recent paper that has raised issues about the safety of the Diffie-Hellman key negotiation protocol. The authors raise multiple points:
Many systems are still configured to allow use of "export-grade" ciphers, such as 512-bit Diffie-Hellman groups. A machine-in-the-middle attack could use a design flaw in the TLS protocol to downgrade connections to "export-grade" levels. This issue was assigned CVE-2015-4000.
- Researchers have demonstrated a successful attack against a 512-bit Diffie-Hellman shared parameter.
- Diffie-Hellman implementations often use standardized or commonly-used shared parameters. This use was considered safe until this paper, as the cost of breaking the cipher suite is expensive. However, this paper demonstrates a way to build a database of information for a given set of parameters that allows passive eavesdroppers to quickly and cheaply derive the negotiated keys for any specific connection. Amortizing the cost of computing the database across millions of potential targets makes this attack relatively affordable.
- It is suspected that researchers could perform these attacks against 768-bit shared parameters and that nation-state actors have the resources and abilities to perform these attacks against popularly-deployed 1024-bit shared parameters.
- Use of hard-coded parameters is so ubiquitous that a solution will necessarily be long-term.
Expected responses of upstream projects
A complete response to the issues raised here will require a gradual transition of protocols, services, and configurations:
The OpenSSL project has dropped support for export-grade cipher suites.
The NSS project has plans to drop support for export-grade cipher suites.
Other toolkits will probably also drop support for export-grade cipher suites.
The OpenSSL project has announced a plan to phase out support for 768 bit Diffie-Hellman parameters in future releases.
The NSS project has a plan to stop supporting 512 and 768 bit Diffie-Hellman parameters in future releases.
Other cryptographic toolkits will probably also phase out support for small parameters soon.
- Future versions of OpenJDK may allow Diffie-Hellman parameters larger than 1024 bits.
- Services and protocols that have hard-coded Diffie-Hellman parameters may be updated to either generate or negotiate parameters or allow specifying parameters at runtime.
Ubuntu's Response
The response to Logjam in Ubuntu is under review. This page will be updated as decisions are made. The following actions have already been taken:
Export-grade cipher suites have been disabled in OpenSSL for all supported Ubuntu releases. See USN-2624-1 for more information.
Added support for ECC keys and ECDH ciphers to Apache in 12.04 LTS. See USN-2625-1 for more information.
Mitigation
System administrators can react immediately:
- Disable support for export-strength cryptosystems in all services.
- Generating site-local Diffie-Hellman parameters. There is currently no need to generate these parameters afresh for every service in an organization; the most important part is to no longer use popular Diffie-Hellman parameters.
Instructions on these steps for popular services such as Apache, nginx, Lighttpd, Tomcat, Postfix, Sendmail, Dovecot, and HAProxy have been published on the official Logjam site. Note: Some of the instructions may rely on features added in newer versions of the software than packaged for Ubuntu; we may backport patches to enable using different Diffie-Hellman parameters.
Typical Ubuntu users will see most benefit from installing package updates as they are released. Updated browsers may cause some websites to be unavailable until affected websites start supporting stronger cipher suites.
More information
Logjam paper: https://weakdh.org/imperfect-forward-secrecy.pdf
Mitigations: https://weakdh.org/sysadmin.html
CVE-2015-4000 in the Ubuntu CVE Tracker: http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4000.html
OpenSSL response: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
NSS response: https://bugzil.la/1138554
strongSwan IKEv2 cipher suites: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
OpenSSH hardening: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Timeline
2015 May 20: Wide public disclosure via https://weakdh.org/ -- the first Ubuntu learned of the issue
2015 Jun 01: Ubuntu publishes OpenSSL updates (USN-2624-1) to disable export-grade cipher suites
2015 Jun 02: Apache update for Ubuntu 12.04 LTS (USN-2625-1) provided to add support for ECC keys and ECDH ciphers
2015 Jun 11: Ubuntu publishes OpenSSL updates (USN-2639-1) to require minimum 768 bit Diffie-Hellman parameters
2015 Jul 09: Ubuntu publishes NSS updates (USN-2672-1) to require minimum 768 bit Diffie-Hellman parameters
2015 Jul 30: Ubuntu publishes OpenJDK 7 updates (USN-2696-1) to require minimum 768 bit Diffie-Hellman parameters by default