Community hub
0 subscribers7 pages, 0 posts
Recent from talks
All channels
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Welcome to the community hub built to collect knowledge and have discussions related to Logjam (computer security).
Nothing was collected or created yet.
Logjam (computer security)
View on Wikipediafrom Wikipedia
Logjam is a security vulnerability in systems that use Diffie–Hellman key exchange with the same prime number. It was discovered by a team of computer scientists and publicly reported on May 20, 2015.[1] The discoverers were able to demonstrate their attack on 512-bit (US export-grade) DH systems. They estimated that a state-level attacker could do so for 1024-bit systems, then widely used, thereby allowing decryption of a significant fraction of Internet traffic. They recommended upgrading to at least 2048 bits for shared prime systems.[2][3][4]
Details
[edit]Diffie–Hellman key exchange depends for its security on the presumed difficulty of solving the discrete logarithm problem. The authors took advantage of the fact that the number field sieve algorithm, which is generally the most effective method for finding discrete logarithms, consists of four large computational steps, of which the first three depend only on the order of the group G, not on the specific number whose finite log is desired. If the results of the first three steps are precomputed and saved, they can be used to solve any discrete log problem for that prime group in relatively short time. This vulnerability was known as early as 1992.[5] It turns out that much Internet traffic only uses one of a handful of groups that are of order 1024 bits or less.
One approach enabled by this vulnerability that the authors demonstrated was using a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to use 512-bit DH export-grade cryptography, allowing them to read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others. The authors needed several thousand CPU cores for a week to precompute data for a single 512-bit prime. Once that was done, however, individual logarithms could be solved in about a minute using two 18-core Intel Xeon CPUs.[6] Its CVE ID is CVE-2015-4000.[7]
The authors also estimated the feasibility of the attack against 1024-bit Diffie–Hellman primes. By design, many Diffie–Hellman implementations use the same pre-generated prime for their field. This was considered secure, since the discrete logarithm problem is still considered hard for big enough primes even if the group is known and reused. The researchers calculated the cost of creating logjam precomputation for one 1024-bit prime at hundreds of millions of USD, and noted that this was well within range of the FY2012 $10.5 billion U.S. Consolidated Cryptologic Program (which includes NSA). Because of the reuse of primes, generating precomputation for just one prime would break two-thirds of VPNs and a quarter of all SSH servers globally. The researchers noted that this attack fits claims in leaked NSA papers that NSA is able to break much current cryptography. They recommend using primes of 2048 bits or more as a defense or switching to elliptic-curve Diffie–Hellman (ECDH).[1] Claims on the practical implications of the attack were however disputed by security researchers Eyal Ronen and Adi Shamir in their paper "Critical Review of Imperfect Forward Secrecy".[8]
Responses
[edit]- On May 12, 2015, Microsoft released a patch for Internet Explorer.[9]
- On June 16, 2015, the Tor Project provided a patch for Logjam to the Tor Browser.[10]
- On June 30, 2015, Apple released a patch for both OS X Yosemite and iOS 8 operating system.[11][12]
- On June 30, 2015, the Mozilla project released a fix for the Firefox browser.[13]
- On September 1, 2015, Google released a fix for the Chrome browser.[14]
- On December 6, 2017, IETF published RFC 8270 called "Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits".
See also
[edit]References
[edit]- ^ a b "The Logjam Attack". weakdh.org. 2015-05-20. Archived from the original on 2021-03-29. Retrieved 2015-05-20.
- ^ Dan Goodin (2015-05-20). "HTTPS-crippling attack threatens tens of thousands of Web and mail servers". Ars Technica. Archived from the original on 2017-05-19. Retrieved 2022-04-30.
- ^ Charlie Osborne (2015-05-20). "Logjam security flaw leaves top HTTPS websites, mail servers vulnerable". ZDNet. Archived from the original on 2015-05-23. Retrieved 2015-05-23.
- ^ Valentino-DeVries, Jennifer (2015-05-19). "New Computer Bug Exposes Broad Security Flaws". The Wall Street Journal. Archived from the original on 2022-02-24. Retrieved 2022-04-30.
- ^ Whitfield Diffie, Paul C. Van Oorschot, and Michael J. Wiener "Authentication and Authenticated Key Exchanges", in Designs, Codes and Cryptography, 2, 107–125 (1992), Section 5.2, available as Appendix B to Method and apparatus for enhancing software security and distributing software: "If q has been chosen correctly, extracting logarithms modulo q requires a precomputation proportional to though after that individual logarithms can be calculated fairly quickly."
- ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF). Archived (PDF) from the original on 2020-02-27. Retrieved 2015-05-23. Originally published in Proc. 22nd Conf. on Computers and Communications Security (CCS). Republished, CACM, Jan. 2019, pp. 106-114, with Technical Perspective, "Attaching Cryptographic Key Exchange with Precomputation", by Dan Boneh, p. 105.
- ^ "CVE-2015-4000". Common Vulnerabilities and Exposures List. The MITRE Corporation. 2015-05-15. Archived from the original on 2015-08-11. Retrieved 2015-06-16.
"The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the 'Logjam' issue." - ^ Ronen, Eyal; Shamir, Adi (October 2015). "Critical Review of Imperfect Forward Secrecy" (PDF). Archived (PDF) from the original on 2021-12-11. Retrieved 2022-04-30.
- ^ "Microsoft Security Bulletin MS15-055. Vulnerability in Schannel Could Allow Information Disclosure (3061518)". Microsoft Corporation. 2015-05-12. Archived from the original on 2015-07-03. Retrieved 2015-07-02.
This security update resolves a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed Logjam technique, [...] The security update addresses the vulnerability by increasing the minimum allowable DHE key length to 1024 bits.
- ^ Perry, Mike (2015-06-16). "Tor Browser 4.5.2 is released". The Tor Project. Archived from the original on 2015-06-20. Retrieved 2015-06-20.
- ^
"About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005". Apple Inc. 23 January 2017.
This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^
"About the security content of iOS 8.4". Apple Inc. 18 August 2020.
This issue, also known as Logjam, [...] was addressed by increasing the default minimum size allowed for DH ephemeral keys to 768 bits.
- ^ "Mozilla Foundation Security Advisory 2015-70 - NSS accepts export-length DHE keys with regular DHE cipher suites". Mozilla. Archived from the original on 2015-07-07. Retrieved 2015-07-04.
FIXED IN Firefox 39.0 [...] This attack [...] is known as the "Logjam Attack." This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes.
- ^ Zhi, Vivian (2015-09-01). "Stable Channel Updates". Chrome Releases. Archived from the original on 2015-10-16. Retrieved 2015-11-06.
External links
[edit]Logjam (computer security)
View on Grokipediafrom Grokipedia
Background
Diffie-Hellman Key Exchange Fundamentals
The Diffie–Hellman key exchange protocol enables two parties, typically denoted as Alice and Bob, to compute a shared secret value over a public channel without directly transmitting it, forming the basis for secure key agreement in cryptographic systems. Invented by Whitfield Diffie and Martin E. Hellman, the method was introduced in their seminal 1976 paper, which outlined public-key distribution systems resistant to eavesdropping. The protocol's core innovation lies in leveraging asymmetric computations to derive symmetric keys, relying on one-way mathematical functions rather than symmetric encryption for the initial exchange. Public parameters consist of a large prime modulus p and a generator g, where g is typically a primitive root modulo p to ensure the order of the subgroup generated by g is sufficiently large (ideally p-1). These parameters are agreed upon in advance or negotiated, with p selected to resist known attacks on the underlying group structure. Alice generates a private exponent a (a random integer, 1 < a < p-1), computes the public value A = g^a mod p, and transmits A to Bob. Similarly, Bob selects private b, computes B = g^b mod p, and sends B to Alice. Both then derive the shared secret K = g^{ab} mod p, verifiable as B^a mod p for Alice and A^b mod p for Bob, since exponentiation is commutative in modular arithmetic.[4][5] Security stems from the computational intractability of the discrete logarithm problem (DLP) in the finite field: given p, g, and Y = g^x mod p, recovering x requires exponential time with current algorithms for large p (e.g., 2048 bits or more). The protocol's strength further assumes the hardness of the computational Diffie-Hellman problem: deriving g^{ab} mod p directly from g, g^a mod p, and g^b mod p without solving the DLP. No efficient classical algorithm solves these problems for properly chosen parameters, though quantum methods like Shor's algorithm pose threats, motivating post-quantum alternatives.[5][5] In implementations, ephemeral Diffie-Hellman (DHE) variants use per-session private keys for perfect forward secrecy, ensuring compromised long-term keys do not expose past sessions. Fixed parameters, like standardized moduli in protocols such as TLS, must be vetted for smoothness or subgroup weaknesses to prevent attacks like those exploiting small subgroups or precomputed logs.[4][5]Origins of Export-Grade Cryptography Restrictions
In the late Cold War era, the United States classified cryptographic technologies as munitions under the Arms Export Control Act (AECA) and International Traffic in Arms Regulations (ITAR), primarily to prevent proliferation to adversaries, with commercial export controls enforced by the State Department.[6] These restrictions intensified in the early 1990s amid the rise of public-key cryptography and internet software, as the Bush administration in 1991-1992 designated strong encryption exports as controlled items equivalent to military technology, shifting oversight partially to the Commerce Department's Bureau of Export Administration (now Bureau of Industry and Security).[6] This policy aimed to balance national security concerns—such as denying encryption tools to foreign intelligence or terrorist groups—with emerging commercial demands, leading to the requirement for "export-grade" variants of software like web browsers that incorporated weakened parameters to comply.[7] Specific limits emerged through proposed regulations in 1992, capping symmetric encryption at 40-bit keys for export (versus 56-bit domestic) and public-key systems, including Diffie-Hellman key exchange, at 512-bit moduli to render them crackable by U.S. intelligence capabilities within feasible computational bounds.[7] These thresholds were codified in Commerce Department rules finalized under the Clinton administration, mandating separate export-compliant ciphersuites in protocols like SSL (precursor to TLS), which embedded 512-bit Diffie-Hellman groups alongside stronger domestic ones.[7] The 512-bit limit for discrete logarithm-based schemes like Diffie-Hellman was explicitly tied to controlling computation of discrete logs in finite fields exceeding that size, reflecting assessments that such keys could be broken by supercomputers available to the NSA but not readily by others.[7] Pressure from the technology sector, citing billions in lost exports—such as Netscape's browser sales—prompted partial liberalization via President Clinton's 1996 executive order, which decontrolled certain non-military encryption and allowed limited 56-bit exports after review, though 512-bit public-key limits persisted until further easing in 1999-2000 under Wassenaar Arrangement influences.[6] [7] Despite relaxations, legacy export-grade implementations remained in protocols, as vendors retained compatibility for global markets, inadvertently creating long-term vulnerabilities exploitable decades later.[7] The policy's rationale, articulated in government statements, prioritized law enforcement access and intelligence advantages over unrestricted commerce, though critics argued it undermined U.S. competitiveness without enhancing security, given widespread foreign development of strong crypto.[6]Discovery
Research Timeline and Key Contributors
The Logjam vulnerability was publicly disclosed on May 20, 2015, by a multinational team of researchers who demonstrated a man-in-the-middle downgrade attack exploiting weak Diffie-Hellman (DH) parameters in TLS implementations.[1] This work built on prior analyses of export-grade cryptography weaknesses, such as the FREAK attack reported in March 2015, but introduced a novel protocol-level downgrade mechanism targeting DHE_EXPORT cipher suites to force 512-bit DH keys, which the team broke using precomputed discrete logarithm tables derived via the number field sieve.[8] The researchers scanned over 3.4 million HTTPS servers, finding that 8.4% of the top one million domains supported vulnerable export ciphers, enabling practical decryption of sessions.[9] Key contributors included David Adrian and J. Alex Halderman from the University of Michigan, who led scanning and attack demonstration efforts; Nadia Heninger from the University of Pennsylvania, focusing on discrete logarithm computations for weak primes; Karthikeyan Bhargavan and Santiago Zanella-Béguelin from Inria, analyzing TLS protocol flaws; Matthew Green from Johns Hopkins University, contributing to forward secrecy implications; and Pierrick Gaudry, Emmanuel Thomé, and Paul Zimmermann from CNRS and Inria Nancy-Grand Est, advancing number-theoretic attacks on DH groups up to 1024 bits.[8] Additional team members comprised Zakir Durumeric, Eric Wustrow, Drew Springall, and Benjamin VanderSloot from the University of Michigan; and Luke Valenta from the University of Pennsylvania, with support from Microsoft Research.[9] Their collaborative effort, spanning academic and research institutions, emphasized empirical measurement of real-world DH deployments alongside theoretical breaks, revealing that 7% of servers reused standardized weak primes vulnerable to nation-state computation.[1] The findings were formalized in the peer-reviewed paper "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice," presented at the 22nd ACM Conference on Computer and Communications Security (CCS) on October 13, 2015, in Denver, Colorado.[9] This timeline reflects coordinated responsible disclosure, with the team notifying affected vendors like browser developers and TLS libraries prior to public release, prompting rapid mitigations such as disabling export ciphers and enforcing minimum DH group sizes of 2048 bits.[3] No earlier internal research milestones were detailed publicly, but the work leveraged open-source tools for internet-wide scans and high-performance computing for log computations, underscoring interdisciplinary expertise in cryptography, systems security, and number theory.[8]Initial Announcement and Public Disclosure
The Logjam vulnerability was publicly disclosed on May 20, 2015, by an international team of researchers from institutions including Microsoft Research, Johns Hopkins University, Inria, CNRS, and the University of Michigan.[1] The announcement detailed a man-in-the-middle downgrade attack exploiting Diffie-Hellman key exchange weaknesses in TLS implementations, particularly those supporting export-grade 512-bit keys, allowing attackers to decrypt connections after computationally feasible precomputation.[1] Key contributors included David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann.[1] The researchers released their findings via the dedicated website weakdh.org, which included a comprehensive analysis, demonstration of the attack on real-world servers, and deployment guides for stronger Diffie-Hellman parameters.[1] This disclosure coincided with the publication of their peer-reviewed paper, "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice," which was presented at the ACM Conference on Computer and Communications Security (CCS) later that year.[1] The paper quantified the vulnerability's scope, estimating that 8.4% of the top one million HTTPS domains initially supported vulnerable export cipher suites, with broader risks from common 1024-bit primes potentially affecting 18% of such domains under state-level computational resources.[1] Disclosure was coordinated with major vendors and browser developers to facilitate rapid mitigations, including disabling export-grade ciphers and preferring stronger key sizes.[2] The announcement highlighted not only the immediate exploitability of weak keys but also systemic issues in TLS protocol design and historical export restrictions that perpetuated support for insecure cryptography in legacy systems.[1] No prior public warnings had been issued, though the research built on earlier analyses of Diffie-Hellman weaknesses, emphasizing proactive scanning and reconfiguration to prevent passive eavesdropping by nation-state actors.[10]Technical Mechanism
Downgrade Attack on TLS Handshake
In the TLS handshake, the client initiates negotiation by sending a ClientHello message containing a list of supported cipher suites, ordered by preference. Servers supporting ephemeral Diffie-Hellman (DHE) key exchange may offer both strong suites using large prime moduli (typically 2048 bits or more) and legacy export-grade DHE_EXPORT suites restricted to 512-bit moduli, a holdover from U.S. cryptography export controls in the 1990s that mandated weak parameters for international software shipments.[1][2] A man-in-the-middle (MitM) attacker exploiting Logjam intercepts the ClientHello and selectively removes all non-export cipher suites before forwarding it to the server. If the server prefers stronger suites but falls back to export-grade ones when unavailable—and retains support for them for backward compatibility—it selects a DHE_EXPORT suite in its ServerHello response. The attacker relays this modified response to the client, which proceeds if it supports the weak suite, completing the handshake with compromised parameters.[1][2][11] This downgrade evades TLS version checks or downgrade sentinels (like those in TLS 1.2's fallback signaling) because it targets cipher strength rather than protocol version, and export suites were not explicitly deprecated in early TLS standards. The resulting 512-bit DH group uses one of approximately 40 standardized weak primes, enabling attackers to precompute discrete logarithms offline using the number field sieve, thus deriving the premaster secret within minutes on consumer hardware for popular moduli.[1][12][2] The attack's feasibility hinged on widespread server support for export ciphers—scanning in May 2015 revealed over 8% of HTTPS servers vulnerable—and client acceptance of fallbacks, though modern clients increasingly reject export suites. It required active MitM positioning, such as via compromised networks or forged certificates, but succeeded against unpatched systems without alerting endpoints during negotiation.[1][11][13]Exploitation of Weak DH Parameters
Weak Diffie-Hellman (DH) parameters, typically consisting of a small prime modulus p (such as 512 bits) and a generator g, undermine the security of the DH key exchange by making the discrete logarithm problem (DLP) computationally tractable.[1] The DLP requires finding an exponent x such that gx ≡ y (mod p), where y is a public DH value; its hardness underpins DH's resistance to key recovery. For export-grade 512-bit p, mandated by U.S. restrictions in the 1990s, the general number field sieve (GNFS) algorithm achieves subexponential time complexity Lp[1/3, (64/9)1/3] ≈ exp(√(ln p ⋅ ln ln p)), rendering solutions feasible with dedicated resources.[1][2] Attackers exploit these parameters through precomputation tailored to fixed weak primes commonly embedded in software, such as the 512-bit primes in Apache mod_ssl (prime "mod_ssl") and Oracle JDK (prime "Sun").[12] Precomputing a DLP "oracle" for a specific p—involving sieving and linear algebra over a database of relations—costs significant upfront effort (e.g., thousands of core-years for full tables) but enables near-real-time log computations (milliseconds to seconds per query) on consumer hardware thereafter.[14] Researchers in 2015 demonstrated GNFS-based DLP solving for a 512-bit prime in 70 hours using a cluster of ~200 GPUs for sieving and CPUs for descent, highlighting that nation-state actors could amass such capabilities for widespread primes.[1] In a man-in-the-middle (MITM) scenario enabled by cipher suite downgrade, the attacker intercepts the server's ephemeral public key gs (mod p) from the signed ServerKeyExchange message, recovers s via the precomputed oracle, and awaits the client's gc (mod p). The premaster secret gs c (mod p)—used in TLS to derive session keys—is then computed as (gc)s (mod p), allowing decryption of application data without breaking the signing RSA key.[15][14] This per-connection DLP solve suffices for active impersonation, as the weak parameters' signature by a strong key permits relaying authentic ServerKeyExchange messages while covertly extracting secrets.[15] Precomputation's scalability amplifies impact, as a single oracle covers all connections using the targeted p, affecting servers from major vendors like Apache and Java runtimes.[12] Beyond export grades, Logjam extends to any sufficiently weak or reused parameters (e.g., 768-bit p or common non-export primes), where GNFS feasibility grows with smaller bit lengths—512-bit breaks in days, 768-bit in months on large clusters—emphasizing the need for unique, large (≥2048-bit) safe primes.[1] Fixed parameters exacerbate risks, as attackers prioritize prevalent ones; scans post-disclosure revealed millions of hosts vulnerable to such precomputation.[2]Breaking Export-Grade Keys
The core of breaking export-grade keys in the Logjam attack centers on solving the discrete logarithm problem (DLP) within the multiplicative group modulo a 512-bit prime , where the server transmits a public key and the attacker seeks the private exponent .[8] This computation yields the shared secret once the client's exponent is observed, enabling decryption or impersonation in a man-in-the-middle scenario.[8] The 512-bit modulus size renders the DLP feasible due to its vulnerability to advanced algorithms, unlike larger secure parameters exceeding 2048 bits.[1] The primary algorithm employed is the number field sieve for discrete logarithms (NFS-DL), an adaptation of the general number field sieve that exploits the subexponential complexity L_p[1/3, 1.923] \approx e^{\sqrt{{grok:render&&&type=render_inline_citation&&&citation_id=3&&&citation_type=wikipedia}}{(\ln p)^2 \ln \ln p}} for solving the DLP in prime fields.[8] NFS-DL proceeds in phases: polynomial selection to identify suitable ring homomorphisms, sieving to collect relations between smooth ideals in the rational and algebraic number fields, linear algebra over GF(2) to compute a kernel basis for the relation matrix, and finally individual logarithm descent using precomputed databases for small primes.[8] The initial phases (precomputation) depend solely on the fixed prime and generator , while the descent phase targets the specific public value .[8] A critical optimization exploits the reuse of standardized 512-bit primes across implementations, such as those in historical TLS libraries compliant with export restrictions.[1] Researchers precomputed NFS-DL databases for the two most common such primes, covering 92.3% of vulnerable servers observed in scans of the Alexa Top 1 Million HTTPS sites.[8] Each precomputation required approximately 89,000 core-hours, comprising 7,600 for polynomial selection, 21,400 for sieving, and 60,000 for linear algebra, executed over 7 days on 2,000 to 3,000 Intel Sandy Bridge cores.[8] Post-precomputation, solving an individual DLP instance averaged 70 seconds (ranging 34 to 206 seconds), rendering real-time attacks viable during TLS handshakes.[8] This feasibility underscores the inadequacy of 512-bit parameters against moderately resourced adversaries, as the one-time precomputation amortizes costs across numerous targets sharing the same prime.[8] Demonstrations confirmed breaks on actual TLS connections, with attackers able to forge responses before legitimate servers reply, exploiting the short DH parameter negotiation window in export cipher suites.[3] Such computations remain accessible via cloud resources; for instance, equivalent efforts have been estimated at under $100 and 12 hours on platforms like Amazon EC2 for non-precomputed instances, though precomputation dominates for widespread primes.[16]Scope and Impact
Affected Protocols and Systems
The Logjam attack specifically exploits vulnerabilities in the TLS protocol by enabling a man-in-the-middle downgrade to 512-bit export-grade Diffie-Hellman (DHE_EXPORT) cryptography, compromising the security of encrypted connections. This primarily affects HTTPS websites where servers advertise support for these weak ciphers, allowing attackers to intercept and decrypt traffic after breaking the reduced key size. Internet-wide scans revealed that 8.4% of the top one million HTTPS domains were vulnerable to this downgrade, with an additional 17.9% at risk from discrete logarithm attacks on common 1024-bit Diffie-Hellman groups used in stronger configurations.[1] Other TLS-dependent services, including SMTP with StartTLS (14.8% of IPv4 servers vulnerable), POP3S (8.9%), and IMAPS (8.4%), face similar risks if they rely on weak or common Diffie-Hellman parameters.[1] Beyond TLS, the underlying flaws in widely reused Diffie-Hellman primes extend to protocols like SSH and IPsec VPNs employing IKEv1, where precomputed attacks on 1024-bit groups could enable key recovery. Scans indicated 25.7% of IPv4 SSH servers and 66.1% of IPv4 IPsec servers were susceptible to such state-level threats.[1] Any system supporting DHE_EXPORT ciphers in TLS, such as Apache or Nginx servers with default or legacy configurations, amplifies exposure, as these ciphers persist in some implementations despite deprecation.[12] Client-side vulnerabilities impacted major web browsers at the time of disclosure, including Google Chrome, Mozilla Firefox, Microsoft Internet Explorer (on Windows 8.1 and earlier), Opera, and Apple Safari, all of which negotiated export-grade Diffie-Hellman during vulnerable handshakes.[1] TLS libraries like OpenSSL were also affected if they permitted these weak parameters, necessitating updates to enforce minimum key sizes and disable export ciphers.[2]Computational Resources Required for Attacks
The Logjam attack exploits weak Diffie-Hellman (DH) parameters, primarily 512-bit export-grade primes, by computing discrete logarithms using the number field sieve (NFS) algorithm, which requires significant precomputation for a specific prime followed by faster individual logarithm solutions.[8] For the most common 512-bit prime used in vulnerable TLS servers, precomputation involves polynomial selection (3 hours, approximately 7,600 core-hours), sieving (15 hours, approximately 21,400 core-hours), and linear algebra (120 hours, approximately 60,000 core-hours), totaling about 7 days of wall-clock time on 2,000–3,000 Intel Sandy Bridge cores.[8] Once precomputed, solving an individual 512-bit discrete logarithm takes a median of 70 seconds (ranging from 34 to 206 seconds) on dual 18-core Intel Xeon E5-2699 CPUs with 128 GB RAM, enabling real-time decryption after a man-in-the-middle downgrade.[8] For larger but still vulnerable parameters, such as 768-bit primes found in some non-export DH implementations, precomputation demands around 36,500 core-years, with sieving accounting for about 8,000 core-years and linear algebra 28,500 core-years; individual solutions require roughly 2 core-days thereafter.[8] These costs render 768-bit breaks feasible for well-resourced academic teams but impractical for casual attackers without pre-shared computations.[1] Extending to 1024-bit primes, common in legacy systems, escalates to approximately 45 million core-years for precomputation (10 million for sieving, potentially achievable with 3 million ASICs costing around $8 million over one year, and 35 million for linear algebra requiring further massive ASIC investment), followed by 30 core-days per individual logarithm.[8] Such resources align with nation-state capabilities, particularly when targeting reused primes across multiple servers, amplifying the attack's efficiency.[1] These estimates, derived from 2015 implementations using tools like CADO-NFS, highlight how shared weak primes across protocols (e.g., TLS, VPNs, SSH) reduce per-target costs after initial investment, but optimizations in hardware and algorithms since then could lower barriers further for determined adversaries.[8] The NFS complexity, scaling subexponentially as where is the prime size, underscores why smaller parameters collapse rapidly while larger ones demand exponential resource growth.[8]Potential Real-World Consequences
A successful Logjam attack permits man-in-the-middle adversaries to downgrade TLS handshakes to 512-bit export-grade Diffie-Hellman cryptography, enabling decryption of session keys and subsequent interception of plaintext traffic, including sensitive data such as authentication tokens, personal identifiers, and financial transactions.[1] This compromises the confidentiality of HTTPS connections, allowing attackers to eavesdrop on unencrypted content post-decryption without altering the apparent security indicators in browsers.[2] Roughly 8.4% of the top one million HTTPS domains supported the vulnerable export ciphersuites, exposing millions of daily sessions to active downgrade attacks and potential data exfiltration by entities capable of real-time key recovery.[1] For passive attacks leveraging precomputed discrete logarithms on widely used 1024-bit primes, up to 17.9% of these domains could be retroactively decrypted from captured traffic, facilitating bulk surveillance of web activity, email exchanges, and API calls across affected servers.[1] In virtual private network (VPN) contexts, exploitation of common 1024-bit Diffie-Hellman groups in IKEv1 protocols could decrypt traffic from 66.1% of the IPv4 address space, disrupting secure remote access for enterprises and governments by revealing proprietary data, intellectual property, or classified communications.[1] Similarly, SSH servers using weak parameters risked exposure for 25.7% of IPv4 hosts, enabling unauthorized access to remote systems and command execution under the guise of legitimate sessions.[1] Nation-state actors, with access to resources sufficient to break 1024-bit groups—as demonstrated by academic computation of 768-bit primes scaled to state-level parallelism—could conduct undetected intelligence operations, mirroring tactics attributed to agencies in prior leaks involving Diffie-Hellman weaknesses.[1] While no public exploits confirmed widespread Logjam usage by 2015 disclosure, the vulnerability's feasibility amplified risks for cloud services (potentially 575 affected providers) and legacy systems, potentially leading to identity theft, ransomware precursors via stolen credentials, or strategic sabotage through modified traffic.[17][12]Mitigations and Responses
Disabling Vulnerable Ciphers
Disabling vulnerable cipher suites represents a foundational mitigation strategy against the Logjam attack, as it prevents the downgrade to export-grade Diffie-Hellman (DH) key exchange mechanisms that enable the vulnerability. Export cipher suites, restricted to 512-bit DH parameters under historical U.S. export controls from the 1990s, allow attackers to force connections into weakly parameterized exchanges during the TLS handshake.[3][12] By configuring servers and clients to exclude these suites—such asDHE_EXPORT variants like EXP-DHE-RSA-DES-CBC-SHA—systems eliminate the primary vector for Logjam exploitation, where precomputed attacks on common weak primes (e.g., those standardized in RFC 3526 or RFC 2409) could decrypt sessions with feasible computational effort estimated at around $75,000 on cloud resources as of 2015.[14][18]
Server administrators typically achieve this by modifying TLS configuration files to filter out export ciphers. For Apache HTTP Server, this involves setting the SSLCipherSuite directive to exclude export suites, such as HIGH:!EXPORT:!aNULL, ensuring only strong ciphers like AES-GCM with 2048-bit or larger DH groups remain enabled.[19] Similarly, OpenSSL configurations append !EXPORT to cipher strings, rejecting suites vulnerable to Logjam's number field sieve-based attacks on small primes.[3] In enterprise environments, tools like F5 BIG-IP or Cisco appliances implement iRules or cipher lists to block DHE_EXPORT negotiation, with post-2015 updates from vendors like Red Hat recommending immediate disabling of these in RHEL systems to comply with updated TLS best practices.[20][12] Client-side browsers, including Firefox and Chrome, responded by default-disabling export ciphers in versions released shortly after the May 20, 2015 disclosure, reducing exposure for end-users without manual intervention.[14]
Beyond export suites, disabling non-export DH ciphers with moduli under 2044 bits provides additional protection against related weak parameter attacks, though Logjam's core exploit targeted the export downgrade path.[21] Guidelines from cryptographic experts emphasize prioritizing elliptic curve variants (ECDHE) over finite-field DH where possible, as ECDHE resists Logjam due to the computational infeasibility of cracking secp256r1 or similar curves with current resources.[22] Verification tools like Qualys SSL Labs confirm mitigation by scanning for absent weak DH support, with full compliance requiring both server-side exclusion and client rejection to block man-in-the-middle downgrades comprehensively.[3] This approach, while narrowing the cipher suite repertoire, aligns with broader TLS hardening post-Logjam, balancing security against compatibility for legacy clients that comprised less than 1% of traffic by 2016.[23]
Strengthening DH Implementations
To mitigate vulnerabilities exposed by the Logjam attack, implementations of the Diffie-Hellman (DH) key exchange were strengthened by enforcing larger prime moduli, typically at least 2048 bits, which significantly increases the computational cost of discrete logarithm attacks via methods like the number field sieve.[1][24] This recommendation arose from analysis showing that 1024-bit groups, while previously considered adequate, could be precomputed and broken with resources feasible for nation-state actors, estimated at around $100 million in 2015 for number field sieve setup on 1024-bit primes.[8] Server-side enhancements included generating custom 2048-bit or larger DH parameter sets per server to avoid reuse of compromised common primes, such as those standardized in RFC 5114 or Oakley groups, which Logjam exploited through precomputation.[3][25] Alternatively, implementations adopted vetted standardized groups like those in RFC 7919 (for 3072-bit MODP groups) while ensuring they are safe primes (where the modulus and is also prime) to resist subgroup attacks like Pohlig-Hellman.[26] Libraries such as OpenSSL responded by raising the minimum acceptable DH parameter size for clients to 1024 bits initially, later aligning with 2048-bit minima in configurations to prevent downgrade acceptance.[12] Client-side protections were bolstered by rejecting DH groups below 2048 bits during TLS handshakes, with protocols updated to prioritize ephemeral DH (DHE) over static DH and favor elliptic curve variants (ECDHE) for equivalent security at lower computational overhead—ECDHE uses curves like NIST P-256, providing roughly 128 bits of security without the precomputation risks of finite-field DH.[1][2] These changes, implemented in TLS 1.2 and later via cipher suite preferences, reduced reliance on vulnerable DHE by promoting forward secrecy with ephemeral keys generated per session.[23] Overall, such hardening shifted DH from a default to a supplementary mechanism, emphasizing hybrid approaches with RSA or ECDH for key establishment.[27]Updates in Browsers and Servers
Major web browsers addressed the Logjam vulnerability by updating their TLS implementations to reject Diffie-Hellman (DH) key exchanges using primes shorter than 1024 bits and by disabling support for export-grade cipher suites, which employ 512-bit parameters.[14] These changes prevented clients from negotiating vulnerable ephemeral DH (DHE) handshakes. For instance, Mozilla Firefox version 39.0, released on June 30, 2015, incorporated fixes to mitigate Logjam by enforcing stricter DH parameter validation and cipher restrictions derived from core TLS improvements.[28] Similarly, Google Chrome began deploying mitigations, building on prior adjustments in version 42 (April 2015) that disabled TLS False Start for DHE suites to block downgrade attacks, with further updates ensuring rejection of weak DH groups across platforms including Android Browser.[14] Microsoft Internet Explorer on Windows 10 rejected primes under 1024 bits natively, while earlier versions received patches to align with this threshold.[14] Apple Safari followed suit with updates enforcing minimum DH strengths compatible with modern TLS libraries like Secure Transport. Server-side responses focused on configuration hardening rather than solely software patches, as Logjam exploited legacy defaults in TLS deployments. Administrators for Apache HTTP Server disabled DHE_EXPORT ciphers in SSLCipherSuite directives and generated custom 2048-bit or stronger DH parameters using OpenSSL'sdhparam tool, with Apache 2.4.8 (released July 2014) and later supporting explicit DH parameter loading via SSLOpenSSLConfCmd when paired with OpenSSL 1.0.2 or newer.[3] Nginx configurations similarly excluded export suites from ssl_ciphers lists and incorporated DH parameters via the ssl_dhparam directive, often reloading services post-update to apply changes without downtime.[3] OpenSSL-based servers, common in many deployments, required explicit cipher suite filtering to eliminate vulnerable options, as the library itself did not default to blocking them until guided by application-level configs. These updates, recommended immediately after the May 20, 2015 disclosure, emphasized preferring elliptic curve DH (ECDHE) for forward secrecy where possible, reducing reliance on finite-field DH entirely in some setups.[3] By mid-2015, major providers like Cloudflare and government sites (e.g., fbi.gov) had implemented these, disabling weak DHE entirely to ensure compatibility with patched clients.[14]