[cabfpub] Extended logjam on 1024 bit primes

Phillip Hallam-Baker philliph at comodo.com
Thu Oct 15 13:34:35 UTC 2015


https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/ <https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/>

The blog post is speculating on how the NSA could use a massive computer to calculate the equivalent of rainbow tables for breaking the ephemeral DH keys used in about 2/3rds of VPNs.


There are a number of reasons we got to this point. One of them is that the TLS ephemeral key negotiation is broken. I would ask people here to pressure IETF to fix it.

The reason we have a problem is that as things stand in TLS, the long term RSA-2048 credentials are only used to calculate a master secret which is then used to authenticate the parameters for the ephemeral DH key negotiation. And only the result of the ephemeral key negotiation is used to derive the session keys. So if the ephemeral key negotiation is weak, the traffic can be read.

A much stronger approach would be to use the master secret and the ephemeral secret to derive session keys. Feeding both into a hash function ensures that an attacker has to break both the long term RSA2048 credentials and the short term DH1024 key to decrypt the traffic.


A good time to fix this will be when CFRG announces its new cryptographic algorithms for ECC.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151015/f02a88de/attachment-0002.html>


More information about the Public mailing list