Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Link: https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
Summary:

This paper looks at the popular Diffie-Hellman key exchange protocol and finds that it is less secure than most people assume it to be. To the researchers' credit, this lack of security is a TLS protocol flaw rather than a vulnerability, meaning that it sits at the core of the protocol and cannot easily be patched overnight. The study argues that modern security standards should be above the 1024-bit standard, which can reasonably be cracked by the National Security Agency and other nation states. The paper goes so far as to pull up leaked NSA diagrams detailing how the agency might have used a similar method to decrypt VPN traffic in a passive manner.


What I liked:

  1. The paper is really pertinent given the protocol's widespread use and the post-Snowden NSA disclosures

  2. The paper does a good job of explaining the process; I especially liked the visual diagram, which put a picture in my head

  3. The attack focuses on an inherent flaw in the protocol rather than something fixable with a quick patch, which makes the paper more impressive

  4. The level of collaboration among all the different authors. This is probably the most diverse group of researchers that I've seen while reading papers this year.

  5. I like how the paper specifically broke down what percentage of servers are vulnerable, i.e. 82% Apache, 10% SSL, etc.


What I didn't like:

  1. The paper focuses a lot on nation-state-level attacks; I don't think it's possible to really defend against a nation state

  2. It would have been interesting to compare servers by company and see whether Akamai, Cisco, or whatever company is more vulnerable and why, but the paper didn't really dig into this

  3. The paper never really conceptualized the scale of the attack in terms of user traffic, only saying something like 7% of the 1,000,000 top-trafficked websites instead of, say, 1.2 million users a day, which I think is a worse way to describe the scale of the problem

  4. I think it was useless going into the NSA documents; there are a lot of different ways they could have broken into the VPN networks

  5. I think a major flaw of this study is that it completely neglects Diffie-Hellman exchanges over elliptic curve groups, which are a lot more secure against these types of attacks

  6. I really would have liked the paper to go more into the optimization techniques to find a more efficient way to reduce the time it takes to do this attack -- I think that's where the academic value of this paper lies

Points for Discussion:

  1. What might be an alternative short-term fix in order to keep the current networking methods? Moving over to different cipher suites?

  2. When is the industry planning to update to the new standard of 2048 bits?

  3. Under the assumptions made in this paper -- for how long could the NSA have been passively listening in on VPN networks?

  4. What defines an academic team that is able to break 768-bit groups -- computing power? How is this different from the enthusiast hacker out there?

  5. How hard would it be to patch the 512-bit group vulnerability caused by the flaw in TLS?
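A concrete way to act on the group-size tiers the summary and the discussion points mention (512-bit export groups, 768-bit groups broken by an academic team, 1024-bit groups within nation-state reach, 2048 bits as the new standard) is to audit the DH parameters a server actually sends. The example below, added here and not taken from the paper, parses the ServerDHParams structure of a TLS DHE ServerKeyExchange message (RFC 5246: dh_p, dh_g, dh_Ys, each with a 2-byte length prefix) and reports which tier the group falls into; the sample message is constructed inline and its prime is a non-prime placeholder, not a real group.

```python
import struct

# Tiers taken from the review above (upper bound on p's bit length, verdict).
TIERS = [
    (512, "export-grade: the TLS downgrade case"),
    (768, "breakable by an academic team"),
    (1024, "breakable by a nation-state adversary"),
]


def _read_vector(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body.
    The signature fields that follow are left unparsed."""
    p, off = _read_vector(body, 0)
    g, off = _read_vector(body, off)
    ys, off = _read_vector(body, off)
    p_int, g_int, ys_int = (int.from_bytes(v, "big") for v in (p, g, ys))
    # Sanity checks: p must be odd, g and Ys must lie strictly inside (1, p).
    if p_int % 2 == 0 or not (1 < g_int < p_int) or not (1 < ys_int < p_int):
        raise ValueError("implausible DH parameters")
    # bit_length() ignores any leading zero byte some servers prepend to p.
    return {"p": p_int, "g": g_int, "ys": ys_int, "p_bits": p_int.bit_length()}


def classify_group(p_bits):
    """Map the prime's bit length onto the tiers discussed in the review."""
    for limit, verdict in TIERS:
        if p_bits <= limit:
            return verdict
    if p_bits < 2048:
        return "weaker than the 2048-bit standard"
    return "meets the 2048-bit standard"


def build_sample(p_int, g_int, ys_int):
    """Constructed ServerDHParams encoding for testing (not a real capture)."""
    out = b""
    for v in (p_int, g_int, ys_int):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out + b"\x00" * 4  # stand-in for the trailing signature fields


if __name__ == "__main__":
    info = parse_server_dh_params(build_sample((1 << 1023) | 1, 2, 12345))
    print(info["p_bits"], "bits:", classify_group(info["p_bits"]))
```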

New Ideas:

  1. Explore possible cases where this attack may have been implemented by nation states? Are there any symptoms this type of attack gives off?

  2. Study the rollout of past internet protocols and their subsequent adoption

  3. Make a better data visualization of how many users are vulnerable to this type of attack in order to get a better view of the issue

  4. How does this vulnerability affect specific industries? We could see which industries are more proactive about these types of attacks

  5. Explore the possible economic impacts in monetary terms in a cost-benefit analysis for a possible attacker. What type of data would they steal, and how much would it be worth to them if they sold it?