How the NSA can break trillions of encrypted Web and VPN connections

CHEF-KOCH · Oct 16, 2015

Researchers show how mass decryption is well within the NSA's $11 billion Budget.

Halderman and Heninger say their theory fits what's known about the NSA's mass decryption capabilities better than any competing explanation. Documents leaked by former NSA subcontractor Edward Snowden, for instance, showed the agency was able to monitor encrypted VPN connections, pass intercepted data to supercomputers, and then obtain the key required to decrypt the communications.

"The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto," the researchers wrote. "While the documents make it clear that NSA uses other attack techniques, like software and hardware 'implants,' to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale."

The blog post came as Halderman, Heninger, and a raft of other researchers formally presented their academic paper detailing their findings to the 22nd ACM Conference on Computer and Communications Security in Denver on Wednesday. The paper, titled "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice," received extensive media coverage in May when the paper was first released. Besides exposing the likely secret behind the NSA's mass interception of encrypted communications, the paper also revealed a closely related attack that left tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services open to less sophisticated eavesdroppers.

The attack, which was dubbed Logjam, was extremely serious because it required just two weeks to generate data needed to attack the two most commonly called prime numbers 512-bit Diffie-Hellman uses to negotiate ephemeral keys. It affected an estimated 8.4 percent of the top 1 million Web domains and 3.4 percent of HTTPS-supported websites overall. E-mail servers that support simple mail transfer protocol with StartTLS, secure POP3, and IMAP were estimated to be vulnerable in 14.8 percent, 8.9 percent, and 8.4 percent of the cases respectively. To exploit vulnerable connections, attackers used the number field sieve algorithm to precompute data. Once they had completed that task, they could perform man-in-the-middle attacks against vulnerable connections in real time.

The Logjam weakness was the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. The regimen was established by the Clinton administration so that the FBI and other agencies could break the encryption used by foreign entities. In the five months since the paper was released, most widely used browsers, VPNs, and server apps have removed support for 512-bit Diffie-Hellman, making Logjam much less of a threat. But a similar vulnerability can still be exploited by attackers with nation-state-sized budgets to passively decrypt the 1024-bit Diffie-Hellman key sizes that many implementations still use by default.
Click to expand...

Orig. Source:
* http://arstechnica.com/security/201...illions-of-encrypted-web-and-vpn-connections/

Research and to understand the article:
* https://www.lawfareblog.com/nsa-and-weak-dh
* https://weakdh.org/sysadmin.html
* http://en.wikipedia.org/wiki/Perfect_forward_secrecy
* https://en.wikipedia.org/wiki/Dual_EC_DRBG
* http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
* http://en.wikipedia.org/wiki/General_number_field_sieve
* http://arstechnica.com/security/201...ns-tens-of-thousands-of-web-and-mail-servers/
* http://www.sigsac.org/ccs/CCS2015/
* https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
* http://arstechnica.com/security/201...-into-groundbreaking-crypto-cracking-program/
* http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
* http://www.theatlantic.com/technolo...-nsa-tracks-peoples-physical-location/283745/

Papers:
* https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

Protection:
* Stay tuned I will write several guides on my gist how to avoid most of all fingerprints.

CHEF-KOCH · Oct 17, 2015

Seems I was already to slow on it, eff already gave some tips to protect against such attacks. Since this isn't a full protection I still think about it to write a small guide which will explain the following topics, DNS attacks, DOS, chiper attacks via side-channel and how to really use SSH keys to protect against DDOS and Login attacks.

Edit:
The user.js script I'm working with/on is to harden the Linux/Windows Firefox Version, and also hardens the root certificates. Instead of addons this is much better do the fact it works directly on the first start, which means that this is an benefit over all existent config, besides this aspect it also works for all FF versions and all OS right out-of-the-box by placing this file in your profile folder.

wmh · Nov 14, 2015

Hello CHEF-KOCH!

Should I put this user.js of yours along prefs.js, addons.json, logins.json, etc.?

I found these under /home/user/.mozilla/firefox/xxxxx.default

CHEF-KOCH said: ↑

Seems I was already to slow on it, eff already gave some tips to protect against such attacks. Since this isn't a full protection I still think about it to write a small guide which will explain the following topics, DNS attacks, DOS, chiper attacks via side-channel and how to really use SSH keys to protect against DDOS and Login attacks.

Edit:
The user.js script I'm working with/on is to harden the Linux/Windows Firefox Version, and also hardens the root certificates. Instead of addons this is much better do the fact it works directly on the first start, which means that this is an benefit over all existent config, besides this aspect it also works for all FF versions and all OS right out-of-the-box by placing this file in your profile folder.
Click to expand...

CHEF-KOCH · Nov 18, 2015

Hello, no need to full qoute me.

Yes, the user.js file is, as the name said an user own preferences file which belongs in your profile folder. The benefit of using it is that you can drop that file into your profile folder even before you started the browser the first time. So compared to the addons/plugins it hardens your preferences just from the beginning. Also another benefit is that it works OS independent (except FF on Android since this mostly use other preferences for W-Lan and so on).

I think it's a good start especially because the addons/extensions/plugins possible also leaking sensitive information, while such a small .js file doesn't sent anything back.

Please enjoy.

How the NSA can break trillions of encrypted Web and VPN connections

CHEF-KOCH MDL Expert

CHEF-KOCH MDL Expert

wmh MDL Member

CHEF-KOCH MDL Expert