The TLS protocol is the current standard for secure communication over the Internet and until now had been considered highly secure. Logjam, a recently discovered vulnerability with consequences similar to those of FREAK (Factoring Attack on RSA-EXPORT Keys), affects 8.4% of the top one million web domains. Like FREAK, Logjam downgrades encrypted connections to weak 512-bit encryption by way of the "export-grade" option. Once downgraded, the encryption key can be factored in less than twelve hours using Amazon EC2, at a cost to the attacker of only about $100. This vulnerability impacts SMTP, StartTLS, secure POP3, IMAP, and of course SSL and TLS.
RSA-EXPORT was purposefully included in SSL and TLS to introduce a cryptographic weakness into the protocols. It was included in an effort to comply with U.S. cryptography export regulations from the 1990s. These regulations required developers who wanted their software to be used abroad to limit the cryptographic strength of "secure" communications so that the FBI, NSA and other U.S. agencies could more easily break foreign entities' encrypted traffic. At the time, only organizations with a lot of computing power could hope to crack even 512-bit encryption, but by the early 2010s cloud-based services could more than handle it.
RSA-EXPORT was originally intended to exist only in software that was being exported, but software companies grew tired of maintaining two versions of the same applications. Instead, they shipped a single version that included RSA-EXPORT, disabled by default and enabled when the software was exported.
The FREAK attack was announced in March 2015 and was quickly patched in all the popular web browsers. These patches did not remove the RSA-EXPORT functionality, however; they merely prevented the FREAK attack from reaching it.
How is Logjam different?
Logjam differs from FREAK in that it does not take the same direct approach. Instead, it attempts to force RSA-EXPORT by targeting the Diffie-Hellman key exchange, or "handshake." The handshake is the initial communication between client and server in which protocol negotiation is performed. In other words, Logjam attacks before the client and server have even agreed on which protocol to use. Diffie-Hellman is not inherently weak, but it was weakened by the use of RSA-EXPORT. Once the connection has been downgraded to 512-bit encryption, the attacker needs only the number field sieve algorithm to crack the key. At that point, the attacker can use the cracked key to monitor traffic in real time through a Man-in-the-Middle attack.
What can be done?
The threat level for this attack is high in the sense that, if the attack succeeds, an attacker can read any transmitted data. For most entities, however, the actual level of risk is low for the following reasons:
- Man-in-the-Middle (MITM) attacks are still difficult.
- The value of the data would need to exceed the cost, time, effort, and risk involved.
- Both the server and client would have to support RSA-EXPORT.
Ultimately, as is the case for most encryption vulnerabilities or threats, a high level of risk only exists for high-profile targets such as government agencies, educational institutions, and large corporations.
In order to limit the likelihood of a successful attack, the following mitigations should be implemented:
- Ensure all software that implements SSL/TLS is updated regularly.
- If you are a server administrator, ensure that support for DHE_EXPORT ciphersuites is disabled.
- Further instruction for securely deploying Diffie-Hellman in TLS is available here.
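To make the DHE_EXPORT check concrete, here is an added example (not code from the original post) that inspects the cipher suite a server negotiated and the ServerDHParams carried in its ServerKeyExchange message, flagging export-grade DH suites and groups smaller than 2048 bits. The suite codes are the IANA TLS registry values; the sample handshake is constructed for the demonstration and the 2048-bit threshold is an assumed policy, not something the post specifies.

```python
import struct

# Export-grade DH cipher suite codes from the IANA TLS registry.
# These are the DH(E)_EXPORT suites a Logjam downgrade steers a connection toward.
EXPORT_DH_SUITES = {
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_SAFE_DH_BITS = 2048  # assumed policy: anything smaller is reported as weak

def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialise ServerDHParams: dh_p, dh_g, dh_Ys, each as <2-byte length><big-endian value>."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def parse_dh_params(body: bytes) -> dict:
    """Parse ServerDHParams from a ServerKeyExchange body; report the prime's bit length, g and Ys."""
    fields, off = [], 0
    for _ in range(3):
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        fields.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    p, g, ys = fields
    return {"p_bits": p.bit_length(), "g": g, "ys": ys}

def assess_handshake(suite: int, ske_body: bytes) -> list:
    """Return the findings a defender would log for one DHE handshake (empty list if clean)."""
    findings = []
    if suite in EXPORT_DH_SUITES:
        findings.append("export suite negotiated: " + EXPORT_DH_SUITES[suite])
    params = parse_dh_params(ske_body)
    if params["p_bits"] < MIN_SAFE_DH_BITS:
        findings.append("weak DH group: %d-bit prime" % params["p_bits"])
    return findings

# Constructed sample: a downgraded handshake using a 512-bit modulus (a stand-in, not a real group).
SAMPLE_P = (1 << 511) | 0x123457
SAMPLE_SKE = encode_dh_params(SAMPLE_P, 2, pow(2, 123456789, SAMPLE_P))

if __name__ == "__main__":
    for finding in assess_handshake(0x0014, SAMPLE_SKE):
        print("ALERT:", finding)
```

A server that is correctly configured per the mitigations above never selects one of these suites, so either finding on a production handshake points at a configuration that still needs the DHE_EXPORT suites removed.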