Imperfect forward secrecy: How diffie-hellman fails in practice

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 2015-October, Issue , 2015, Pages 5-17

  Adrian, David ^f   Bhargavan, Karthikeyan ^a   Durumeric, Zakir ^f   Gaudry, Pierrick ^b   Green, Matthew ^e   Halderman, J Alex ^f   Heninger, Nadia ^d   Springall, Drew ^f   Thomé, Emmanuel ^b   Valenta, Luke ^d   VanderSloot, Benjamin ^f   Wustrow, Eric ^f   Zanella Béguelin, Santiago ^c   Zimmermann, Paul ^b  

^a INRIA ROCQUENCOURT   (France)

^b CNRS   (France)

^c UNIVERSITÉ DE LORRAINE   (France)

^d MICROSOFT RESEARCH   (United States)

^e UNIVERSITY OF PENNSYLVANIA   (United States)

^f JOHNS HOPKINS UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTERNET; INTERNET PROTOCOLS; VIRTUAL PRIVATE NETWORKS;

DIFFIE HELLMAN; DIFFIE-HELLMAN KEY EXCHANGE; FORWARD SECRECY; INTERNET COMMUNITIES; LOG ALGORITHMS; MAN IN THE MIDDLE; NUMBER FIELD SIEVE; PRE-COMPUTATION;

HTTP;

EID: 84954137569     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2810103.2813707     Document Type: Conference Paper

References (71)

1. S. Bai, C. Bouvier, A. Filbois, P. Gaudry, L. Imbert, A. Kruppa, F. Morain, E. Thomé, and P. Zimmermann. cado-nfs, an implementation of the number field sieve algorithm, 2014. Release 2.1.1.
2. R. Barbulescu. Algorithmes de logarithmes discrets dans les corps finis. PhD thesis, Université de Lorraine, France, 2013.
3. R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé. A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In Eurocrypt, 2014.
4. E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. NIST Special Publication 800-57: Recommendation for Key Management, 2007.
5. D. J. Bernstein. How to find smooth parts of integers, 2004. http://cr.yp.to/factorization/smoothparts-20040510.pdf.
6. D. J. Bernstein and T. Lange. Batch NFS. In Selected Areas in Cryptography, 2014.
7. B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P.-Y. Strub, and J. K. Zinzindohoue. A messy state of the union: Taming the composite state machines of TLS. In IEEE Symposium on Security and Privacy, 2015.
8. C. Bouvier, P. Gaudry, L. Imbert, H. Jeljeli, and E. Thomé. New record for discrete logarithm in a prime finite field of 180 decimal digits, 2014. http://caramel.loria.fr/p180.txt.
9. R. Canetti and H. Krawczyk. Security analysis of IKE's signature-based key-exchange protocol. In Crypto, 2002.
10. A. Commeine and I. Semaev. An algorithm to solve the discrete logarithm problem with the number field sieve. In PKC, 2006.
11. D. Coppersmith. Solving linear equations over GF(2) via block Wiedemann algorithm. Math. Comp., 62(205), 1994.
12. R. Crandall and C. B. Pomerance. Prime Numbers: A Computational Perspective. Springer, 2001.
13. B. den Boer. Diffie-Hellman is as strong as discrete log for certain primes. In Crypto, 1988.
14. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, 22(6):644-654, 1976.
15. Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In Usenix Security, 2013.
16. M. Friedl, N. Provos, and W. Simpson. Diffie-Hellman group exchange for the secure shell (SSH) transport layer protocol. RFC 4419, Mar. 2006.
17. W. Geiselmann, H. Kopfer, R. Steinwandt, and E. Tromer. Improved routing-based linear algebra for the number field sieve. In Information Technology: Coding and Computing, 2005.
18. W. Geiselmann and R. Steinwandt. Non-wafer-scale sieving hardware for the NFS: Another attempt to cope with 1024-bit. In Eurocrypt, 2007.
19. D. Gillmor. Negotiated finite field Diffie-Hellman ephemeral parameters for TLS. IETF Internet Draft, May 2015.
20. D. M. Gordon. Designing and detecting trapdoors for discrete log cryptosystems. In Crypto, 1992.
21. D. M. Gordon. Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math., 6(1), 1993.
22. D. Harkins and D. Carrel. The Internet key exchange (IKE). RFC 2409, Nov. 1998.
23. T. Jager, K. G. Paterson, and J. Somorovsky. One bad apple: Backwards compatibility attacks on state-of-the-art cryptography. In NDSS, 2013.
24. A. Joux and R. Lercier. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comp., 72(242):953-967, 2003.
25. C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen. Internet key exchange protocol version 2 (IKEv2). RFC 7296, Oct. 2014.
26. S. Kent. IP authentication header. RFC 4302, Dec. 2005.
27. S. Kent. IP encapsulating security payload (ESP). RFC 4303, Dec. 2005.
28. T. Kleinjung. Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024 bit integers, 2006. http://www.hyperelliptic.org/tanja/ SHARCS/talks06/thorsten.pdf.
29. T. Kleinjung, K. Aoki, J. Franke, A. K. Lenstra, E. Thomé, J. W. Bos, P. Gaudry, A. Kruppa, P. L. Montgomery, D. A. Osvik, H. te Riele, A. Timofeev, and P. Zimmermann. Factorization of a 768-bit RSA modulus. In Crypto, 2010.
30. A. Langley, N. Modadugu, and B. Moeller. Transport layer security (TLS) false start. IETF Internet Draft, 2010.
31. A. K. Lenstra and H. W. Lenstra, Jr., editors. The Development of the Number Field Sieve. Springer, 1993.
32. M. Lipacis. Semiconductors: Moore stress = structural industry shift. Technical report, Jefferies, 2012.
33. U. M. Maurer. Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. In Crypto, 1994.
34. U. M. Maurer and S. Wolf. Diffie-Hellman oracles. In Crypto, 1996.
35. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In ACM CCS, pages 62-72, 2012.
36. C. Meadows. Analysis of the Internet key exchange protocol using the NRL protocol analyzer. In IEEE Symposium on Security and Privacy, 1999.
37. Microsoft Security Bulletin MS15-055. Vulnerability in Schannel could allow information disclosure, May 2015.
38. NIST. FIPS PUB 186-4: Digital signature standard, 2013.
39. Oak Ridge National Laboratory. Introducing Titan, 2012. https://www.olcf.ornl.gov/titan.
40. H. Orman. The Oakley key determination protocol. RFC 2412, Nov. 1998.
41. S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (corresp.). Trans. Inform. Theory, 24(1), 1978.
42. J. M. Pollard. A Monte Carlo method for factorization. BIT Numerical Mathematics, 15(3):331-334, 1975.
43. O. Schirokauer. Virtual logarithms. J. Algorithms, 57(2):140-147, 2005.
44. I. A. Semaev. Special prime numbers and discrete logs in finite prime fields. Math. Comp., 71(237):363-377, 2002.
45. D. Shanks. Class number, a theory of factorization, and genera. In Proc. Sympos. Pure Math., volume 20. 1971.
46. Spiegel Staff. Prying eyes: Inside the NSA's war on Internet security. Der Spiegel, Dec 2014. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html.
47. W. Stein et al. Sage Mathematics Software (Version 6.5). The Sage Development Team, 2015. http://www.sagemath.org.
48. stud: The scalable TLS unwrapping daemon, 2012. https://github.com/bumptech/stud/blob/19a7f19686bcdbd689c6fbea31f68a276e62d886/stud.c#L593.
49. E. Thomé. Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. J. Symbolic Comput., 33(5):757-775, 2002.
50. P. C. Van Oorschot and M. J. Wiener. Parallel collision search with application to hash functions and discrete logarithms. In ACM CCS, 1994.
51. P. C. Van Oorschot and M. J. Wiener. On Diffie-Hellman key agreement with short exponents. In Eurocrypt, 1996.
52. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In 2nd Usenix Workshop on Electronic Commerce, 1996.
53. J. Wagnon. SSL profiles part 5: SSL options, 2013. https://devcentral.f5.com/articles/ssl-profiles-part-5-ssl-options.
54. P. Zimmermann et al. GMP-ECM, 2012. https://gforge.inria.fr/projects/ecm.
55. APEX active/passive exfiltration. Media leak, Aug. 2009. http://www.spiegel.de/media/media-35671.pdf.
56. Fielded capability: End-to-end VPN SPIN 9 design review. Media leak. http://www.spiegel.de/media/media-35529.pdf.
57. FY 2013 congressional budget justification. Media leak. http://cryptome.org/2013/08/spy-budget-fy13.pdf.
58. GALLANTWAVE@scale. Media leak. http://www.spiegel.de/media/media-35514.pdf.
59. Innov8 experiment profile. Media leak. http://www.spiegel.de/media/media-35509.pdf.
60. Intro to the VPN exploitation process. Media leak, Sept. 2010. http://www.spiegel.de/media/media-35515.pdf.
61. LONGHAUL - WikiInfo. Media leak. http://www.spiegel.de/media/media-35533.pdf.
62. POISONNUT - WikiInfo. Media leak. http://www.spiegel.de/media/media-35519.pdf.
63. SIGINT strategy. Media leak. http://www.nytimes.com/interactive/2013/11/23/us/politics/23nsa-sigint-strategy-document.html.
64. SPIN 15 VPN story. Media leak. http://www.spiegel.de/media/media-35522.pdf.
65. TURMOIL/APEX/APEX high level description document. Media leak. http://www.spiegel.de/media/media-35513.pdf.
66. TURMOIL IPsec VPN sessionization. Media leak, Aug. 2009. http://www.spiegel.de/media/media-35528.pdf.
67. TURMOIL VPN processing. Media leak, Oct. 2009. http://www.spiegel.de/media/media-35526.pdf.
68. VALIANTSURF (VS): Capability levels. Media leak. http://www.spiegel.de/media/media-35517.pdf.
69. VALIANTSURF - WikiInfo. Media leak. http://www.spiegel.de/media/media-35527.pdf.
70. VPN SigDev basics. Media leak. http://www.spiegel.de/media/media-35520.pdf.
71. What your mother never told you about SIGDEV analysis. Media leak. http://www.spiegel.de/media/media-35551.pdf.