Logjam: How to Solve a Newly Discovered Vulnerability

17 Jul 2015 | Jindřich Zechmeister

Since the discovery and description of the Heartbleed vulnerability, new attacks on the SSL/TLS protocol and its cryptography have been appearing regularly. This article focuses on the most recently described vulnerability, Logjam, which is related to weak keys in the Diffie-Hellman key exchange (referred to below simply as DHE or DH).

The Diffie-Hellman Key-Exchange Protocol

The DH protocol is not used for asymmetric encryption or signing in the way RSA is; it is used to securely establish keys, that is, a shared secret, over an insecure channel. This is why it is called the Diffie-Hellman key exchange algorithm. It was invented as early as 1976 by Whitfield Diffie and Martin Hellman. Its security relies on the difficulty of solving the discrete logarithm problem.

Logjam Vulnerability Principle

In principle, Logjam is a so-called downgrade attack: it tries to weaken a connection's security to a level that can be broken. We encountered this principle in the FREAK vulnerability, which exploited server support for weak export cipher suites. Logjam is a similar legacy of the cryptography export restrictions of the 1990s. The scientific paper describing the Logjam vulnerability, together with the proof of concept, is called Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. As with FREAK, the problem is the 512-bit DH export cipher suites (DHE_EXPORT), to which an attacker can downgrade the connection and then, with the necessary computing equipment, break the encryption.

You might think that export cipher suites are no longer used by any properly secured server and that there is therefore no need to worry. However, the researchers warn that this vulnerability has one more aspect: the frequent reuse of the same prime numbers, and the possibility of eavesdropping on 1024-bit DH connections. The researchers have not been able to break 768-bit primes themselves, but they believe that the NSA, thanks to its equipment, can handle primes of up to 1024 bits (according to their simplified estimate).

They also claim that 18% of the websites in Alexa's "Top One Million" list use the same, most common 1024-bit prime for their DH operations. With sufficient computing power, the NSA could passively eavesdrop on these websites. They therefore recommend switching to longer 2048-bit keys and generating new, stronger DH parameters (a new DH group).

Vulnerability Testing

As with any other vulnerability, it is good to test your server to check whether it is vulnerable, or to verify that the fixes you have applied work.

You can test your server for the Logjam vulnerability on the website dedicated to Logjam; its Server test will show you whether your server is vulnerable (or no longer is).

The best-known test, SSL Labs, quickly updated its methodology; servers vulnerable to Logjam now receive a lower grade (B). The Google Chrome browser can apparently also detect the Logjam flaw correctly and warns its users about obsolete encryption.

Logjam Prevention on Server

The steps to secure a server are similar to those for the FREAK vulnerability.
  1. First, disable weak export cipher suites, if this has not already been done because of the FREAK vulnerability (instructions in the link).
  2. Use ECDHE (the Diffie-Hellman protocol over elliptic curves). Modern browsers prefer it to the older DH protocol.
  3. Generate a new, strong DH group. Many servers on the Internet use a pre-generated, shared group, which makes them ideal targets for potential eavesdropping. The administrator should therefore generate new, secure (2048-bit or longer) parameters for each server or website.

On a server with OpenSSL, one command is enough; it generates a unique 2048-bit DH group:

    openssl dhparam -out dhparams.pem 2048

Then activate the generated parameters on the server. For Apache, add the following to the configuration (/mods-available/ssl.conf) and reload:

    SSLOpenSSLConfCmd DHParameters "{path to dhparams.pem}"

The SSLOpenSSLConfCmd directive is supported in Apache 2.4.8 (and newer) when used with OpenSSL 1.0.2 (and newer).

For Nginx, put this into the configuration and restart the server:

    ssl_dhparam {path to dhparams.pem};

Instructions for other servers such as IIS, Lighttpd, Tomcat, Sendmail, Dovecot and OpenSSH are here.

After the fix, test your server again and make sure that it no longer offers weak DH cipher suites.
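Before deploying the freshly generated dhparams.pem, it is worth checking the file itself. The following script is an added example (not part of the original article or of OpenSSL): it parses the PEM file that openssl dhparam writes (a DER SEQUENCE of the prime p and the generator g) and applies the policy from the steps above, namely that p must be a safe prime of at least 2048 bits, which is what openssl dhparam produces by default. The SAMPLE_PEM constant is a constructed toy group (p=23, g=5) used only so the script runs offline.

```python
import base64
import random
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"  # constructed: p=23, g=5

def _der_tlv(data, pos, tag):
    """Decode one DER element at data[pos] and check its tag; return (payload, next position)."""
    assert data[pos] == tag, f"expected DER tag {tag:#x}"
    n, pos = data[pos + 1], pos + 2
    if n >= 0x80:                        # long form: low 7 bits give the length-of-length
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return data[pos:pos + n], pos + n

def parse_dhparams_pem(pem):
    """Return (p, g) from the PEM written by 'openssl dhparam -out dhparams.pem 2048'."""
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))
    seq, _ = _der_tlv(der, 0, 0x30)      # DH params are SEQUENCE { INTEGER p, INTEGER g }
    p_bytes, pos = _der_tlv(seq, 0, 0x02)
    g_bytes, _ = _der_tlv(seq, pos, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (error probability below 4**-rounds)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):           # keep squaring; for a prime x must reach n-1
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a witness of compositeness was found
    return True

def check_dh_group(p, g, min_bits=2048):
    """Policy from the article: a safe prime (p = 2q+1, q prime) of at least 2048 bits."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"prime is only {p.bit_length()} bits, need {min_bits}")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime: (p-1)/2 must be prime")
    return problems
```

On a real file, call check_dh_group(*parse_dhparams_pem(open("dhparams.pem").read())); an empty list means the group meets the policy.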

Conclusion

The new Logjam vulnerability will probably not be as serious as the year-old Heartbleed. If you want to offer your visitors maximum security, we recommend running the vulnerability test mentioned above and, if the result is positive, adjusting the server settings according to our instructions. The problem can then be solved within minutes.

Sources and more information:
  1. Diffie-Hellman key exchange on Wikipedia
  2. Website dedicated to the vulnerability - The Logjam Attack
  3. Diffie-Hellman protocol using elliptic curves on Wikipedia

Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com