How To Avoid A Log Jam: Diffie-Hellman and OpenSSL

The Diffie-Hellman (DH) method is perhaps one of the greatest inventions in Cybersecurity and was created by Whitfield Diffie and Marty…
ASecuritySite.com OpenSSL for the Diffie Hellman Method: [here]

How To Avoid A Log Jam: Diffie-Hellman and OpenSSL

The Diffie-Hellman (DH) method is perhaps one of the greatest inventions in Cybersecurity and was created by Whitfield Diffie and Marty Hellman. With the DH method, Bob creates a random value (b) and Alice also creates a random value (a). Next Bob computes B=g^b (mod p) and sends it to Alice. Alice computes A=g^a (mod p) and sends this to Bob. Bob raises the value of A to the power of b and takes (mod p), and Alice raises B to the power of a and takes (mod p). In the end, they will have the same shared value — g^{ab} (mod p). This can then be used to derive an encryption key that they can use for a secure tunnel (Figure 1). Overall, p is the large prime number, and also known as the shared modulus between Bob and Alice.

Figure 1

In the paper “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice” [here][1], the authors define a range of prime numbers which are used for TLS key exchange for Diffie-Hellman key exchange:

If these are used, then an adversary can compile a list of keys for a range of random values (a and b), and then match these. This vulnerability was given the name of Logjam.

Avoiding a Log Jam

In order to avoid Logjam, a system should be set up with a random prime number. This can be achieved with OpenSSL. For “openssl dhparam -text -2 512”, we get a 512-bit prime number, and using g=2 [here]:

$ openssl dhparam -text -2 512
    DH Parameters: (512 bit)
    P:   
        00:f8:aa:01:d2:7d:e4:e4:bc:2f:ef:a6:7b:c3:fd:
        06:aa:10:4f:a1:ca:0a:09:68:fd:80:49:d6:39:0a:
        99:1a:eb:48:48:a4:40:31:6a:0c:34:2e:4e:a0:cf:
        6a:ae:21:66:ba:aa:7a:4b:cd:18:42:76:15:7f:20:
        d5:14:43:cf:7f
    G:    2 (0x2)
-----BEGIN DH PARAMETERS-----
MEYCQQD4qgHSfeTkvC/vpnvD/QaqEE+hygoJaP2ASdY5Cpka60hIpEAxagw0Lk6g
z2quIWa6qnpLzRhCdhV/INUUQ89/AgEC
-----END DH PARAMETERS-----

For “openssl dhparam -text -2 1024”, we get a 1024-bit prime number, and using g=2 [here]:

$ openssl dhparam -text -2 512
DH Parameters: (1024 bit)
    P:   
        00:8b:9b:88:28:e9:71:95:36:6b:a3:6f:a5:71:21:
        b7:ca:bc:3c:1e:db:24:e4:d3:f4:b8:df:d3:97:25:
        e9:fa:9c:88:89:c8:d1:f3:6c:40:2c:1f:d5:66:8a:
        42:b4:2f:95:f8:33:43:43:a2:57:dd:9f:5a:b7:b5:
        f7:b4:b2:9c:ca:eb:61:4a:99:49:71:c5:71:0a:bb:
        ce:03:6e:02:9e:16:02:ae:5f:14:54:47:dc:78:a0:
        36:cf:b4:bb:83:4a:36:fc:18:b1:79:a3:a2:c1:c4:
        e5:ea:4d:4d:c2:75:13:cf:df:8f:c0:6c:58:96:ea:
        2f:a9:a6:11:6f:42:a5:92:97
    G:    2 (0x2)
-----BEGIN DH PARAMETERS-----
MIGHAoGBAIubiCjpcZU2a6NvpXEht8q8PB7bJOTT9Ljf05cl6fqciInI0fNsQCwf
1WaKQrQvlfgzQ0OiV92fWre197SynMrrYUqZSXHFcQq7zgNuAp4WAq5fFFRH3Hig
Ns+0u4NKNvwYsXmjosHE5epNTcJ1E8/fj8BsWJbqL6mmEW9CpZKXAgEC
-----END DH PARAMETERS-----

For “openssl dhparam -text -5 768”, we get a 768-bit prime number, and using g=5 [here]:

$ openssl dhparam -text -5 768
DH Parameters: (768 bit)
    P:   
        00:bf:aa:af:b7:00:05:ca:a0:2b:fd:df:db:44:ed:
        52:29:32:96:25:a5:0f:bd:ab:1a:4e:6b:fc:e1:15:
        71:2c:5b:d5:4a:42:48:f9:a0:1c:b1:77:2f:8e:de:
        4b:6a:14:f1:11:88:02:c3:86:10:92:f1:8b:1b:1a:
        5a:58:f3:ec:6e:a6:8f:5e:77:64:d2:ca:f0:34:a5:
        9b:55:f4:37:74:03:9e:89:64:c9:1a:ee:88:fc:27:
        65:2b:9f:d7:5c:48:a7
    G:    2 (0x2)
-----BEGIN DH PARAMETERS-----
MGYCYQC/qq+3AAXKoCv939tE7VIpMpYlpQ+9qxpOa/zhFXEsW9VKQkj5oByxdy+O
3ktqFPERiALDhhCS8YsbGlpY8+xupo9ed2TSyvA0pZtV9Dd0A56JZMka7oj8J2Ur
n9dcSKcCAQI=
-----END DH PARAMETERS-----

The main DH groups are:

  • Group 1. Generated with a 768-bit prime number.
  • Group 2. Generated with a 1,024-bit prime number.
  • Group 5. Generated with a 1,536-bit prime number.
  • Group 14. Generated with a 2,048-bit prime number.

Conclusions

It should be noted that DH is hardly ever used these days, and has been largely replaced by elliptic curve methods (ECDH). But, as long is it is supported for a TLS connection, an intruder could select the method, and possibly discover the keys used for secure connections. Overall, just disable the DH method for secure tunnels. But, if you support them, remember to generate a random prime number for your usage.

References

[1] Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., … & Zimmermann, P. (2015, October). Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 5–17).

ASecuritySite is provided free and without adverts. If you want to support its development and get full access to this blog, subscribe here:

Join Medium with my referral link - Prof Bill Buchanan OBE
Subscribe to support Asecuritysite.com Your membership fee directly supports Asecuritysite, and which has no…billatnapier.medium.com