Search the Community

The recently discovered Logjam encryption flaw proves that governments need to aid, not hinder, businesses' efforts to encrypt data, according to experts in the white hat community. Logjam is an encryption flaw that was uncovered on Wednesday by researchers at Inria Nancy-Grand Est, Inria Paris-Rocquencourt, Microsoft Research and the Johns Hopkins, Michigan and Pennsylvania universities. Its discovery sent ripples through the security community as in theory it leaves tens of thousands of web and mail servers open to man-in-the-middle attacks. CipherCloud chief trust officer Bob West said that Logjam should act as a cautionary tale to legislators considering weakening companies' ability to encrypt data. "Logjam is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption," he said. "Diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions." Venafi vice president of security strategy Kevin Bocek agreed, arguing that Logjam proves that weakening encryption will aid cyber criminals. "With more sites using SSL/TLS keys and certificates, the target is getting bigger for the bad guys," he said. "The [bad guys'] interest in intercepting encrypted traffic, spoofing trusted sites, or hiding in encryption is only growing, and many out there predict that a crypto-apocalypse is on the horizon." Logjam's discovery follows widespread concerns about the UK government's intentions concerning encryption. The government indicated plans to force firms to make encrypted data accessible to law enforcement in its election manifesto. At a technical level, Logjam is a flaw in the Diffie-Hellman key exchange cryptographic algorithm used while creating encrypted HTTPS, SSH, IPsec, SMTPS and TLS connections. "We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed," read the researchers' threat advisory. "The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection." The researchers added that the vulnerability is similar to the Freak and Poodle flaws and "affects any server that supports DHE_EXPORT ciphers and all modern web browsers". The advisory said that Logjam renders 8.4 percent of the top one million web domains open to exploitation, but warned that the flaw's reach is significantly higher. Freak is a cross-platform flaw in SSL/TLS protocols that could be exploited to intercept and decrypt HTTPS connections between vulnerable clients and servers. It was uncovered in March. Poodle is a flaw in SSL version 3.0 which could leave users' web data open to attack. It was uncovered by researchers at Google in October 2014. The researchers said that the flaw could be used to intercept data passing between VPN servers, and is consistent with the NSA-led attacks described in leaked PRISM documents. "We carried out this computation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80 percent of TLS servers supporting DHE_EXPORT," read the paper. "We further estimate that an academic team can break a 768-bit prime, and that a nation-state can break a 1,024-bit prime. Breaking the most common 1,024-bit prime used by web servers would allow passive eavesdropping on connections to 18 percent of the top one million HTTPS domains. "A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break," the researchers said. News that the NSA's specialist Office of Target Pursuit maintains a team of engineers dedicated to cracking the encrypted traffic of VPNs broke in December 2014. However, despite the seriousness of the Logjam flaw, experts have pointed out Logjam is more significant as a cautionary tale than game changing vulnerability. Rapid7 engineering manager Tod Beardsley explained that the high degree of sophistication required to mount a Logjam attack makes it unlikely that it will be widely targeted. "The only two groups really in a position to take advantage of this vulnerability are criminals on coffee shop WiFi networks, and state actors who already control a huge chunk of the local internet," he said. LogRhythm vice president Ross Brewer agreed, pointing out that patches for the flaw are already being rolled out. "The fact that Logjam can only be exploited when hackers and targets are on the same network, as well as patches being imminent, means that hype around it is likely to be a bit of a storm in a teacup," he said. "Organisations should, however, use flaws like this as an excuse to give themselves a security health check." The white hat community is one of many calling for an end to governments rethink their surveillance strategies. Over 140 big name companies sent a letter to US president Barack Obama on Tuesday urging him to cease the government's war on encryption. Source