Conference Proceedings
Measuring small subgroup attacks against Diffie-Hellman
L Valenta, D Adrian, A Sanso, S Cohney, J Fried, M Hastings, JA Halderman, N Heninger
24th Annual Network and Distributed System Security Symposium (NDSS 2017) | Internet Society | Published: 2017
Abstract
Several recent standards, including NIST SP 800-56A and RFC 5114, advocate the use of "DSA" parameters for Diffie-Hellman key exchange. While it is possible to use such parameters securely, additional validation checks are necessary to prevent well-known and potentially devastating attacks. In this paper, we observe that many Diffie-Hellman implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation choices, this can radically decrease security. We measure the prevalence of these parameter choices in the wild for HTTPS, POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using DSA and other non-"safe" primes.
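The "additional validation checks" the abstract refers to are the full public-key validation steps of NIST SP 800-56A: a received Diffie-Hellman value y must lie in [2, p-2] and must satisfy y^q = 1 (mod p), so that it actually belongs to the prime-order-q subgroup the parameters define. The example below is added here and is not code from the paper or its authors. It uses a constructed toy group (p = 43, q = 7, g = 41, where p-1 = 2·3·7 leaves extra subgroups of order 2 and 3) to contrast the range-only check that many implementations stop at with the full subgroup check; the function names and the toy parameters are assumptions for illustration.

```python
# Added example (not from the paper): full public-key validation for
# Diffie-Hellman over a "DSA-style" group, i.e. a prime p with a
# prime-order subgroup of order q (q divides p-1) generated by g.
# The check follows NIST SP 800-56A full public-key validation:
#   2 <= y <= p-2   and   pow(y, q, p) == 1

# Constructed toy parameters (chosen small so the arithmetic can be
# checked by hand; real groups use a 2048-bit p and a 256-bit q):
#   p = 43, p-1 = 42 = 2 * 3 * 7, so q = 7, and besides the intended
#   order-7 subgroup there are unwanted subgroups of order 2 and 3.
#   g = 41 has order 7 modulo 43 (41 == -2 mod 43, and (-2)^7 == 1).
TOY_P = 43
TOY_Q = 7
TOY_G = 41


def range_check_only(y: int, p: int) -> bool:
    """The partial check many implementations stop at: y in [2, p-2].

    This rejects 0, 1 and p-1 (the elements of order 1 and 2) but says
    nothing about whether y lies in the order-q subgroup.
    """
    return 2 <= y <= p - 2


def validate_public_key(y: int, p: int, q: int) -> bool:
    """Full validation: range check plus membership in the order-q subgroup."""
    if not range_check_only(y, p):
        return False
    # For a prime q, every element of the order-q subgroup (other than 1,
    # already excluded above) satisfies y^q == 1 mod p, and no element of
    # any other subgroup does.
    return pow(y, q, p) == 1


def derive_shared_secret(private_x: int, peer_y: int, p: int, q: int) -> int:
    """Combine our private exponent with the peer's value only after validation.

    Raising here is the mitigation: an unvalidated peer value from a small
    subgroup would otherwise be exponentiated with our private key.
    """
    if not validate_public_key(peer_y, p, q):
        raise ValueError("peer public key failed subgroup validation")
    return pow(peer_y, private_x, p)


def element_order(y: int, p: int) -> int:
    """Brute-force multiplicative order of y modulo p (toy-sized p only)."""
    acc = y % p
    for k in range(1, p):
        if acc == 1:
            return k
        acc = (acc * y) % p
    raise ValueError("y is not a unit modulo p")


def classify_candidates(p: int = TOY_P, q: int = TOY_Q) -> dict:
    """Run both checks over a few constructed candidate values.

    Returns {y: (passes_range_check, passes_full_check, order)} so the
    difference between the two checks is visible in the result.
    """
    candidates = {
        35: "genuine public key: g^3 mod p, order 7",
        36: "order-3 element: passes the range check, fails the full check",
        42: "p-1, order 2: rejected by the range check alone",
        5:  "generator of the whole group, order 42: not in the q-subgroup",
    }
    return {
        y: (range_check_only(y, p), validate_public_key(y, p, q), element_order(y, p))
        for y in candidates
    }


if __name__ == "__main__":
    for y, (rng, full, order) in classify_candidates().items():
        print(f"y={y:2d} order={order:2d} range_only={rng!s:5} full={full}")
```

Running the block prints the four candidates: only y = 35 passes the full check, while y = 36 (an element of the order-3 subgroup) passes the range-only check that a naive implementation would rely on. The `element_order` helper is for inspection on toy parameters only; for real-sized p the `pow(y, q, p)` test is the only affordable check, which is exactly why it is the one the standard specifies.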
Grants
Awarded by National Science Foundation
Funding Acknowledgements
We would like to thank the exceptional sysadmin Jose Antonio Insua Fernandez for his support. This material is based upon work supported by the U.S. National Science Foundation under Grants No. CNS-1345254, CNS-1408734, CNS-1409505, CNS-1505799, CNS-1513671, and CNS-1518888, an Alfred P. Sloan Foundation Research Fellowship, and a gift from Cisco.