A recent discovery has sent shock waves through the security community: Logjam, an encryption flaw uncovered by researchers at institutes that include Inria Nancy – Grand Est, Microsoft Research, Inria Paris-Rocquencourt, and Johns Hopkins, Michigan, and Pennsylvania universities.
In theory, Logjam leaves hundreds of thousands of web and mail servers everywhere vulnerable to man-in-the-middle attacks, and it is believed to affect 8% of the world’s biggest and most-used websites.
Users regularly rely on encryption for everyday tasks
LogJam, what is it?
Logjam effectively exploits a vulnerability with encryption.
Encryption is used by computers to secure data that is then transferred and stored online, in essence, to keep away intruders and hackers from intercepting the data or any communication stream. This is done by using a mathematical code, which translates the data into a tremendously huge cluster of numbers that only the recipient and indeed the source can decode.
Certain attackers target the “keys” that are responsible for encoding and decoding encrypted data. These keys are long strings of numbers that cloak and protect the content of the data in transfer. Put simply, the longer the key, the more secure the code.
Logjam threatens these keys by changing long, strong keys into short, weaker ones, making them much easier for hackers to crack. The added punch comes from the fact that web browsers are unable to even tell that the keys are being tampered with.
Better encryption is needed, not weakened encryption
With governments mulling over pushing the agenda for weakening encryption capabilities, the Logjam bug shows such moves are ill-advised.
Bob West, the Chief Trust Officer at CipherCloud, a cloud security services company, noted the serious implications of such a move.
He commented that state heads, policy makers, leaders and lawmakers in democracies ought to take a look at the case of the Logjam bug when contemplating giving in to pressure from law enforcement groups and government authorities to weaken fundamental encryption capabilities.
Adding to the thought, he pointed out that bringing down the encryption parameters to appease one single group will inevitably create an endemic vulnerability that can then be taken advantage of and exploited by groups that include malicious operators. Fundamentally, he points to the privacy of people that is at stake; their human rights are bound to be violated as the casualties of intrusive backdoor operations if these are implemented in general encryption standards.
Kevin Bocek, the Vice President of security strategy at Venafi, a cyber security company, also argues against weakening encryption.
He noted that more sites are using SSL/TLS keys in their foundations, along with similar certificates across the board, resulting in a bigger, more easily noticeable target for hackers. They’re able to intercept encrypted traffic and spoof trusted websites by coming up with faux alternatives, and he notes that an impending crypto-apocalypse isn’t too far away.
From a purely technical standpoint, Logjam is a flaw in the Diffie-Hellman key exchange that’s used to set up encrypted HTTPS, SSH, IPsec, SMTPS and other TLS connections.
The researchers’ threat advisory describes how the Logjam attack lets a man-in-the-middle attacker downgrade vulnerable TLS connections to 512-bit export-grade cryptography. With the encryption lowered in this way, the attacker can read and/or edit any data that’s passed through the weakened connection, according to the report.
Matthew Green, a crypto researcher at Johns Hopkins, led a research team to explain how the NSA was able to attack VPN services. Green states that servers that support 512-bit “export-grade” Diffie-Hellman (DH) cryptography were forced to downgrade a connection to a weaker level. Therefore, the server and the client are fooled into thinking they’re using stronger keys such as 768-bit or 1024-bit.
Admins running web or mail servers are advised to disable export-grade cipher suites and generate a new, unique 2048-bit DH group.
Alternatively, VPN providers that already use 2048-bit keys or greater, such as IPVanish, VyprVPN and LiquidVPN, are primarily recommended as they aren’t affected by the vulnerability.
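A way to check a server for the two fixes advised above, written as an added example that is not from the original article or the researchers: it flags cipher-string tokens that enable export-grade suites and reads the size of the prime in a PEM DH parameters file. The function names, the sample cipher strings and the generated parameter files are assumptions constructed for illustration.

```python
import base64
import re

MIN_DH_BITS = 2048  # DH group size the article advises

def _tlv(tag, body):  # DER-encode one tag/length/value element
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def make_dh_pem(p, g=2):
    """Constructed sample input: PEM DH parameters of a given size (p is not a vetted prime)."""
    ints = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.encodebytes(_tlv(0x30, ints)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

def _der_len(buf, i):  # decode the DER length at buf[i] -> (length, index of content)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM block holding SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _der_len(der, 1)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("unexpected DER structure")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def export_tokens(cipher_string):
    """Tokens of an OpenSSL-style cipher string that explicitly enable export-grade suites."""
    toks = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    if any(t.upper() in ("!EXP", "!EXPORT") for t in toks):
        return []  # '!' removes the whole class permanently, wherever it appears
    return [t for t in toks if t[0] not in "!-+" and "EXP" in t.upper()]

def audit(cipher_string, dh_pem):
    """Findings for the two fixes: no export suites, DH group of at least 2048 bits."""
    findings = [f"export-grade suites enabled by {t}" for t in export_tokens(cipher_string)]
    bits = dh_prime_bits(dh_pem)
    if bits < MIN_DH_BITS:
        findings.append(f"DH group is {bits} bits, below {MIN_DH_BITS}")
    return findings
```

Call `audit()` with the server's configured cipher string and the contents of its DH parameters file. The check only sees explicit export tokens, so broad aliases on an old TLS library still need to be reviewed against the suites that library actually enables.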
Image courtesy of Stuart Miles at FreeDigitalPhotos.net