Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

Kristen Dorey, Nicholas Chang-Fong, and Aleksander Essex

Abstract

Software implementations of discrete logarithm based cryptosystems over finite fields typically make the assumption that any domain parameters they are presented with are trustworthy, i.e., the parameters implement cyclic groups where the discrete logarithm problem is assumed to be hard. An informal and widespread justification for this seemingly exists that says validating parameters at run time is too computationally expensive relative to the perceived risk of a server sabotaging the privacy of its own connection. In this paper we explore this trust assumption and examine situations where it may not always be justified. We conducted an investigation of discrete logarithm domain parameters in use across the Internet and discovered evidence of a multitude of potentially backdoored moduli of unknown order in TLS and STARTTLS spanning numerous countries, organizations, and protocols. Although our disclosures resulted in a number of organizations taking down suspicious parameters, we argue the potential for TLS backdoors is systematic and will persist until either until better parameter hygiene is taken up by the community, or finite field based cryptography is eliminated altogether.

Available format(s)
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
discrete logarithm problemdiffie-hellmansmall subgroup attack
Contact author(s)
aessex @ uwo ca
History
Short URL
https://ia.cr/2016/999

CC BY

BibTeX

@misc{cryptoeprint:2016/999,
author = {Kristen Dorey and Nicholas Chang-Fong and Aleksander Essex},
title = {Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS},
howpublished = {Cryptology ePrint Archive, Paper 2016/999},
year = {2016},
note = {\url{https://eprint.iacr.org/2016/999}},
url = {https://eprint.iacr.org/2016/999}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.