To ensure agreement on the negotiation messages, and to prevent downgrade attacks, each party computes the TLS master secret from g^ab and calculates a Message Authentication Code (MAC) of its view of the handshake transcript. These MACs are exchanged in a pair of Finished messages and verified by the recipients.
To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits. In all other respects, DHE_EXPORT protocol messages are identical to DHE. The relevant export restrictions are no longer in effect, but many servers maintain support for backward compatibility.
To understand how HTTPS servers in the wild use Diffie-Hellman, we modified the ZMap [6] toolchain to offer DHE and DHE_EXPORT ciphersuites and scanned TCP/443 on both the full public IPv4 address space and the Alexa Top Million domains. The scans took place in March 2015. Of 539,000 HTTPS sites among Top Million domains, we found that 68.3% supported DHE and 8.4% supported DHE_EXPORT. Of 14.3 million IPv4 HTTPS servers with browser-trusted certificates, 23.9% supported DHE and 4.9% DHE_EXPORT.
While the TLS protocol allows servers to generate their own Diffie-Hellman parameters, just two 512-bit primes account for 92.3% of Alexa Top Million domains that support DHE_EXPORT (Table 1), and 92.5% of all servers with browser-trusted certificates that support DHE_EXPORT. The most popular 512-bit prime was hard-coded into many versions of Apache; the second most popular is the mod_ssl default for DHE_EXPORT.
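The measurement above classifies each server by the Diffie-Hellman parameters it sends. The following is an added example, not code from the paper or its scanning toolchain: it parses the ServerDHParams structure that a TLS 1.2 server places at the front of its ServerKeyExchange message (RFC 5246, section 7.4.3) and reports what an auditor would want to know from it, namely the prime's bit length (at most 512 bits means an export-grade group), whether the public value is a plausible group element, and whether the prime is one of a set of known widely shared primes. The sample moduli and the `known_primes` input are constructed for the example; Table 1 shows only the leading digits of the real primes, so none of them is embedded here.

```python
import struct

# ServerDHParams as laid out in a TLS 1.2 ServerKeyExchange (RFC 5246, 7.4.3):
#   opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
# Each field is a 2-byte big-endian length followed by the big-endian integer.


def _vec(n: int) -> bytes:
    """Encode a non-negative integer as a TLS opaque<1..2^16-1> vector."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(body)) + body


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build the ServerDHParams bytes for (p, g, Ys)."""
    return _vec(p) + _vec(g) + _vec(ys)


def parse_server_dh_params(data: bytes):
    """Parse the ServerDHParams prefix of a ServerKeyExchange body.

    Returns (p, g, Ys, bytes_consumed); the server's signature over the
    parameters follows at offset bytes_consumed.
    """
    off = 0
    fields = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(data):
            raise ValueError(f"truncated length field for {name}")
        (length,) = struct.unpack_from("!H", data, off)
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"bad length {length} for {name}")
        fields.append(int.from_bytes(data[off:off + length], "big"))
        off += length
    p, g, ys = fields
    return p, g, ys, off


def classify_dh_group(p: int, ys: int, known_primes=()) -> dict:
    """Audit verdict for a server's DH parameters.

    known_primes is an operator-supplied collection of full prime values
    (hypothetical input) that the server should not be sharing with large
    numbers of other servers, since shared groups let an attacker amortize
    discrete-log precomputation across all of them.
    """
    bits = p.bit_length()
    return {
        "bits": bits,
        # DHE_EXPORT groups are restricted to primes of at most 512 bits.
        "export_grade": bits <= 512,
        "shared_group": p in known_primes,
        # A public value outside (1, p-1) is not a valid group element.
        "public_value_in_range": 1 < ys < p - 1,
    }


def audit_blob(blob: bytes, known_primes=()) -> dict:
    """Parse a ServerDHParams blob and classify the group it carries."""
    p, g, ys, _ = parse_server_dh_params(blob)
    return classify_dh_group(p, ys, known_primes)


# Constructed sample values (not real server parameters): a 512-bit modulus,
# a 2048-bit modulus and g = 2. Neither modulus is claimed to be prime; they
# exercise the parser and the bit-length classification only.
SAMPLE_P_512 = (1 << 511) | 0x1234567
SAMPLE_P_2048 = (1 << 2047) | 0x89ABCDEF
SAMPLE_G = 2

if __name__ == "__main__":
    blob = encode_server_dh_params(SAMPLE_P_512, SAMPLE_G,
                                   pow(SAMPLE_G, 12345, SAMPLE_P_512))
    print(audit_blob(blob, known_primes={SAMPLE_P_512}))
```

Run over the ServerKeyExchange messages collected in a scan, the `export_grade` and `shared_group` flags together give the two facts the rest of this section builds on: whether a server still offers 512-bit groups, and whether the group it offers is one that many other servers share.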
3.2. Active downgrade to export-grade DHE
Given the widespread use of these primes, an attacker with the ability to compute discrete logarithms in 512-bit groups could efficiently break DHE_EXPORT handshakes for about 8% of Alexa Top Million HTTPS sites, but modern browsers never negotiate export-grade ciphersuites. To circumvent this, we show how an attacker can downgrade a regular DHE connection to use a DHE_EXPORT group, and thereby break both the confidentiality and integrity of application
The attack, which we call Logjam, is depicted in Figure 2 and relies on a flaw in the way TLS composes DHE and

Diffie-Hellman parameters. A prominent example is the Oakley groups [17], which give “safe” primes of length 768 (Oakley Group 1), 1024 (Oakley Group 2), and 1536 (Oakley Group 5). These groups were published in 1998 and have been used for many applications since, including IKE, SSH, Tor, and Off-the-Record Messaging (OTR).
When primes are of sufficient strength, there seems to be no disadvantage to reusing them. However, widespread reuse of Diffie-Hellman groups can convert attacks that are at the limits of an adversary’s capabilities into devastating breaks, since it allows the attacker to amortize the cost of discrete logarithm precomputation among vast numbers of
3. ATTACKING TLS
TLS supports Diffie-Hellman as one of several possible key exchange methods, and prior to public disclosure of our attack, about two-thirds of popular HTTPS sites supported it, most commonly using 1024-bit primes. However, a smaller number of servers also support legacy “export-grade” Diffie-Hellman using 512-bit primes that are well within reach of NFS-based cryptanalysis. Furthermore, for both normal and export-grade Diffie-Hellman, the vast majority of servers use a handful of common groups.
In this section, we exploit these facts to construct a novel attack against TLS, which we call the Logjam attack. First, we perform NFS precomputations for the two most popular 512-bit primes on the web, so that we can quickly compute the discrete logarithm for any key exchange message that uses one of them. Next, we show how a man-in-the-middle, so armed, can attack connections between popular browsers and any server that allows export-grade Diffie-Hellman, by using a TLS protocol flaw to downgrade the connection to export-strength and then recovering the session key. We find that this attack with our precomputations can compromise connections to about 8% of HTTPS servers among Alexa Top Million domains.
3.1. TLS and Diffie-Hellman
The TLS handshake begins with a negotiation to determine the cryptographic algorithms used for the session. The client sends a list of supported ciphersuites (and a random nonce cr) within the ClientHello message, where each ciphersuite specifies a key exchange algorithm and other primitives. The server selects a ciphersuite from the client’s list and signals its selection in a ServerHello message (containing a random nonce sr).
TLS specifies ciphersuites supporting multiple varieties of Diffie-Hellman. Textbook Diffie-Hellman with unrestricted strength is called “ephemeral” Diffie-Hellman, or DHE, and is identified by ciphersuites that begin with TLS_DHE_*.^c In DHE, the server is responsible for selecting the Diffie-Hellman parameters. It chooses a group (p, g), computes g^b, and sends a ServerKeyExchange message containing a signature over the tuple (cr, sr, p, g, g^b) using the long-term signing key from its certificate. The client verifies the signature and responds with a ClientKeyExchange message containing g^a.
^c New ciphersuites that use elliptic curve Diffie-Hellman (ECDHE) are gaining in popularity, but we focus exclusively on the traditional prime field variety.
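The handshake just described, together with the master-secret and Finished-message step from the start of this section, can be simulated end to end. The code below is an added example written for this page, not the paper's code or any TLS library: it derives the master secret from g^ab with the TLS 1.2 PRF (RFC 5246, section 5 and 8.1.2), computes the 12-byte Finished verify_data over each party's view of the transcript, and shows which bytes the ServerKeyExchange signature covers, namely (cr, sr, p, g, g^b) and not the negotiated ciphersuite. The group (a 127-bit Mersenne prime, far too small for real use) and the transcript layout are constructed for the simulation; the server's signature is represented only by the bytes it would cover, not by an actual signing operation. Note the assumption the Finished check depends on: it only detects a disagreement about the transcript when the attacker cannot compute the master secret, which is exactly the assumption that a 512-bit discrete-log computation removes.

```python
import hashlib
import hmac
import secrets
import struct

# Toy group, constructed for this simulation only: p = 2^127 - 1 (a Mersenne
# prime) and g = 2. Real DHE groups are 1024 bits or more.
TOY_P = (1 << 127) - 1
TOY_G = 2
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA, code point {0x00, 0x33} (RFC 5246, A.5).
DHE_SUITE = b"\x00\x33"


def prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label || seed)."""
    seed = label + seed
    a = seed                                                        # A(0)
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) || seed)
    return out[:length]


def dh_premaster(peer_public: int, own_secret: int, p: int) -> bytes:
    """Z = peer^own mod p, big-endian, leading zero bytes stripped (RFC 5246, 8.1.2)."""
    z = pow(peer_public, own_secret, p)
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def master_secret(premaster: bytes, cr: bytes, sr: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", cr || sr)[0..47]."""
    return prf_sha256(premaster, b"master secret", cr + sr, 48)


def finished_verify_data(master: bytes, role: str, transcript: bytes) -> bytes:
    """verify_data = PRF(master, finished_label, Hash(handshake_messages))[0..11]."""
    label = b"client finished" if role == "client" else b"server finished"
    return prf_sha256(master, label, hashlib.sha256(transcript).digest(), 12)


def _vec(n: int) -> bytes:
    """TLS opaque<1..2^16-1> encoding of a non-negative integer."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(body)) + body


def signed_server_params(cr: bytes, sr: bytes, p: int, g: int, gb: int) -> bytes:
    """Bytes covered by the ServerKeyExchange signature: (cr, sr, p, g, g^b).
    The negotiated ciphersuite is not among them."""
    return cr + sr + _vec(p) + _vec(g) + _vec(gb)


def run_handshake(client_view_tweak: bytes = b"", p: int = TOY_P, g: int = TOY_G):
    """Simulate DHE key agreement plus the server's check of the client Finished.

    client_view_tweak is appended to the client's transcript view only, to model
    the two parties disagreeing about what was negotiated.
    Returns (master_secrets_match, client_finished_accepted_by_server).
    """
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    b = secrets.randbelow(p - 2) + 1          # server exponent
    a = secrets.randbelow(p - 2) + 1          # client exponent
    gb, ga = pow(g, b, p), pow(g, a, p)
    ske = signed_server_params(cr, sr, p, g, gb)
    # Both sides derive the master secret from the shared value g^ab.
    ms_client = master_secret(dh_premaster(gb, a, p), cr, sr)
    ms_server = master_secret(dh_premaster(ga, b, p), cr, sr)
    # Each side MACs its own view of the handshake transcript (constructed layout).
    server_view = (b"ClientHello" + cr + DHE_SUITE + b"ServerHello" + sr + DHE_SUITE
                   + ske + _vec(ga))
    client_view = server_view + client_view_tweak
    client_finished = finished_verify_data(ms_client, "client", client_view)
    expected = finished_verify_data(ms_server, "client", server_view)
    return ms_client == ms_server, hmac.compare_digest(client_finished, expected)


if __name__ == "__main__":
    print(run_handshake())                  # consistent views: Finished accepted
    print(run_handshake(b"altered view"))   # views differ: Finished rejected
```

With matching views both parties derive the same 48-byte master secret and the server accepts the client's Finished; with any difference in the client's view the verify_data no longer matches and the handshake fails, which is the downgrade protection the Finished exchange is meant to provide.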
Table 1. Top 512-bit Diffie-Hellman primes for TLS.^d

Source    Popularity  Prime (first 32 hex digits)
Apache    82%         9fdb8b8a004544f0045f1737d0ba2e0b
mod_ssl   10%         d4bcd52406f69b35994b88de5db89682
(others)  8%          (463 distinct primes)

^d 8.4% of Alexa Top Million HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes, shown here.