112 COMMUNICATIONS OF THE ACM | JANUARY 2019 | VOL. 62 | NO. 1
traffic are sent to the Cryptanalysis and Exploitation Services (CES). [21, 23, 25] Within the CES enclave, a specialized “attack orchestrator” attempts to recover the ESP decryption key with assistance from high-performance computing resources as well as a database of known PSKs (“CORALREEF”). [21, 23, 25] If the recovery is successful, the decryption key is returned from CES and used to decrypt the buffered ESP traffic so that the encapsulated content can be processed. [21, 24]
Evidence for a discrete logarithm attack. The ability to decrypt VPN traffic does not necessarily indicate a defeat of Diffie-Hellman. There are, however, several features of the described exploitation process that support this hypothesis. The IKE protocol has been extensively analyzed [3, 15] and is not believed to be exploitable in standard configurations under passive eavesdropping attacks. Absent a vulnerability in the key derivation function or transport encryption, the attacker must recover the decryption keys. This requires the attacker to calculate SKEYID, generated from the Phase 1 Diffie-Hellman shared secret, after passively observing an IKE handshake. While IKE is designed to support a range of Diffie-Hellman groups, our Internet-wide scans (Section 4.3) show that the vast majority of IKE endpoints select one particular 1024-bit Diffie-Hellman group even when offered stronger groups. Conducting an expensive, but feasible, precomputation for this single 1024-bit group (Oakley Group 2) would allow the efficient recovery of a large number of Diffie-Hellman shared secrets used to derive SKEYID and the subsequent KEYMAT.
Given an efficient oracle for solving the discrete logarithm problem, attacks on IKE are possible provided that the attacker can obtain the following: (1) a complete two-sided IKE transcript, and (2) any PSK used for deriving SKEYID in IKEv1. The available documents describe both of these as explicit prerequisites for the VPN exploitation process outlined above and provide the reader with internal resources available to meet these prerequisites. [23]
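To make the two prerequisites concrete, here is the IKEv1 Phase 1 key schedule for pre-shared-key authentication as specified in RFC 2409, written as an added example (not code from the paper or from any of the documents it cites). It assumes SHA-1 as the negotiated hash and uses constructed transcript values; it shows that the nonces and cookies are already on the wire, so the PSK and the Diffie-Hellman shared secret g^xy are the only inputs a passive observer must recover to reach SKEYID_e and the ESP KEYMAT.

```python
import hashlib
import hmac

# Added example: IKEv1 Phase 1 key schedule for PSK authentication
# (RFC 2409 section 5). prf is HMAC keyed with its first argument; SHA-1 is
# assumed as the negotiated hash. Every value below is constructed.


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 as the IKEv1 prf (SHA-1 assumed as the negotiated hash)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """Derive SKEYID and its sub-keys SKEYID_d, SKEYID_a, SKEYID_e.

    ni, nr (nonce payloads) and cky_i, cky_r (ISAKMP cookies) travel in the
    clear in Phase 1, so a passive observer already holds them. Only psk and
    g_xy (the Diffie-Hellman shared secret) are absent from the transcript.
    """
    skeyid = prf(psk, ni + nr)                        # depends on PSK only
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def ikev1_keymat(skeyid_d, protocol_id, spi, ni2, nr2):
    """Quick Mode KEYMAT without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).

    Without PFS there is no second DH exchange, so one SKEYID_d recovery
    covers every child SA (and thus the ESP keys) derived from it.
    """
    return prf(skeyid_d, bytes([protocol_id]) + spi + ni2 + nr2)


# Constructed Phase 1 transcript values: what a passive observer sees.
OBSERVED = {
    "ni": bytes.fromhex("a1" * 16), "nr": bytes.fromhex("b2" * 16),
    "cky_i": bytes.fromhex("0011223344556677"),
    "cky_r": bytes.fromhex("8899aabbccddeeff"),
}
# Constructed secrets: what is not on the wire.
PSK = b"constructed-psk"
G_XY = bytes.fromhex("c3" * 128)   # constructed 1024-bit DH shared secret

if __name__ == "__main__":
    keys = ikev1_psk_keys(PSK, g_xy=G_XY, **OBSERVED)
    print({k: v.hex() for k, v in keys.items()})
```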
Of course, this explanation is not dispositive and the possibility remains that NSA could defeat VPN encryption using alternative means. A published NSA document refers to the use of a router “implant” to allow decryption of IPsec traffic, indicating the use of targeted malware is possible. However, this implant “allows passive exploitation with just ESP” [23] without the prerequisite of collecting the IKE handshake messages. This indicates it is an alternative mechanism to the attack described above.
The most compelling argument for a pure cryptographic attack is the generality of NSA’s VPN exploitation process. This process appears to be applicable across a broad swath of VPNs without regard to the endpoints’ identity or the ability to compromise individual endpoints.
4.3. Effects of a 1024-bit break
In this section, we use Internet-wide scanning to assess the impact of a hypothetical DH-1024 break on IKE, SSH, and HTTPS. Our measurements, performed in early 2015, indicate that these protocols would be subject to widespread compromise by a nation-state attacker who had the resources to invest in precomputation for a small number of 1024-bit groups.
IKE. We measured how IPsec VPNs use Diffie-Hellman in practice by scanning a 1% random sample of the public IPv4 address space for IKEv1 and IKEv2 (the protocols used to initiate an IPsec VPN connection) in May 2015. We used the ZMap UDP probe module to measure support for Oakley Groups 1 and 2 (two popular 768- and 1024-bit, built-in groups) and which group servers prefer. Of the 80K hosts that responded with a valid IKE packet, 44.2% were willing to negotiate a connection using one of the two groups. We found that 31.8% of IKEv1 and 19.7% of IKEv2 servers supported Oakley Group 1 (768-bit) while 86.1% and 91.0% respectively supported Oakley Group 2 (1024-bit). In our sample of IKEv1 servers, 2.6% of profiled servers preferred
[Figure 3: block diagram marked TOP SECRET//COMINT//REL TO USA, FVEY. Legend: T = Transport, C = Content, F = Format. Link labels: “T: Socket Connection, C: Encrypted and Decrypted”; “T: Socket Connection, C: Selector Hit Query/Response”; “T: Secure Socket (SSL), C: PIQ Blade Management”; “C: IKE Messages”; “C: ESP Key Req/Res”. Protocol labels: Internet Key Exchange (IKE) / Internet Security Association Key Management Protocol (ISAKMP); Authentication Header (AH) / Encapsulating Security Payload (ESP).]
Figure 3. NSA’s VPN decryption infrastructure. This classified illustration published by Der Spiegel [25] shows captured IKE handshake messages being passed to a high-performance computing system, which returns the symmetric keys for ESP session traffic. The details of this attack are consistent with an efficient break for 1024-bit Diffie-Hellman.
                                        Vulnerable servers, if the attacker can precompute for...
                                        All 512-bit groups   All 768-bit groups   One 1024-bit group   Ten 1024-bit groups
HTTPS Top Million w/ active downgrade      45,100 (8.4%)        45,100 (8.4%)        205,000 (37.1%)      309,000 (56.1%)
HTTPS Top Million                             118 (0.0%)           407 (0.1%)         98,500 (17.9%)      132,000 (24.0%)
HTTPS Trusted w/ active downgrade         489,000 (3.4%)       556,000 (3.9%)      1,840,000 (12.8%)    3,410,000 (23.8%)
HTTPS Trusted                               1,000 (0.0%)        46,700 (0.3%)        939,000 (6.56%)     1,430,000 (10.0%)
IKEv1 IPv4                                      –               64,700 (2.6%)      1,690,000 (66.1%)    1,690,000 (66.1%)
IKEv2 IPv4                                      –               66,000 (5.8%)        726,000 (63.9%)      726,000 (63.9%)
SSH IPv4                                        –                    –              3,600,000 (25.7%)    3,600,000 (25.7%)
Table 3. Estimated impact of Diffie-Hellman attacks in early 2015. (g)
(g) We used Internet-wide scanning to estimate the number of real-world servers for which typical connections could be compromised by attackers with various levels of computational resources. For HTTPS, we provide figures with and without downgrade attacks on the chosen ciphersuite. All others are passive attacks.