堵塞漏洞分析报告.pdfVIP

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian¶ Karthikeyan Bhargavan∗ Zakir Durumeric¶ Pierrick Gaudry† Matthew Green§ J. Alex Halderman¶ Nadia Heninger‡ Drew Springall¶ Emmanuel Thomé† Luke Valenta‡ Benjamin VanderSloot¶ Eric Wustrow¶ Santiago Zanella-Béguelin Paul Zimmermann† ∗ INRIA Paris-Rocquencourt † INRIA Nancy-Grand Est, CNRS and Université de Lorraine Microsoft Research ‡ University of Pennsylvania § Johns Hopkins ¶ University of Michigan For additional materials and contact information, visit WeakDH.org. ABSTRACT logs in that group, amortizing the cost over all targets that We investigate the security of Diffie-Hellman key exchange as share this parameter. The algorithm can be tuned to reduce used in popular Internet protocols and find it to be less secure individual log cost even further. Although this fact is well than widely believed. First, we present a novel flaw in TLS known among mathematical cryptographers, it seems to have that allows a man-in-the-middle to downgrade connections been lost among practitioners deploying cryptosystems. We to “export-grade” Diffie-Hellman. To carry out this attack, exploit it to obtain the following results: we implement the number field sieve discrete log algorithm. Active attacks on export ciphers in TLS. We identify a new After a week-long precomputation for a specified 512-bit attack on TLS, in which a man-in-the-middle attacker can group, we can compute arbitrary discrete logs in this group downgrade a connection to export-grade cryptography. Thi