Measuring Small Subgroup Attacks Against Diffie-Hellman
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta∗, David Adriany, Antonio Sansoz, Shaanan Cohney∗, Joshua Fried∗, Marcella Hastings∗, J. Alex Haldermany, Nadia Heninger∗ ∗University of Pennsylvania yUniversity of Michigan zAdobe Abstract—Several recent standards, including NIST SP 800- be large enoughp to thwart known attacks, which for prime q 56A and RFC 5114, advocate the use of “DSA” parameters run in time O( q). A common parameter choice is to use a for Diffie-Hellman key exchange. While it is possible to use 160-bit q with a 1024-bit p or a 224-bit q with a 2048-bit p, to such parameters securely, additional validation checks are match the security level under different cryptanalytic attacks. necessary to prevent well-known and potentially devastating Diffie-Hellman parameters with p and q of these sizes were attacks. In this paper, we observe that many Diffie-Hellman suggested for use and standardized in DSA signatures [50]. For implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation brevity, we will refer to these non-safe primes as DSA primes, choices, this can radically decrease security. We measure the and to groups using DSA primes with smaller values of q as prevalence of these parameter choices in the wild for HTTPS, DSA groups. POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, A downside of using DSA primes instead of safe primes for finding millions of hosts using DSA and other non-“safe” Diffie-Hellman is that implementations must perform additional primes for Diffie-Hellman key exchange, many of them in validation checks to ensure the key exchange values they receive combination with potentially vulnerable behaviors.
[Show full text]