1. Measuring small subgroup attacks against Diffie-Hellman 2017 Attacks Diffie-Hellman IPSec Measurement NDSS TLS
    Luke Valenta and David Adrian and Antonio Sanso and Shaanan Cohney and Joshua Fried and Marcella Hastings and J. Alex Halderman and Nadia Heninger
    [View PDF on eprint.iacr.org]
    [Show BibTex Citation]

    @inproceedings{DBLP:conf/ndss/ValentaASCFHHH17,
    author = {Luke Valenta and David Adrian and
    Antonio Sanso and Shaanan Cohney and
    Joshua Fried and
    Marcella Hastings and
    J. Alex Halderman and
    Nadia Heninger},
    title = {Measuring small subgroup attacks against Diffie-Hellman},
    booktitle = {24th Annual Network and Distributed System Security Symposium, {NDSS}
    2017, San Diego, California, USA, February 26 - March 1, 2017},
    year = {2017},
    url = {https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/measuring-small-subgroup-attacks-against-diffie-hellman/},
    timestamp = {Tue, 16 Jan 2018 15:43:37 +0100},
    biburl = {https://dblp.org/rec/bib/conf/ndss/ValentaASCFHHH17},
    bibsource = {dblp computer science bibliography, https://dblp.org}
    }

Several recent standards, including NIST SP 800- 56A and RFC 5114, advocate the use of “DSA” parameters for Diffie-Hellman key exchange. While it is possible to use such parameters securely, additional validation checks are necessary to prevent well-known and potentially devastating attacks. In this paper, we observe that many Diffie-Hellman implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation choices, this can radically decrease security. We measure the prevalence of these parameter choices in the wild for HTTPS, POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using DSA and other non-“safe” primes for Diffie-Hellman key exchange, many of them in combination with potentially vulnerable behaviors. We examine over 20 open-source cryptographic libraries and applications and observe that until January 2016, not a single one validated subgroup orders by default. We found feasible full or partial key recovery vulnerabilities in OpenSSL, the Exim mail server, the Unbound DNS client, and Amazon’s load balancer, as well as susceptibility to weaker attacks in many other applications.

  1.