2015-05-28

#encryption export controls #Logjam

5.27: news.cyb/sec/encryption export controls/Logjam:
arstechnica:
The new attack has been dubbed Logjam
( the name is a pun on the "discrete log"
math operation used to break the weak keys.
But the name is also an allusion to the fact that
these '90s-era export ciphers are part of an
"immense amount of technical debt
that's built up in our crypto protocols,"
"There's just too much dead wood that's accumulated over the years."
)
The weakness is the result of export restrictions
the US government mandated in the 1990s:
software shipped abroad had to offer weakened
"export-grade" cipher suites (Diffie-Hellman capped at 512 bits)
so the FBI and NSA could eavesdrop on foreign traffic .

. the Diffie-Hellman key exchange algorithm
allows two parties that have never met before
to negotiate a secret key even though they're
communicating over an unsecured, public channel:
each side sends g^a mod p or g^b mod p in the clear,
only the two of them can compute g^(ab) mod p,
and an eavesdropper would have to solve a discrete log .
. servers that still support the export cipher suites
(DHE_EXPORT, 512-bit groups) can have the encryption broken:
a man-in-the-middle edits the handshake so the server
picks the export suite and sends a 512-bit group;
the client can't tell, because the server's signature
covers only the DH parameters, not the cipher suite .
the attacker then solves the discrete log in that group;
most of the work depends only on the prime, and most
servers share the same few 512-bit primes, so it is
precomputed once and reused cheaply per connection .

. developers of major browsers
are expected to implement a fix
that rejects encrypted connections
unless the DH group (the prime) is at least 1024 bits .
-- 1024 bits is a floor, not a recommendation;
weakdh.org advises servers to use 2048-bit groups .
. developers should also transition to
an elliptic curve version of the
Diffie-Hellman key exchange algorithm (ECDHE) .
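Added example (not from arstechnica or the Logjam authors): a toy model of the handshake described above and of the browser fix. It assumes constructed groups (a 32-bit prime standing in for the 512-bit export groups, and the Mersenne prime 2**1279 - 1 standing in for a group above the 1024-bit floor; neither is a vetted DH group), suite names loosely modelled on OpenSSL's, and a handshake stripped of certificates, signatures and Finished MACs. The attacker's discrete log is baby-step giant-step with the table built once per group, which mirrors Logjam's per-prime precomputation in shape only.

```python
"""Toy Logjam: DHE handshake, MITM downgrade to the export suite, and the
client-side minimum-group-size check. Constructed example; no certificates,
signatures or Finished MACs are modelled."""
import math
import secrets
from dataclasses import dataclass

# Constructed groups. EXPORT_GROUP uses 2**32 - 5, a 32-bit prime standing in
# for the 512-bit DHE_EXPORT groups (small enough to break in under a second).
# LARGE_GROUP uses 2**1279 - 1 (a Mersenne prime) only because it is a known
# prime above the 1024-bit floor; it is a stand-in, not a vetted DH group.
EXPORT_GROUP = (4294967291, 2)
LARGE_GROUP = ((1 << 1279) - 1, 3)

# suite name -> (p, g), in server preference order (names modelled on OpenSSL's)
SUITES = {
    "DHE-RSA-AES128-SHA": LARGE_GROUP,
    "EXP-DHE-RSA-DES-CBC-SHA": EXPORT_GROUP,
}


@dataclass
class ServerHello:
    suite: str
    p: int
    g: int
    pub: int  # g**b mod p


class Server:
    """Still offers the export suite: that is the Logjam precondition."""
    def __init__(self, suites=SUITES):
        self.suites, self.priv = suites, None

    def hello(self, client_offer):
        # first suite in the *server's* preference order that the client offered
        for name, (p, g) in self.suites.items():
            if name in client_offer:
                self.priv = secrets.randbelow(p - 2) + 1
                return ServerHello(name, p, g, pow(g, self.priv, p))
        raise ValueError("no common cipher suite")

    def secret(self, client_pub, p):
        return pow(client_pub, self.priv, p)


class Client:
    def __init__(self, min_dh_bits=0):
        self.min_dh_bits = min_dh_bits  # 0: pre-Logjam browser; 1024: patched

    def offer(self):
        return list(SUITES)  # offers both suites, strong one first

    def key_exchange(self, sh):
        """Returns (client public value, shared secret) or rejects the group."""
        if sh.p.bit_length() < self.min_dh_bits:
            raise ValueError(f"DH group too small: {sh.p.bit_length()} bits")
        a = secrets.randbelow(sh.p - 2) + 1
        return pow(sh.g, a, sh.p), pow(sh.pub, a, sh.p)


class GroupPrecomp:
    """Baby-step giant-step with the baby-step table built once per (p, g):
    the expensive part depends only on the group, which many servers share,
    and each connection then costs only the cheap giant-step phase."""
    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = math.isqrt(p) + 1
        self.table, x = {}, 1
        for j in range(self.m):  # one-time cost per group
            self.table.setdefault(x, j)
            x = x * g % p
        self.step = pow(g, -self.m, p)  # g**-m mod p (Python 3.8+)

    def log(self, h):
        """Returns x with g**x == h (mod p), or None if h is not in <g>."""
        gamma = h
        for i in range(self.m):
            if gamma in self.table:
                return i * self.m + self.table[gamma]
            gamma = gamma * self.step % self.p
        return None


def run_handshake(client, server, mitm=False, precomp=None):
    """Returns (client_secret, server_secret, attacker_secret_or_None)."""
    offer = client.offer()
    if mitm:  # attacker rewrites the ClientHello to offer only export suites
        offer = [s for s in offer if s.startswith("EXP-")]
    sh = server.hello(offer)
    if mitm:  # and relabels the ServerHello; the signed part (p, g, pub) is untouched
        sh = ServerHello(client.offer()[0], sh.p, sh.g, sh.pub)
    cpub, csecret = client.key_exchange(sh)
    ssecret = server.secret(cpub, sh.p)
    attacker = None
    if mitm and precomp is not None and (sh.p, sh.g) == (precomp.p, precomp.g):
        b = precomp.log(sh.pub)         # server exponent (mod the order of g)
        attacker = pow(cpub, b, sh.p)   # same secret the server derives
    return csecret, ssecret, attacker


def downgrade_blocked(min_dh_bits):
    """True if a client enforcing min_dh_bits aborts the downgraded handshake."""
    try:
        run_handshake(Client(min_dh_bits), Server(), mitm=True)
        return False
    except ValueError:
        return True
```

With `Client()` (no floor) the downgraded handshake completes and the attacker's secret equals both parties'; with `Client(1024)` the same downgrade aborts on the group size, while the honest handshake over the large group still succeeds. The real fix is on the server side as well: drop the export suites entirely, so there is nothing to downgrade to.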

trendmicro:
. check if your browser is vulnerable by visiting:
https://weakdh.org/
-- dh stands for Diffie-Hellman .
-- the same site also has a server test
and a sysadmin guide for disabling export suites .

. my Chrome OS Chrome browser gets this message:
Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption.
You should update your browser.