Recent attacks have shown the risks of leaving legacy TLS encryption modes enabled. In this blog post, the risks of having export-grade cryptography enabled will be addressed.
During the 90s very strict export regulations regarding cryptography were present in the United States of America. Due to this issue, some SSL implementations have deliberately weakened ciphers which would comply with the American export laws. All these ciphers are tagged as EXPORT ciphers or export-grade cryptography, which nowadays is considered obsolete. Solutions exist at the moment to provide higher confidentiality and integrity levels for messages, and these export regulations are no longer present.
Two attacks on SSL export ciphers will be discussed: Logjam and FREAK.
What is it?
The Logjam attack exploits the acceptance on both clients and servers of export-grade ciphers using Diffie-Hellman as their key exchange protocol.
To exploit this vulnerability, the attacker performs a downgrade attack on the victim, forcing them to use a weak key exchange protocol. A man-in-the-middle can force TLS clients to use export strength DH with any server that allows DHE_EXPORT ciphers. Then, by computing the discrete log using techniques such as precomputation attacks against known primes, the attacker can learn the session key and arbitrarily read or modify the contents of the data transmitted between both parties.
What does it expose?
The successful exploitation of Logjam would allow an attacker to completely compromise the confidentiality and integrity of any TLS session on a client or server which accepts export-grade Diffie-Hellman key exchange.
It should be noted that, although it is expected to take a week or so to precompute logs for each prime, Diffie-Hellman implementations on different TLS clients and servers often use the same small set of primes, so only a few primes need to be precomputed against in order to enable the decryption of a significant portion of global TLS traffic.
What is it?
The FREAK attack exploits the presence of export-grade cryptography with RSA key exchange. As with the Logjam attack, the target connection is deliberately weakened by forcing the use of an export-grade key exchange.
To exploit this vulnerability, an attacker downgrades a regular RSA key exchange to one that uses export-grade ephemeral RSA keys, relying on a bug in several TLS client implementations. The attacker then factors the ephemeral key to hijack future connections that use the same key. At the time the vulnerability was first published, it cost around $100 (USD) to factor the weak RSA key in 8 hours on a cluster of systems running GPUs. Once the RSA key has been factored, an attacker would be able to decrypt the RSA-protected key-exchange, recover the symmetric encryption key and decrypt all SSL traffic captured.
What does it expose?
The successful exploitation of FREAK would allow an attacker to completely compromise the confidentiality and integrity of any TLS session between a client or server which accepts export-grade RSA as key exchange protocol.
Who/What is affected?
Any service which runs over TLS and accepts EXPORT_DH or EXPORT_RSA ciphers is vulnerable to these attacks. Although these attacks target specifically these export ciphers, all export ciphers are considered to be obsolete and hence should be disabled. An example of common services which could be affected by this attack are the following:
What should we do?
Both attacks exploit the possibility of downgrading a connection initialization to use a legacy key exchange protocol. In order to defend against the Logjam and FREAK attacks, Portcullis recommends to have an up-to-date client and to disable all export-grade ciphers on both clients and servers. In addition to this, it is recommended to transition towards Elliptic Curve Diffie-Hellman as key exchange protocol.
Our SSL Good Practice Guide has been recommending that old protocols and ciphers be disabled for some time now, which prevents this attack. You can use the SSL cipher suite enum tool to test your configuration.