Latest attack against TLS shows the pitfalls of intentionally weakening encryption

02.03.2016
For the third time in less than a year, security researchers have found a method to attack encrypted Web communications, a direct result of weaknesses that were mandated two decades ago by the U.S. government.

These new attacks show the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today.

The field of cryptography escaped the military domain in the 1970s and reached the general public through the works of pioneers like Whitfield Diffie and Martin Hellman, and ever since, the government has tried to keep it under control and limit its usefulness in one way or another.

One approach used throughout the 1990s was to enforce export controls on products that used encryption by limiting the key lengths, allowing the National Security Agency to easily decrypt foreign communications.

This gave birth to so-called "export-grade" encryption algorithms that have been integrated into cryptographic libraries and have survived to this day. While these algorithms are no longer used in practice, researchers found that the mere support for them in TLS (Transport Layer Security) libraries and server configurations endanger Web communications encrypted with modern standards.

In March 2015, a team of researchers from Inria in Paris and the miTLS project developed an attack dubbed FREAK. They found that if a server was willing to negotiate an RSA_EXPORT cipher suite, a man-in-the-middle attacker could trick a user's browser to use a weak export key and decrypt TLS connections between that user and the server.

In May, another team of researchers announced another attack dubbed Logjam. While similar in concept to FREAK, Logjam targeted the Diffie-Hellman (DHE) key exchange instead of RSA and affected servers that supported DHE_EXPORT ciphers.

On Tuesday, another team of researchers announced a third attack.

Dubbed DROWN, this attack can be used to decrypt TLS connections between a user and a server if that server supports the old SSL version 2 protocol or shares its private key with another server that does. The attack is possible because of a fundamental weakness in the SSLv2 protocol that also relates to export-grade cryptography.

The U.S. government deliberately weakened three kinds of cryptographic primitives in the 1990s -- RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers -- and all three have put the security of the Internet at risk decades later, the researchers who developed DROWN said on a website that explains the attack.

"Today, some policy makers are calling for new restrictions on the design of cryptography in order to prevent law enforcement from 'going dark,'" the researchers said. "While we believe that advocates of such backdoors are acting out of a good- faith desire to protect their countries, history's technical lesson is clear: Weakening cryptography carries enormous risk to all of our security."

Attacks like DROWN show the costs that Internet users continue to pay for mandated vulnerabilities in encryption that gave intelligence agencies a small, short-term advantage, Matthew Green, a cryptographer and assistant professor at the Johns Hopkins Information Security Institute, wrote in a blog post. "Given that we're currently in the midst of a very important discussion about the balance of short- and long-term security, let's hope that we won't make the same mistake again."

Lucian Constantin