Menu
Latest attack against TLS shows the pitfalls of intentionally weakening encryption

Latest attack against TLS shows the pitfalls of intentionally weakening encryption

Following FREAK and Logjam, DROWN is the third attack resulting from encryption algorithms that were deliberately weakened by the government

For the third time in less than a year, security researchers have found a method to attack encrypted Web communications, a direct result of weaknesses that were mandated two decades ago by the U.S. government.

These new attacks show the dangers of deliberately weakening security protocols by introducing backdoors or other access mechanisms like those that law enforcement agencies and the intelligence community are calling for today.

The field of cryptography escaped the military domain in the 1970s and reached the general public through the works of pioneers like Whitfield Diffie and Martin Hellman, and ever since, the government has tried to keep it under control and limit its usefulness in one way or another.

One approach used throughout the 1990s was to enforce export controls on products that used encryption by limiting the key lengths, allowing the National Security Agency to easily decrypt foreign communications.

This gave birth to so-called "export-grade" encryption algorithms that have been integrated into cryptographic libraries and have survived to this day. While these algorithms are no longer used in practice, researchers found that the mere support for them in TLS (Transport Layer Security) libraries and server configurations endanger Web communications encrypted with modern standards.

In March 2015, a team of researchers from Inria in Paris and the miTLS project developed an attack dubbed FREAK. They found that if a server was willing to negotiate an RSA_EXPORT cipher suite, a man-in-the-middle attacker could trick a user's browser to use a weak export key and decrypt TLS connections between that user and the server.

In May, another team of researchers announced another attack dubbed Logjam. While similar in concept to FREAK, Logjam targeted the Diffie-Hellman (DHE) key exchange instead of RSA and affected servers that supported DHE_EXPORT ciphers.

On Tuesday, another team of researchers announced a third attack.

Dubbed DROWN, this attack can be used to decrypt TLS connections between a user and a server if that server supports the old SSL version 2 protocol or shares its private key with another server that does. The attack is possible because of a fundamental weakness in the SSLv2 protocol that also relates to export-grade cryptography.

The U.S. government deliberately weakened three kinds of cryptographic primitives in the 1990s -- RSA encryption, Diffie-Hellman key exchange, and symmetric ciphers -- and all three have put the security of the Internet at risk decades later, the researchers who developed DROWN said on a website that explains the attack.

"Today, some policy makers are calling for new restrictions on the design of cryptography in order to prevent law enforcement from 'going dark,'" the researchers said. "While we believe that advocates of such backdoors are acting out of a good- faith desire to protect their countries, history's technical lesson is clear: Weakening cryptography carries enormous risk to all of our security."

Attacks like DROWN show the costs that Internet users continue to pay for mandated vulnerabilities in encryption that gave intelligence agencies a small, short-term advantage, Matthew Green, a cryptographer and assistant professor at the Johns Hopkins Information Security Institute, wrote in a blog post. "Given that we're currently in the midst of a very important discussion about the balance of short- and long-term security, let's hope that we won't make the same mistake again."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Show Comments