How to Protect Yourself from the NSA If You Use 1024-bit DH Encryption

Illustration for article titled How to Protect Yourself from the NSA If You Use 1024-bit DH Encryption


In a post on Wednesday, researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. Earlier in the year, they were part of a research group that published a study of the Logjam attack, which leveragedoverlooked and outdated code to enforce “export-grade” (downgraded, 512-bit) parameters for Diffie-Hellman. By performing a cost analysis of the algorithm with stronger 1024-bit parameters and comparing that with what we know of the NSA “black budget” (and reading between the lines of several leaked documents about NSA interception capabilities) they concluded that it’s likely NSA has been breaking 1024-bit Diffie-Hellman for some time now.

Advertisement

The good news is, in the time since this research was originally published, the major browser vendors (IE, Chrome, and Firefox) have removed support for 512-bit Diffie-Hellman, addressing the biggest vulnerability. However, 1024-bit Diffie-Hellman remains supported for the forseeable future despite its vulnerability to NSA surveillance. In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.

Disclaimer: This is not a complete guide, and not all software is covered.

Web Browser

To make sure you’re using the strongest crypto, you have to look at the encryption algorithms (or cipher suites) that your browser supports. There’s an excellent tool, How’s My SSL?, that will to test your browser’s cipher suite support. The relevant area of the page is the bottom, Given Cipher Suites. You want to make sure that you don’t see the text “_DHE_” in the list of ciphersuites. Although the Elliptic Curve variant of Diffie-Hellman, represented by suites with “_ECDHE_” is okay). Here’s how to remove those “_DHE_” cipher suites if you still have them:

Firefox

(tested with 40.0.3)

Open a new tab, enter “about:config” into the location bar and hit the “Enter” key. If you get a warning page, click “I’ll be careful, I promise!” This will bring you to the Firefox configuration settings. In the search bar up top, type “.dhe_” and hit the “Enter” key. This should result in two settings being displayed: “security.ssl3.dhe_rsa_aes_256_sha” and “security.ssl3.dhe_rsa_aes_256_sha”. Double-click both of them to change the value from “true” to “false”.

Advertisement
Illustration for article titled How to Protect Yourself from the NSA If You Use 1024-bit DH Encryption

Now, if you refresh the How’s My SSL page, the “_DHE_” ciphersuites should be gone!

Chrome

After following these steps in the following operating systems, refresh the How’s My SSL page, the “_DHE_” ciphersuites should be gone. Note that the hex values for the blacklist correspond to the TLS Cipher Suite Registry

Advertisement

OSX

(tested with 46.0.2490.71, OSX 10.10.5)

Open “automator” and double-click “Run Shell Script”. Replace the “cat” command with the following:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15
Advertisement
Illustration for article titled How to Protect Yourself from the NSA If You Use 1024-bit DH Encryption

Save the application to your applications folder with whatever filename you like. In finder, you can drag the application to your dock and use that to launch Chrome without the vulnerable ciphers.

Advertisement

Windows

(tested with 46.0.2490.71, Windows 7)

Right-click the shortcut to your Chrome application, click “properties” and then add the following to the end of the “target”: “—cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15”

Advertisement

The target then should be similar to the following:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15
Advertisement

From now on, open Chrome from this shortcut.

Linux

Tested with 46.0.2490.13, Ubuntu 14.04 LTS

Starting chrome from the command line with the following flag removes the undesired ciphers:

google-chrome --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15

SSH

An excellent guide for hardening your SSH configuration was released after revelations that the NSA can sometimes decrypt SSH connections. The guide is available here.

Advertisement

VPN

OpenVPN

Most VPN software supports the “.ovpn” file extension used by OpenVPN. Many VPN providers will also provide “.ovpn” files to connect using OpenVPN. We’ll have to specify in this file that we want to be using only Diffie-Hellman with 2048-bit primes. First, we’ll have to create a “dhparam” file with the “openssl” command-line:

openssl dhparam -out /some/path/to/dh2048.pem 2048

Then, we specify that we want to use this file’s Diffie-Hellman parameters in the “.ovpn” file:

echo "dh /some/path/to/dh2048.pem" >> myvpnfile.ovpn

When you connect now, you should be using 2048-bit primes!

This post first appeared on Electronic Frontier Foundation’s blog and is republished here under Creative Commons license.

Advertisement

Image by Yuri Samoilov under Creative Commons license.

Share This Story

Get our newsletter

DISCUSSION

Is 1028-DH different than RSA? I always used to hear how 128 (not even 1028) RSa was uncrackable and how it would take so many millennia to brute force it. I do remember though that it turned out rsa had given the nsa a Blackdoor or something. Short of being compromised that way is 1028 even crackable? I'm assuming f what's explained in the article above is a VULNERABILITY and not brute force. If so, wouldn't it make sense that the organisation that maintains 1028 dh simply update it to remove the vulnerability?