Imperfect forward secrecy

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella Béguelin, Paul Zimmermann. Imperfect forward secrecy. Communications of the ACM, pages 106-114.
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. [...] To carry out this attack, we implement the number field sieve discrete logarithm algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logarithms in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, and that 8.4% of Alexa Top Million HTTPS sites…
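The attack above pays off because the expensive step is done once per group and then amortised over every server that uses that group, so the first thing a defender checks is which group a server actually advertises. As an added example (not code from the paper or its authors), the following Python parses the TLS 1.2 ServerDHParams structure (RFC 5246, section 7.4.3) that carries p, g and Ys in a DHE ServerKeyExchange, flags the modulus by size using the thresholds the paper discusses, and rejects a composite modulus or an out-of-range public value. The sample group and the 2048-bit composite are constructed for this example; they are not the export-grade primes measured in the paper.

```python
"""Flag weak Diffie-Hellman groups in a TLS 1.2 ServerDHParams blob.

Added example; it is not code from the paper or its authors. The size
thresholds follow the paper's findings; the sample group is constructed.
"""
import struct


def parse_server_dh_params(blob: bytes):
    """Parse ServerDHParams (RFC 5246 section 7.4.3): dh_p, dh_g, dh_Ys, each an
    opaque<1..2^16-1> big-endian integer. Returns (p, g, ys, bytes_consumed);
    the signature that follows in a DHE ServerKeyExchange is left to the caller."""
    off, vals = 0, []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(blob):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack(">H", blob[off:off + 2])
        off += 2
        if n == 0 or off + n > len(blob):
            raise ValueError(f"bad {name} length {n}")
        vals.append(int.from_bytes(blob[off:off + n], "big"))
        off += n
    return vals[0], vals[1], vals[2], off


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used to build the constructed sample."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic, adequate for a scanner
    that only needs to catch a server sending a composite modulus."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def classify_group(p: int, g: int, ys: int):
    """Return (modulus_bits, findings). 512-bit groups fall to the per-group
    precomputation described above; 768- and 1024-bit groups are within reach
    of well-resourced attackers and are reported as weak."""
    bits = p.bit_length()
    findings = []
    if bits <= 512:
        findings.append("EXPORT_GRADE")
    elif bits < 1024:
        findings.append("WEAK_768")
    elif bits < 2048:
        findings.append("WEAK_1024")
    if not is_probable_prime(p):
        findings.append("P_NOT_PRIME")
    if not 1 < g < p - 1:
        findings.append("BAD_GENERATOR")
    if not 1 < ys < p - 1:
        findings.append("BAD_PUBLIC_VALUE")  # 0, 1 and p-1 confine the shared secret
    return bits, findings


def scan(blob: bytes):
    """Parse a ServerDHParams blob and classify the group it advertises."""
    p, g, ys, _ = parse_server_dh_params(blob)
    return classify_group(p, g, ys)


def first_prime_at_least(start: int) -> int:
    """Deterministic search, so the constructed sample below is reproducible."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n


# Constructed sample inputs (assumptions for this example, NOT the real
# export-grade primes measured in the paper).
SAMPLE_P_512 = first_prime_at_least(1 << 511)        # a 512-bit prime
SAMPLE_P_2048_COMPOSITE = (1 << 2047) + 1             # 2048 bits; divisible by 3
SAMPLE_EXPORT_MSG = encode_server_dh_params(
    SAMPLE_P_512, 2, pow(2, 0xC0FFEE, SAMPLE_P_512))  # g = 2, Ys = g^x mod p

if __name__ == "__main__":
    print(scan(SAMPLE_EXPORT_MSG))  # (512, ['EXPORT_GRADE'])
```

To use this against a live server, capture the ServerKeyExchange body from a handshake that negotiated a DHE ciphersuite and pass the bytes that precede the signature to scan(); a hit on EXPORT_GRADE means the server is a target for the downgrade, and a WEAK_1024 hit means it is relying on a group size the paper shows is no longer comfortable.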

A Novel Provably Secure Key Agreement Protocol Based On Binary Matrices
Security analysis of the protocol shows that the shared secret key is indistinguishable from random under the Decisional Diffie-Hellman (DDH) assumption for a prime-order subgroup of matrices over GF(2), and that the complexity of a brute-force attack on the protocol is equivalent to exhaustive search for the secret key.
Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
The results show that the security of a substantial number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts.
A Novel Provably Secure Key-Agreement Using Secret Subgroup Generator
While using exponentiation over a cyclic subgroup to establish the key agreement, the generator of that subgroup is hidden to secure the scheme against adversaries capable of solving the Discrete Logarithm Problem, which means the scheme might be a candidate post-quantum key exchange scheme.
Secure i-Voting Scheme with Blockchain Technology and Blind Signature
This paper proposes and test-implements a robust online voting system based on blockchain in order to prevent election forgery and ease the voting process for citizens, and proposes a solution to the identity impersonation and vote-selling problems.
Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment
Two new records are reported: the factorization of RSA-240, a 795-bit number, and a discrete logarithm computation over a 795-bit prime field, and it is shown that computing a discrete logarithm is not much harder than factoring a number of the same size.
Magic cube puzzle approach for image encryption
This study showed that the proposed magic cube puzzle approach to encrypt an 8-bit grayscale image was better than the other methods, except for entropy metrics.
Deviant security: the technical computer security practices of cyber criminals
The findings of this socio-technical-legal project prove that deviant security is an academic field of study on its own with continually evolving research opportunities.
New Discrete Logarithm Computation for the Medium Prime Case Using the Function Field Sieve
Progress in discrete logarithm computation for the general medium prime case using the function field sieve algorithm is reported, with analysis indicating that the relation collection and descent steps are within reach for fields with 32-bit characteristic and moderate extension degrees.
Reproducing "Analysis of the HTTPS Certificate Environment"


Security Analysis of IKE's Signature-Based Key-Exchange Protocol
A security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard is presented, based on an adaptation of the key-exchange model to the setting where peers' identities are not necessarily known or disclosed from the start of the protocol.
Analysis of the Internet Key Exchange protocol using the NRL Protocol Analyzer
  • C. Meadows
  • Computer Science, Mathematics
    Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
  • 1999
The NRL Protocol Analyzer, a special-purpose formal methods tool designed for the verification of cryptographic protocols, was used in the analysis of the Internet Key Exchange (IKE) protocol, which uncovered several ambiguities and omissions in the specification.
The OAKLEY Key Determination Protocol
The OAKLEY protocol supports Perfect Forward Secrecy, compatibility with the ISAKMP protocol for managing security associations, user-defined abstract group structures for use with the Diffie-Hellman algorithm, key updates, and incorporation of keys distributed via out-of-band mechanisms.
ZMap: Fast Internet-wide Scanning and Its Security Applications
ZMap is introduced, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet.
Non-wafer-Scale Sieving Hardware for the NFS: Another Attempt to Cope with 1024-Bit
A new hardware design for implementing the sieving step of the Number Field Sieve is presented and from a practical cryptanalytic point of view the new design seems to be no less attractive than TWIRL.
Discrete Logarithms in GF(P) Using the Number Field Sieve
  • D. M. Gordon
  • Mathematics, Computer Science
    SIAM J. Discret. Math.
  • 1993
This paper presents an algorithm to solve the discrete logarithm problem for GF(p) with heuristic expected running time L_p[1/3; 3^{2/3}], and for numbers of a special form there is an asymptotically slower but more practical version of the algorithm.
New directions in cryptography
This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Computation of a 768-Bit Prime Field Discrete Logarithm
This paper reports on the number field sieve computation of a 768-bit prime field discrete logarithm, describes the different parameter optimizations and resulting algorithmic changes compared to the
Virtual logarithms
Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method
It is shown that the number field sieve outperforms the Gaussian integer method in the hundred-digit range by successfully computing discrete logarithms with GNFS in a large prime field.