Diffie-Hellman key exchange is an popular cryptographic algorithm that provide secure way of exchanging cryptographic key ever a public network/channel. D–H is one of the earliest practical examples of public key exchange implemented within the field of cryptography. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.
Below are several weaknesses in how Diffie-Hellman key exchange has been deployed:
- Logjam attack against the TLS protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange.
- Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.
To fix issue with weak Diffie Hellman Logjam Attack you need to:
- Disable Export Cipher Suites.
- Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)
- Use a Strong Diffie Hellman Group
Below is a Fix for Nginx web server:
ssl_ciphers in global NGINX configuration file
Create a Strong DH Group
Run following command on your server
openssl dhparam -out /etc/nginx/dhparams.pem 2048
open your NGINX configuration file
and update below directive into it
Reload or Restart Nginx Services.
service nginx restart