How to Prevent 1024-bit Diffie-Hellman from being cracked

Source: Internet
Author: User
Tags configuration settings strong password cipher suite


On Wednesday, researchers Alex Halderman and Nadia Heninger argued that the NSA has been able to decrypt a large number of HTTPS, SSH, and VPN connections by attacking the Diffie-Hellman key exchange when it uses 1024-bit primes.

NSA may have cracked 1024-bit Diffie-Hellman

The Logjam attack, discovered in the first half of this year, allows a man-in-the-middle attacker to downgrade the encryption strength of a TLS connection to 512 bits. Based on a cost analysis of attacking the stronger 1024-bit parameters, compared against what we know of the National Security Agency's "black budget", the NSA may have been able to break 1024-bit Diffie-Hellman for some time.

The good news is that, since the publication of this study, the major browser vendors (IE, Chrome, and Firefox) have removed support for 512-bit Diffie-Hellman.

Here are some tips for configuring web browsers, SSH clients, and VPN software to protect yourself from this kind of monitoring.

Web Browser

To make sure you are using the strongest cipher suites, check which encryption algorithms (cipher suites) your browser supports. A good tool for this is How's My SSL, which tests the browser's cipher suite support. The list of cipher suites your browser offers appears near the bottom of that page. Note that disabling the "_DHE_" cipher suites eliminates the risk of this attack, but it may also cost you forward secrecy on some websites. The following describes how to remove the "_DHE_" cipher suites:

1. Firefox (version 40.0.3)

Open a new tab and enter "about:config" in the address bar. If you get a warning page, click "I'll be careful, I promise!" to reach the Firefox configuration settings. In the search box, type ".dhe_" and press Enter. This displays two settings: "security.ssl3.dhe_rsa_aes_128_sha" and "security.ssl3.dhe_rsa_aes_256_sha". Double-click each of them to change "true" to "false".

Refresh the How's My SSL page. The "_DHE_" cipher suites are gone!

2. Chrome

After following the steps below for your operating system, refresh the How's My SSL page and the "_DHE_" cipher suites should disappear. Note that the hexadecimal values in the commands correspond to different cipher suites in the TLS Cipher Suite Registry.

(1) OSX System (OSX 10.10.5)

Open "Automator" and double-click "Run Shell Script". Replace the "cat" command with the following:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15

 

Save the application to your Applications folder. In the Finder, you can drag the application to your Dock and use it to open the Chrome browser.

(2) Windows (Windows 7)

Right-click the Chrome shortcut, click "Properties", and add the following to the end of the "Target" field:

--cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15

Then, the target should be similar to the following:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15

From now on, use this shortcut to open your browser.

(3) Linux (Ubuntu 14.04 LTS)

Start Chrome from the command line with the unwanted cipher suites disabled:

google-chrome --cipher-suite-blacklist=0x0033,0x0039,0x009E,0xcc15
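The hexadecimal values passed to the flag are the two-byte suite IDs from the TLS Cipher Suite Registry. The following added example (not part of the original article) derives such a list from a cipher listing in the layout printed by `openssl ciphers -V`; the sample lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the value for Chrome's --cipher-suite-blacklist flag
# from a listing in the layout printed by `openssl ciphers -V`.

# Constructed sample input (five lines in `openssl ciphers -V` layout).
sample_ciphers() {
cat <<'EOF'
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x33 - DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EOF
}

# Read the listing on stdin and print the finite-field DH suites (Kx=DH) as a
# comma-separated list of 16-bit IDs. ECDHE (Kx=ECDH) and static RSA suites
# are left out of the list, so they stay enabled.
dhe_blacklist() {
  awk '
    $2 == "-" && $5 == "Kx=DH" {
      split($1, b, ",")                      # "0x00,0x9E" -> "0x00" and "0x9E"
      id = "0x" substr(b[1], 3) substr(b[2], 3)
      out = (out == "" ? id : out "," id)
    }
    END { print out }
  '
}

# Print the complete flag for the constructed sample.
printf '%s%s\n' '--cipher-suite-blacklist=' "$(sample_ciphers | dhe_blacklist)"
```

Chrome ships its own TLS stack, so a local OpenSSL listing may not contain every suite the browser offers (the 0xcc15 value above does not appear in this sample); confirm the result against the list How's My SSL reports.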

SSH

The detailed guide for handling SSH configuration is here.

VPN

Most VPN software supports OpenVPN's ".ovpn" file format, and many VPN providers supply ".ovpn" files for connecting. You can use the following command to list the cipher suites your OpenVPN client supports:

openvpn --show-tls

The list should be ordered with the strongest cipher suites first. The latest version of OpenVPN supports "ECDHE", but your VPN provider must also support the required cipher suites. Cipher suites that offer only "DHE" may be vulnerable, but OpenVPN servers often generate their own primes, which reduces the risk of precomputation attacks. Edit the ".ovpn" file to add a line of the following form, then test the connection to find out whether your VPN provider supports it.

tls-cipher [cipher-1]:[cipher-2]:[cipher-3]

If it still does not connect with a strong cipher suite, contact your VPN provider and ask them to update their servers to use stronger encryption algorithms.
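The two VPN steps above can be scripted. This added example (not from the original article) builds a "tls-cipher" line from the ECDHE suites in `openvpn --show-tls` style output and audits an ".ovpn" profile for suites that are not ECDHE; the sample output, the profile, the host name vpn.example.net and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `openvpn --show-tls` output (header plus suite names).
sample_show_tls() {
cat <<'EOF'
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
EOF
}

# Build a tls-cipher directive from the ECDHE suites only, keeping client order.
# Exits non-zero when the client offers no ECDHE suite at all.
ecdhe_tls_cipher() {
  awk '
    /^TLS-ECDHE-/ { list = (list == "" ? $1 : list ":" $1) }
    END { if (list == "") exit 1; print "tls-cipher " list }
  '
}

# Audit an .ovpn profile on stdin: report tls-cipher suites that are not ECDHE.
# Commented-out directives ("#" or ";") are ignored because $1 will not match.
audit_tls_cipher() {
  awk '
    $1 == "tls-cipher" {
      found = 1
      n = split($2, suite, ":")
      for (i = 1; i <= n; i++)
        if (suite[i] !~ /^(TLS-)?ECDHE-/)
          bad = (bad == "" ? suite[i] : bad "," suite[i])
    }
    END {
      if (!found) print "missing"
      else if (bad != "") print "non-ecdhe:" bad
      else print "ecdhe-only"
    }
  '
}

# Demonstration on the constructed inputs.
sample_show_tls | ecdhe_tls_cipher
printf 'remote vpn.example.net 1194\ntls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384\n' | audit_tls_cipher
```

A result of "missing" means the profile sets no "tls-cipher" line, so the suite is negotiated from the client's default list.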
