[Cryptography] Imperfect Forward Secrecy: How DH Fails in Practice

Henry Baker hbaker1 at pipeline.com
Wed Dec 30 09:17:18 EST 2015


Alex Halderman & Nadia Heninger's talk at 32c3:

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Slides:

https://weakdh.org/weakdh-ccs-slides.pdf

Paper:

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

Video of 60-minute talk:

http://cdn.media.ccc.de/congress/2015/h264-hd/32c3-7288-en-de-Logjam_Diffie-Hellman_discrete_logs_the_NSA_and_you_hd.mp4

On last slide:

1024-bit discrete log within range for governments.

Parameter reuse allows wide-scale passive decryption.

Mitigations:
* Move to elliptic curve cryptography
* If ECC isn’t an option, use ≥ 2048-bit primes.
* If 2048-bit primes aren’t an option, generate a fresh 1024-bit prime.
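
An added example, not part of the original post or the talk: a small auditor that reads a PEM "DH PARAMETERS" file, extracts the prime, and sorts it into the tiers of the mitigation list above (2048 bits or more, a fresh 1024-bit prime as last resort, a reused prime). The tier labels, the shared_primes set and the stand-in moduli (not real primes) are constructed for illustration.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block (SEQUENCE of two INTEGERs)."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, seq, _ = _tlv(base64.b64decode(b64), 0)
    tag_p, p, nxt = _tlv(seq, 0)
    tag_g, g, _ = _tlv(seq, nxt)
    if (tag, tag_p, tag_g) != (0x30, 0x02, 0x02):
        raise ValueError("not a DHParameter structure")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def audit(pem, shared_primes=frozenset()):
    """Classify a group; labels and the shared_primes set are assumptions."""
    p, _ = parse_dh_params(pem)
    bits = p.bit_length()
    if bits >= 2048:
        return bits, "ok"
    if bits < 1024:
        return bits, "too-small"
    return bits, "reused" if p in shared_primes else "last-resort"

# --- constructed sample input: DER-encode stand-in moduli (not real primes) ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _int(n):
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")   # leading 0x00 keeps it positive
    return b"\x02" + _len(len(raw)) + raw

def make_pem(p, g=2):
    seq = _int(p) + _int(g)
    der = base64.b64encode(b"\x30" + _len(len(seq)) + seq).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{der}\n-----END DH PARAMETERS-----"

print(audit(make_pem(2**1023 + 1), shared_primes={2**1023 + 1}))
```

In practice shared_primes would be filled with the primes a deployment knows to be widely shared defaults; the auditor only checks size and reuse, not primality.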


