The 2016 Pwnie Nominee For Best Cryptographic Attack

OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)

Credit: Antonio Sanso

What doesn’t go wrong with OpenSSL? When the trickster gods of software security see too much time elapse since the last exploitable memory corruption vulnerability in OpenSSL, they summon demons from the underworld to add support for new TLS options just so new memory corruption flaws can be introduced. ia! ia! OpenSSL! Leave no padding un-oracled! No Bleichen un-bachered! No buffer underflown, no carry un-un-propagated!

Even when OpenSSL gets things right, it gets things wrong, as Antonio Sanso discovered.

You and me, we look at RFC 5114 and we say to ourselves, “why are we reading RFC 5114?” and we go back to perfecting our Lucio wall-riding on Numbani in Overwatch.

Sanso looks at RFC 5114 and he thinks to himself, “why are these DH generator values so complicated compared to normal DH generator values?” And the answer, it turns out, is that they’re stupid and broken!

Now, you hear “why is this DH generator value so complicated?” and you think to yourself “I’m not sure whether my life would get any better at all if I knew what a DH generator value OH FUCK fucking Junkrat just did that stupid fucking tire thing on me now what were we talking about again?”

But it turns out your life does get a little better if you know how DH parameters work and you read RFC 5114 and you take the time to implement one of the all-time classic crypto attacks and people in the world actually use OpenSSL.

Because what you can do with the broken standard DH group is, you can make lots of TLS connections to an OpenSSL server and each time, feed it a bogus DH public key, one the generator couldn’t have generated, one that can only generate a small subset of all possible session keys. So small a subset, you can brute force it. And you can do that over and over again, and take all those broken session keys, and feed them to the Chinese Remainder Theorem, and GOD DAMMIT FUCKING REAPER — sorry, I mean you can remotely recover the OpenSSL server’s private DH key.

But only if OpenSSL’s DH is in its default configuration. The trickster gods didn’t want to make it too easy.
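To make the "small subset of session keys" concrete, here is an added toy example (not the page's or OpenSSL's code) showing that a group whose cofactor (p - 1) / q has many small prime factors contains low-order elements a generator could never produce, and the peer public-key validation (range check plus y^q mod p == 1) that rejects such a key before it confines the shared secret. The parameters P, Q, P_SAFE and Q_SAFE are constructed toy values, not real RFC 5114 groups.

```python
# Added, self-contained example (not OpenSSL's code): small-subgroup structure
# of a DH group and the peer-key validation that defeats confinement.
# All parameters are constructed toy values, not real groups.

def prime_factors(n):
    """Trial-division factorisation; adequate for the toy sizes used here."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def small_subgroup_orders(p, q):
    """Prime orders of the subgroups a bogus public key could be confined to.
    For a safe prime (p = 2q + 1) this is just [2]; a group with a large,
    smooth cofactor offers many tiny subgroups, each brute-forceable."""
    return sorted(set(prime_factors((p - 1) // q)))

def element_of_order(r, p):
    """Return an element of exact order r in Z_p^* (r prime, r divides p - 1)."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:          # y^r == h^(p-1) == 1 and y != 1, so order is exactly r
            return y
    raise ValueError("no element of that order")

def validate_peer_public_key(y, p, q):
    """Full public-key validation: range check plus y^q == 1 (mod p), which
    accepts only elements of the intended order-q subgroup generated by g.
    Without it, the server's private key x is reused against y^x in a tiny
    subgroup, which is what makes the per-connection brute force pay off."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

# Constructed toy group with a smooth cofactor: p - 1 = 2*3*5*7 * q, q = 11.
P, Q = 2311, 11
G = element_of_order(Q, P)        # generator of the intended order-q subgroup
# Constructed toy safe prime for contrast: p = 2q + 1.
P_SAFE, Q_SAFE = 23, 11

def demo():
    honest = pow(G, 5, P)                 # g^x for a private exponent x = 5
    bogus = element_of_order(7, P)        # confined to an order-7 subgroup
    return {
        "cofactor_primes": small_subgroup_orders(P, Q),                  # [2, 3, 5, 7]
        "safe_prime_cofactor_primes": small_subgroup_orders(P_SAFE, Q_SAFE),  # [2]
        "honest_key_accepted": validate_peer_public_key(honest, P, Q),   # True
        "bogus_key_rejected": not validate_peer_public_key(bogus, P, Q), # True
    }

if __name__ == "__main__":
    print(demo())
```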
