The 2015 Pwnie Winner For Most Innovative Research

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Credit: David Adrian et al.

This paper introduces the Logjam attack, a vulnerability that allows a man-in-the-middle attacker to downgrade TLS connections to 512-bit export-grade Diffie-Hellman and recover the session keys. It then goes on to make a convincing case that the NSA is already doing this for 1024-bit Diffie-Hellman. Although this would require an enormous investment in computing power (perhaps the biggest secret crypto project since WW II), it would allow them to passively eavesdrop on about half of encrypted VPN and SSH traffic. This explanation precisely fits the crypto breaks described in the Snowden leaks. This paper is a landmark result, in that it uncovers a major blindspot in the relation between crypto theory and security practice, introduces a novel TLS break that is practical to exploit today, and solves a major open question about government mass surveillance capabilities.