Diffie-Hellman (DH) key exchange is widely used in TLS for forward secrecy:

  • Client and server agree on a prime number and a generator .
  • Client picks a secret , computes , and sends to the server.
  • Server picks a secret , computes , and sends to the client.
  • Both parties compute the shared secret :

Problem

Many servers reuse the same small set of DH primes, making them vulnerable to precomputation attacks!

LogJam

Step 1: Man-in-the-Middle Attack

  • The attacker intercepts the ClientHello message.
  • The client proposes a strong Diffie-Hellman group (2048-bit).
  • The attacker modifies this to request an export-grade 512-bit DH group.

Step 2: Server Accepts Weak DH Group

  • The server allows the downgrade and responds with a weak DH group.
  • The attacker can now easily compute the discrete log for the shared key.
  • The attacker quickly computes the shared secret using precomputed discrete logs.
  • The attacker decrypts and relays traffic in real time.

Defending Against LogJam

Mitigation Steps:

  • Increase minimum DH key size to at least 2048 bits.
  • Disable export-grade ciphers completely.
  • Use unique DH groups instead of common shared primes.
  • Prefer Elliptic Curve Diffie-Hellman (ECDH) over traditional DH.
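
The first mitigation can also be enforced by the endpoint that receives the DH group: validate the group before sending any key material, then run the exchange described at the top of the page. The sketch below is an added example, not code from the original page; the function names are hypothetical, and the two moduli are constructed stand-ins (Mersenne primes chosen only for their bit length, not groups to deploy).

```python
import secrets

def is_probable_prime(n, rounds=16):  # Miller-Rabin primality test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in 2..n-2
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1, so n is composite
    return True

def check_group(p, g, min_bits=2048):  # 2048 = minimum from the mitigation list
    """Return the reasons to reject a received group; an empty list means accept."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is {p.bit_length()} bits, minimum is {min_bits}")
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
    if not 2 <= g <= p - 2:
        problems.append("generator out of range")
    return problems

def keypair(p, g):
    secret = secrets.randbelow(p - 3) + 2   # secret exponent in 2..p-2
    return secret, pow(g, secret, p)        # (kept private, sent to the peer)

def shared_secret(p, peer_public, secret):
    if not 2 <= peer_public <= p - 2:       # reject degenerate values 0, 1, p-1
        raise ValueError("peer public value out of range")
    return pow(peer_public, secret, p)

# Constructed demo groups (modulus, generator); sizes only, not for deployment.
WEAK_GROUP = (2**521 - 1, 3)      # 521 bits, close to export-grade size
STRONG_GROUP = (2**2203 - 1, 3)   # above the 2048-bit minimum

def handshake(p, g):
    """Run both sides of the exchange, refusing a bad group before any send."""
    if problems := check_group(p, g):
        raise ValueError("; ".join(problems))
    (a, A), (b, B) = keypair(p, g), keypair(p, g)  # client, server
    return shared_secret(p, B, a), shared_secret(p, A, b)
```

`handshake(*WEAK_GROUP)` raises before either side computes a public value, which is the behavior a client needs when a downgraded group arrives.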