In association with heise online

Diffie-Hellman key exchange

Diffie-Hellman (DH) key exchange is a cryptographic protocol in which two communication partners exchange non-secret information in order to arrive at a shared secret, without either of them ever sending anything confidential. The secret produced by the key exchange then serves as the session key for the symmetric encryption of the messages they exchange.

Because the DH protocol does not offer authentication of the partners, it is susceptible to man-in-the-middle attacks. If an attacker can actively interpose on the communication between the two partners, the attacker can pose to each of them as the other and thus negotiate a separate shared secret with each party. In practice, DH is therefore always used in combination with an additional authentication method, generally digital signatures.

One important aspect of the protocol is that it provides Perfect Forward Secrecy (PFS) if correctly implemented. Attackers will not be able to work out the negotiated session key even if they have obtained all other keys used in the communication, such as the long-term private keys of the communication partners. As a consequence, attackers are also unable to decrypt recordings of such protected connections after the fact.

To obtain Perfect Forward Secrecy with Diffie-Hellman, the two communication partners only have to discard the random numbers generated for the DH exchange as soon as they have agreed on a session key. If an attacker manages to obtain at least one of the two random numbers used for Diffie-Hellman, Perfect Forward Secrecy breaks down, and the attacker can go straight for the agreed symmetric key. Recorded communication sessions can then be decrypted after the fact. The asymmetric keys do not even need to be cracked if direct attacks on a session key are possible. In the case of OpenSSH, this even applies to connections in which authentication was done not with a public key but with a username and password.

Alexander Klink's script check_weak_dh_ssh.pl, which analyses recordings of OpenSSH sessions in PCAP format, shows that this works in practice. Based on the Diffie-Hellman parameters negotiated in the handshake, the script recomputes the public value for every random number the vulnerable Debian OpenSSL could have produced and checks for a match with the value sent in the handshake. If there is a match, the script reports which clients worked with weak random numbers. At the moment, the script cannot detect servers with weak random numbers, because they generate one random number per PID and connection number, so more precalculated data would be required.
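To make the mechanism concrete, here is an added Python example that is not from the article or from Klink's script: it runs a DH exchange and then performs the kind of audit described above. The group parameters are a constructed toy group, and a constructed weak RNG with a 14-bit seed space stands in for the broken Debian generator; a recorded client public value is matched against the small set of exponents that RNG can produce, and a match yields the session secret from the two public values alone.

```python
import secrets

# Constructed toy group for illustration only, not a real-world DH group:
# p = 2**127 - 1 (a Mersenne prime) and a small generator g.
P = 2**127 - 1
G = 7

def dh_keypair(rng=secrets.randbelow):
    """Return (private exponent x in [2, p-2], public value g^x mod p)."""
    x = 2 + rng(P - 3)
    return x, pow(G, x, P)

def dh_shared(my_private, their_public):
    """Both sides compute the same g^(ab) mod p from what they hold."""
    return pow(their_public, my_private, P)

# Constructed stand-in for a PRNG seeded only by the process ID: every
# exponent it can ever produce is a function of a 14-bit seed.
WEAK_SEED_SPACE = 1 << 14

def weak_exponent(seed):
    return 2 + (seed * 0x9E3779B97F4A7C15) % (P - 3)

def weak_rng(seed):
    """Mimics a broken client whose 'random' exponent is fixed by its seed."""
    return lambda _n: weak_exponent(seed) - 2

def find_weak_exponent(public_value):
    """Audit step in the spirit of check_weak_dh_ssh.pl: precompute every
    public value reachable from the weak seed space and look for a match."""
    table = {pow(G, weak_exponent(s), P): weak_exponent(s)
             for s in range(WEAK_SEED_SPACE)}
    return table.get(public_value)

def audit_session(client_public, server_public):
    """For a recorded handshake, return (is_weak, shared_secret_or_None).
    A weak client exponent makes the session secret derivable from the
    two public values alone: this is the PFS failure described above."""
    x = find_weak_exponent(client_public)
    if x is None:
        return False, None
    return True, dh_shared(x, server_public)

def demo():
    """Weak client vs. properly seeded server; True if the audit recovers
    exactly the secret the two parties agreed on."""
    a, A = dh_keypair(weak_rng(1234))   # client with weak randomness
    b, B = dh_keypair()                 # server with proper randomness
    assert dh_shared(a, B) == dh_shared(b, A)
    weak, recovered = audit_session(A, B)
    return weak and recovered == dh_shared(b, A)
```

A client with properly seeded randomness produces a public value that is not in the precomputed table, so the audit reports it as not weak.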

Permalink: http://h-online.com/-746211