Websites, mail servers, and other Transport Layer Security (TLS) dependent services that support Diffie-Hellman key exchange using ephemeral keys (DHE cipher suites) are at risk of the DHEat attack. Services using other cryptographic protocols can also be affected.
* Secure Shell (SSH) services support Diffie-Hellman key exchange methods.
* Internet Protocol Security (IPsec) services offer DH groups.
* OpenVPN servers support Diffie-Hellman key exchange in the control channel (DHE TLS ciphers).
DHE has already been considered weak, with ECDHE as the recommended replacement, for a long time now, so I suspect that most systems operated by people who take security seriously already won't be vulnerable to this.
Your post corroborates SUSE[0] claims that ECDHE is not vulnerable to this. Default golang TLS server looks like it's got it's head on straight for this.
I'm a bit confused what the attack is. Is it just that SSL handshakes are expensive for the server, while the client avoids the computational cost because it chooses a random public key instead of one for which it knows the private key?
And why doesn't this also apply to plain RSA and ECDHE_RSA suites, which need to compute an expensive RSA private key operation, which should be similarly expensive as DH?
8 comments
[ 2.7 ms ] story [ 23.6 ms ] threadWebsites, mail servers, and other Transport Layer Security (TLS) dependent services that support Diffie-Hellman key exchange using ephemeral keys (DHE cipher suites) are at risk of the DHEat attack. Services using other cryptographic protocols can also be affected.
* Secure Shell (SSH) services support Diffie-Hellman key exchange methods. * Internet Protocol Security (IPsec) services offer DH groups. * OpenVPN servers support Diffie-Hellman key exchange in the control channel (DHE TLS ciphers).
[0] https://www.suse.com/support/kb/doc/?id=000020510
[1] - https://www.ssllabs.com/ssltest/analyze.html?d=dheat-attack....
https://nvd.nist.gov/vuln/detail/CVE-2002-20001
And why doesn't this also apply to plain RSA and ECDHE_RSA suites, which need to compute an expensive RSA private key operation, which should be similarly expensive as DH?