8 comments

[ 2.7 ms ] story [ 23.6 ms ] thread
Who is affected?

Websites, mail servers, and other Transport Layer Security (TLS) dependent services that support Diffie-Hellman key exchange using ephemeral keys (DHE cipher suites) are at risk of the DHEat attack. Services using other cryptographic protocols can also be affected.

* Secure Shell (SSH) services support Diffie-Hellman key exchange methods. * Internet Protocol Security (IPsec) services offer DH groups. * OpenVPN servers support Diffie-Hellman key exchange in the control channel (DHE TLS ciphers).

DHE has already been considered weak, with ECDHE as the recommended replacement, for a long time now, so I suspect that most systems operated by people who take security seriously already won't be vulnerable to this.
I'm a bit confused what the attack is. Is it just that SSL handshakes are expensive for the server, while the client avoids the computational cost because it chooses a random public key instead of one for which it knows the private key?

And why doesn't this also apply to plain RSA and ECDHE_RSA suites, which need to compute an expensive RSA private key operation, which should be similarly expensive as DH?