Cryptographic Failures in Practice
Zakir Durumeric from the University of Michigan came to give a talk at the MIT security seminar. His research focuses on measurement-driven security. Specifically, he is interested in developing tools for researchers to better measure the Internet, and in using this perspective to understand how systems are deployed in practice. He talked about two topics: email security and the failure of Diffie-Hellman in practice. I’ll give a summary of the talk here. For more details, I refer you to his IMC paper for email security and his CCS paper for the failure of Diffie-Hellman in practice.
As originally conceived, SMTP had no built-in security. We have extended SMTP with new extensions to encrypt email in transit and authenticate email on receipt.
We have STARTTLS, which provides TLS between hops, and its usage in Gmail has increased over time. There is a long tail of mail operators: of the Alexa top 1M domains with mail servers, 81.8 percent support STARTTLS, 34 percent have certificates that match the MX server, and 0.6 percent have certificates that match the domain. However, STARTTLS provides only opportunistic protection, which leaves two main attacks: STARTTLS stripping and lying DNS servers.
There are a few ways to authenticate email. First, one could use DomainKeys Identified Mail (DKIM), where the sender signs messages with a cryptographic key. Second, one could use the Sender Policy Framework (SPF), where the sender publishes lists of IPs authorized to send mail. Finally, one could use Domain-based Message Authentication, Reporting and Conformance (DMARC), where the sender publishes a policy in DNS that specifies what to do if DKIM or SPF validation fails.
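To make the SPF and DMARC mechanisms above concrete, here is an added Python example (not from the talk or the papers) that evaluates a constructed SPF record against a sender IP and reads the DMARC policy a receiver applies when both checks fail. The records and IPs are invented; the SPF include/a/mx mechanisms and DMARC identifier alignment, which need live DNS, are deliberately left out.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; pct=100"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate a minimal SPF record against the connecting IP.
    Only ip4/ip6 and the final 'all' are handled; include, a and mx need DNS
    lookups and are rejected here. Returns pass/fail/softfail/neutral."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"                      # default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":       # matches whatever earlier terms did not
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism {mech!r} needs DNS; not supported offline")
        # An IPv4 sender never matches an ip6 network and vice versa.
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"                    # no 'all' term: SPF says nothing

def dmarc_policy(record, subdomain=False):
    """Return the DMARC policy (none/quarantine/reject) the sender published."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    if subdomain and "sp" in tags:       # 'sp' overrides 'p' for subdomains
        return tags["sp"]
    return tags.get("p", "none")

def disposition(spf, dkim_pass, policy):
    """Receiver decision: accept if aligned DKIM or aligned SPF passed, otherwise
    apply the published policy. Identifier alignment is assumed verified here."""
    if dkim_pass or spf == "pass":
        return "accept"
    return "accept" if policy == "none" else policy
```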
There are two IETF proposals to solve real-world issues. First, there is SMTP Strict Transport Security, which is the SMTP equivalent of HTTPS HSTS (key pinning). Then there is Authenticated Received Chain (ARC), a DKIM replacement that handles mailing lists.
Next, he talked about Diffie-Hellman. It is important to note that he is referring to the integer (finite-field) version of Diffie-Hellman, not the elliptic-curve version. For a primer on the Diffie-Hellman key exchange, I refer you to this article. Diffie-Hellman is pervasive on the Internet today: SSH, IPsec VPNs, HTTPS, SMTP, IMAP, POP3, etc.
The best-known attack against Diffie-Hellman is the number field sieve. Most of its cost is a precomputation that depends only on the prime, not on any particular key exchange, so a single widely shared (rather than unique) 1024-bit prime can be broken in a reasonable amount of time, after which every exchange that uses that prime is cheap to break. With some crude estimates, he theorizes that nation states have the ability to break 1024-bit primes in general. For these calculations, I refer you to his paper.
Zakir presented interesting work on the state of security on the Internet. He provides numbers that expose security flaws in practice. This is extremely useful in guiding future security practices.