Susanjenie (talk | contribs) mNo edit summary Tag: Reverted
Doug butler (talk | contribs) Undid revision 1158664210 by Susanjenie (talk) original meaning changed without explanation
Line 18:
"The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the 'Logjam' issue."</ref>
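The CVE text above describes the downgrade from the attacker's side; the client-side mitigation that browsers shipped was to refuse DHE_EXPORT suites and to refuse any ephemeral Diffie–Hellman group whose prime is shorter than a policy minimum, since a rewritten ServerHello still leaves the server's export-grade parameters visible in ServerKeyExchange. The following is an added example (not code from the Wikipedia article or from the Logjam authors) that applies both checks to a parsed ServerDHParams structure. The cipher-suite IDs are the IANA-registered values; the 2048-bit threshold and the sample moduli are constructed for the illustration and are not real primes.

```python
"""Client-side checks against a Logjam-style DHE downgrade (added example).

Two rules: never accept a DHE_EXPORT cipher suite, and never accept
ephemeral DH parameters whose prime is below a policy minimum. The
second rule is what catches the attack in the CVE text, because the
client sees a normal DHE suite in the rewritten ServerHello but the
ServerKeyExchange still carries the server's 512-bit export group.
"""
import struct

# IANA cipher suite IDs of the two DHE export suites (RFC 2246 appendix A.5).
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

# Policy threshold (assumption for this example): 2048 bits keeps a margin
# above the 1024-bit size the article discusses as precomputable.
MIN_DH_PRIME_BITS = 2048


def parse_server_dh_params(data: bytes):
    """Parse ServerDHParams (RFC 5246 section 7.4.3):
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>.
    Each field is a 2-byte big-endian length followed by that many bytes.
    Returns (p, g, Ys) as ints, raising ValueError on malformed input."""
    fields = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated length field for {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad length {length} for {name}")
        fields.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after dh_Ys")
    return tuple(fields)


def check_dhe_handshake(cipher_suite: int, server_dh_params: bytes):
    """Return (accept, reason) for a negotiated suite plus the server's DH params."""
    if cipher_suite in DHE_EXPORT_SUITES:
        return False, f"export suite {DHE_EXPORT_SUITES[cipher_suite]} refused"
    try:
        p, g, ys = parse_server_dh_params(server_dh_params)
    except ValueError as exc:
        return False, f"malformed ServerDHParams: {exc}"
    bits = p.bit_length()
    if bits < MIN_DH_PRIME_BITS:
        # This is the Logjam case: a normal DHE suite, but export-sized group.
        return False, f"DH prime is {bits} bits, below minimum {MIN_DH_PRIME_BITS}"
    if not 1 < g < p - 1:
        return False, "generator out of range"
    if not 1 < ys < p - 1:
        return False, "server public value out of range"
    return True, f"DH prime is {bits} bits"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams body; used here only to construct test messages."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample moduli (NOT real primes; only the bit length matters here).
WEAK_P = (1 << 511) | 0x1234    # 512-bit, the size of an export-grade group
STRONG_P = (1 << 2047) | 0x5678  # 2048-bit

# Non-export DHE suite used in the sample handshakes: TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
DHE_RSA_AES256 = 0x0039

if __name__ == "__main__":
    for suite, p in ((0x0014, WEAK_P), (DHE_RSA_AES256, WEAK_P), (DHE_RSA_AES256, STRONG_P)):
        print(hex(suite), check_dhe_handshake(suite, encode_server_dh_params(p, 2, 5)))
```

The second sample handshake is the one that matters: the suite is an ordinary DHE suite, exactly what a client would see after the ServerHello rewrite, and it is the prime-length check on the ServerKeyExchange, not the suite check, that rejects it.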
The authors also estimated the feasibility of the attack against 1024-bit Diffie–Hellman primes. By design, many Diffie–Hellman implementations use the same pre-generated [[prime number|prime]] for their field. This was considered secure, since the [[discrete log problem]] is still considered hard for big-enough primes even if the group is known and reused. The researchers calculated the cost of creating the Logjam precomputation for one 1024-bit prime at hundreds of millions of USD, and noted that this was well within
However, claims about the practical implications of the attack were disputed by security researchers Eyal Ronen and [[Adi Shamir]] in their paper "Critical Review of Imperfect Forward Secrecy".<ref>{{Cite document | url=http://www.wisdom.weizmann.ac.il/~eyalro/RonenShamirDhReview.pdf | first1=Eyal | last1=Ronen | first2=Adi | last2=Shamir | title=Critical Review of Imperfect Forward Secrecy | date=October 2015 | journal= | access-date=2022-04-30 | archive-date=2021-12-11 | archive-url=https://web.archive.org/web/20211211100114/https://www.wisdom.weizmann.ac.il/~eyalro/RonenShamirDhReview.pdf | url-status=live }}</ref>