How to Backdoor Diffie-Hellman
David Wong
NCC Group
TLS
pre-2007: Absence of TLS
2007: TLS only for login forms (Graham sniffs Gmail cookies live at Black Hat)
2009: Moxie releases SSLstrip at Black Hat
2010: HSTS introduced in Firefox / Firesheep
2013: Facebook is full-https / Snowden leaks
2010/2014: preloaded-HSTS introduced in Chrome
Logjam
• hardcoded DHE parameters in Apache
• NSA believed to be able to compute discrete logarithms modulo 1024-bit integers
• too much work
Client Server
clientHello
serverHello
rsa(secret)
Client Server
clientHello
serverHello
clientKeyExchange
serverKeyExchange
U.S. export rules
• weak “Export” Cipher Suites
• 512-bit primes for Diffie-Hellman
• 40-bit keys for DES
LOTUS NOTES
• 64-bit crypto allowed…
• …if 24 bits of the key are encrypted to the NSA
• NSA’s RSA public key O=MiniTruth CN=Big Brother
Kleptography
• A kleptographic attack is an attack which uses asymmetric cryptography to implement a cryptographic backdoor.
• A secure kleptographic attack is undetectable as long as the cryptosystem is a black-box.
• what about white-box? Reverse Engineering?
Dual EC
CRYPTO 2007
NSA’s BULLRUN
Dual EC is obvious.
• Weak crypto
• Kleptography
• New Backdoored Algorithms
DHE backdoor?
• Everyone trusts DHE already
• Logjam: hardcoded DHE everywhere
• Everyone is upgrading to 2048-bit parameters
Diffie-Hellman
Alice Bob
Agenda
1. Group Theory
2. Attacks on DH
3. Construct a backdoor
4. Construct a NOBUS backdoor
Group Theory
Pohlig-Hellman
Known attacks against DH
• Trial Multiplication
• SNFS, GNFS
• Shanks' BSGS, Pollard Rho & Kangaroo, …
• Small subgroup attacks (active)
• Pohlig-Hellman (passive)
Small Subgroups Attack
alice
odd even
Pohlig-Hellman
Prime groups
CM-HSO: Composite Modulus with a Hidden Smooth Order
DEMO
https://github.com/mimoo/Diffie-Hellman_Backdoor
Detect and Protect
• Check for prime modulus
• Better: check for safe prime modulus
• Google Chrome deprecating DHE (-> ECDHE)
• migrating to ECDHE
END
how many VPN/libraries/closed-source products are backdoored?
what about ECDHE?
twitter.com/lyon01_david