Diffie-Hellman (DF) protocol is key agreement protocol which allows two entities to exchange a shared secret key over insecure channel without previously sharing any secret material or even have any previous infrastructure. What is needed just to agree on two global parameters, which is considered major benefits of using this protocol. Another benefit of DF protocol is that it enables entities create shared keys on-demand without the need to store them for long duration, and dispose them once done.
In this protocol, both entities (e.g. Alice and Bob) agree on two numbers (e.g. p and g) where p is large prime number. The number g is chosen such that the positive integer q in this equation gˆq =1 modulo p is large. Alice, then, chooses her private key x where 1≤x≤q, and Bob does the same. From the private keys, both of Alice and Bob compute the public key using gˆx modulo p. This operation is irreversible so that the secret key can’t be calculated from the Public key. After that, Alice computes the shared key K =(gˆy)ˆx modulo p and Bob create the same key K = (gˆx)ˆy modulo p. As you see, the shared secret K is the same for both entities: K = (gˆy)ˆx modulo p = (gˆx)ˆy.
This process makes DF attractive protocol to be used in VPNs where peers need a shared secret key to establish secure channel that enable them securely exchange other key material for symmetric ciphers and MACs. However, there are many weaknesses in this protocol.
The first major weakness in Diffie-Hellman protocol is that the protocol by nature can’t achieve any kind of authentication. So, both entities have no guarantee about with whom they exchanged keys. This make the VPN connection susceptible to the MITM attack prior to establishing the connection. MITM takes place when a malicious third party can impersonate identity of Alice while communicating with Bob, and impersonate identity of Bob while communicating with Alice and negotiate keys with both of them. This enable the third party to relay messages between both entities during the connection lifetime which threatens confidentiality and integrity of data.
Another weakness resulted from the fact that DF protocol is computationally intensive protocol, this makes the protocol vulnerable to what is known as the clogging attack. In this attack, one entity requests high number of keys from another one which makes the victim spends a lot of its computing resources in useless calculations. This condition causes Denial of Service attack that impacts availability of the victim.
Recent weakness has been discovered by group of researchers who published paper about new attack against this protocol called ‘Logjam’. Logjam is security vulnerability against DH groups that exchange keys smaller than 1024 bits. Main reasons behind realization of this attack is the fact that many of devices which utilize DH protocol use the common DH groups which are based on 1024-bit prime numbers. Also, some devices support the legacy export-grade 512-bit primes. When satisfying the above conditions and exploiting this vulnerability, the attacker can perform MITM attack to force clients to downgrade TLS connection to use the old 512-bit export-grade cryptographic keys, which make it easier for the attacker to learn the session key and read exchanged data and even inject data into the connection, which apparently impacts confidentiality and integrity of transmitted data. This vulnerability affects mainly TLS-based connections including VPN connections based on TLS that utilize DF protocol. Although IPSec VPN connections are not affected, it is strongly recommended to use 2048-bit keys.