D(HE)at: A Practical Denial-of-Service Attack on the Finite Field Diffie–Hellman Key Exchange

In this paper, D(HE)at, a practical denial-of-service (DoS) attack targeting the finite field Diffie-Hellman (DH) key exchange protocol, is presented, allowing remote users to send non-public keys to the victim, triggering expensive server-side DH modular-exponentiation calculations. The attack was disclosed in November 2021 with an assigned CVE-2002-20001 number. Additionally, the “long exponent” issue, an implementation flaw in cryptographic libraries where unreasonably large private keys are used, deviating from the recommended NIST guidelines, and making D(HE)at more effective, is presented. This issue was disclosed in November 2022 with an assigned CVE-2022-40735 number. A thorough analysis of the D(HE)at attack, along with proof of concept code that has the potential to compromise all existing protocols employing DH key exchange, such as TLS or SSH, is presented in this paper, highlighting the necessity of additional security measures for effective safeguarding. The potential of reaching full 100% CPU utilization by the D(HE)at attack is demonstrated, even on the most up-to-date operating systems, without any significant computation on the client side. With minimal bandwidth and a low request rate per second (rps), the D(HE)at attack can be carried out against target machines from a single laptop. In this study, the consequences of these issues are explored, and a comparative security and performance analysis is conducted among the most commonly used general-purpose cryptographic libraries, including OpenSSL, BoringSSL, LibreSSL, GnuTLS, NSS, Mbed TLS, OpenJDK, Oracle JDK, and WolfSSL. Based on Shodan measurements, it has been found that 87% of servers worldwide support DH key exchange in the SSH protocol, and according to our scan, 55% of the top 1 million websites support DH in TLS. As a result of this study, it is recommended that developers and administrators consider exclusively enabling Elliptic Curve Diffie-Hellman (ECDH), a significantly more efficient protocol, in their server configurations.