Websites, mail servers, and other Transport Layer Security (TLS) dependent services that support Diffie-Hellman key exchange using ephemeral keys (DHE cipher suites) are at risk of the DHEat attack. Services using other cryptographic protocols can also be affected.
You can mitigate the vulnerability or significantly decrease its effectiveness in the following ways:
Quite widespread. Diffie-Hellman is part of well-known cryptographic protocols and is implemented by most cryptographic libraries, such as Mbed TLS, GnuTLS, OpenSSL, etc., and many servers still use it. However, the share varies from protocol to protocol: both the cryptographic protocol and the application protocol influence the usage ratio. The attack can work regardless of the fact that the elliptic-curve variant of Diffie-Hellman (ECDHE) is preferred over the original, finite-field version (DHE). It is sufficient that DHE is enabled in the server configuration; it does not need to be the preferred key exchange.
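Because the mere presence of a DHE suite is what matters, a configuration audit should ask "is DHE enabled at all?" rather than "is DHE preferred?". The following Python snippet is an added example, not code from the original page: it expands an OpenSSL-style cipher string (the format of nginx `ssl_ciphers` and Apache `SSLCipherSuite`) with Python's `ssl` module and reports every suite whose key exchange is finite-field DHE (OpenSSL labels it `kx-dhe`). The two cipher strings `LEGACY_COMPAT` and `ECDHE_ONLY` are constructed for illustration.

```python
import ssl


def audit_cipher_string(cipher_string: str) -> dict:
    """Expand an OpenSSL cipher string and report its finite-field DHE exposure.

    Only TLS 1.2-and-below suites are inspected: TLS 1.3 suites carry no
    key-exchange information in their name (OpenSSL reports them as 'kx-any').
    Raises ssl.SSLError if the string matches no cipher suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    dhe_suites = [c["name"] for c in suites if c["kea"] == "kx-dhe"]
    return {
        "total": len(suites),
        "dhe_suites": dhe_suites,
        "dhe_enabled": bool(dhe_suites),
    }


# Constructed examples: a compatibility-oriented list that keeps DHE for
# clients without ECDHE support, beside one that removes DHE entirely.
LEGACY_COMPAT = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES"
ECDHE_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES:!DHE"

if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY_COMPAT), ("hardened", ECDHE_ONLY)):
        report = audit_cipher_string(spec)
        print(f"{label}: {len(report['dhe_suites'])}/{report['total']} "
              f"suites use DHE -> exposed: {report['dhe_enabled']}")
        for name in report["dhe_suites"]:
            print("   ", name)
```

Note that a DHE suite listed last in the server's preference order still counts as enabled, which is exactly the condition the text describes.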
DHE mainly provides backward compatibility with older client applications that do not support ECDHE, but it has an essential advantage over RSA key exchange in that it provides forward secrecy. Forward secrecy is a property of key exchange algorithms that makes them future-proof. If the key is exchanged using an algorithm with this property, the eavesdropped encrypted traffic cannot be decrypted even if the master secret has been compromised.
The reason why DHE is still popular in Transport Layer Security (TLS), Secure Shell (SSH), Internet Protocol Security (IPsec), and OpenVPN is that it provides both backward compatibility and forward secrecy. Outside TLS, performance is usually not so critical: SSH servers and VPN (Virtual Private Network) servers such as IPsec and OpenVPN handle a relatively small number of new connections. As the cryptographic handshake is rare, a key exchange algorithm with lower performance (DHE) is acceptable, especially given that forward secrecy is particularly important for remote access protocols like SSH and IPsec.
Among the web servers of the top 100 domains, Diffie-Hellman key exchange support is extremely low. Among the top 10 thousand domains, the ratio of servers supporting DHE is above 25%, which is still not very high. In the case of the top 1 million domains, the ratio is 45%, which can be considered high, especially considering that there are more than 25 million HTTPS servers according to Shodan. If the ratio in general is similar to that of the top 1 million domains, more than 10 million servers connected to the internet could be using the Diffie-Hellman key exchange.
The vast majority of web servers use a 2048-bit key size, where the DHEat attack can be effective. The ratio of 1024-bit key sizes is still worryingly high, because the Logjam attack against such groups is estimated to be feasible for a state-level attacker. It should be noted that TLS 1.2 originally supported only a single, server-chosen key size, but an extension (RFC 7919) allows the key size to be negotiated as part of the handshake. This extension is part of the TLS 1.3 protocol definition. However, unlike other cryptographic libraries (e.g., GnuTLS, OpenJDK, WolfSSL), OpenSSL does not support the extension in TLS 1.2 and did not support Diffie-Hellman key exchange in TLS 1.3 before version 3.0.