Misconfigured groups. The Digital Signature Algorithm (DSA) [38] uses primes p such that p-1 has a large prime factor q and g generates only a subgroup of order q. When using properly generated DSA parameters, these groups are secure for use in Diffie-Hellman key exchanges. Notably, DSA groups are hard-coded in Java's sun.security.provider package and are used by default in many Java-based TLS servers. However, some servers in our scans used Java's DSA primes as p but mistakenly used the DSA group order q in the place of the generator g. We found 5,741 hosts misconfigured this way.

This substitution of q for g is likely due to a usability problem: the canonical ASN.1 representation of Diffie-Hellman key exchange parameters (coming from PKCS#3) is a sequence (p, g), while that of DSA parameters (coming from PKIX) is (p, q, g); we conjecture that the confusion between these formats led to a simple programming error.

In a DSA group, the subgroup generated by q is likely to have many small prime factors in its order, since for p generated according to [38], (p-1)/q is a random integer. For Java's sun.security.provider 512-bit prime, using q as a generator leaks 290 bits of information about exponents at a cost of roughly 2^40 operations. Luckily, since the provider generates exponents of length max(n/2, 384) for n-bit p, this does not suffice to recover a full exponent. Still, this misconfiguration bug results in a significant loss of security and serves as a cautionary tale for programmers.

4. STATE-LEVEL THREATS TO DH

The previous sections demonstrate the existence of practical attacks against Diffie-Hellman key exchange as currently used by TLS. However, these attacks rely on the ability to downgrade connections to export-grade crypto or on the use of unsafe parameters. In this section we address the following question: how secure is Diffie-Hellman in broader practice, as used in other protocols that do not suffer from downgrade, and when applied with stronger groups?

To answer this question we must first examine how the number field sieve for discrete log scales to 768- and 1024-bit groups. As we argue below, 768-bit groups, which are still in relatively widespread use, are now within reach for academic computational resources, and performing precomputations for a small number of 1024-bit groups is plausibly within the resources of state-level attackers. The precomputation would likely require special-purpose hardware, but would not require any major algorithmic improvements beyond what is known in the academic literature. We further show that even in the 1024-bit case, the descent time (necessary to solve any specific discrete log instance within a common group) would be fast enough to break individual key exchanges in close to real time.

In light of these results, we examine several standard Internet security protocols (IKE, SSH, and TLS) to determine the vulnerability of their key exchanges to attacks by resourceful attackers. Although the cost of the precomputation for a 1024-bit group is several times higher than for an RSA key
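The q-for-g misconfiguration discussed under "Misconfigured groups" above, worked through at toy sizes. This is an added example, not code from the paper or from Java's sun.security.provider; the bit lengths (20-bit q, 48-bit p), the seeds, the n/2-bit exponent rule and the 2^16 bound on brute-forced prime powers are assumptions chosen so that p-1 factors by trial division and the whole attack runs in well under a second. It builds a DSA-style group p = k*q + 1 with a random even cofactor k, compares the order of a proper generator (exactly q) with the order of q itself used as the generator, and runs Pohlig-Hellman over the small prime powers of that order to recover the exponent modulo their product, which is the bit leak the paragraph describes; the survey over several random cofactors shows that the leak is the typical case rather than a fluke. Requires Python 3.8 or later for the modular inverse via pow(m, -1, pe).

```python
# Added toy example, not code from the paper; all sizes and seeds are assumptions.
import random

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # exact below 3.3e24

def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2:
        return False
    for a in MR_BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def factor(n):
    """Trial division; fine for the ~28-bit cofactors k used here."""
    out, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            out[d], n = out.get(d, 0) + 1, n // d
        d += 1 if d == 2 else 2
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def element_order(g, p, pm1_fac):
    """Order of g in Z_p^* and its factorization, given the factorization of p-1."""
    order, fac = p - 1, dict(pm1_fac)
    for f in pm1_fac:
        while fac[f] and pow(g, order // f, p) == 1:
            order, fac[f] = order // f, fac[f] - 1
    return order, {f: e for f, e in fac.items() if e}

def toy_dsa_params(seed, q_bits=20, p_bits=48):
    """FIPS 186-style p = k*q + 1, random even k; returns (p, q, g, factors of p-1)."""
    rng = random.Random(seed)
    q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_prime(q):
        q += 2
    while True:
        k = 2 * rng.getrandbits(p_bits - q_bits - 1)
        p = k * q + 1
        if is_prime(p):
            break
    pm1 = factor(k)
    pm1[q] = pm1.get(q, 0) + 1
    h = 2
    while pow(h, k, p) == 1:  # h^k != 1 means g = h^k has order exactly q
        h += 1
    return p, q, pow(h, k, p), pm1

def smooth_part_leak(gen, p, y, order, order_fac, bound=1 << 16):
    """Pohlig-Hellman over prime powers <= bound of the order: returns (x mod m, m)."""
    x, m = 0, 1
    for f, e in order_fac.items():
        pe = f ** e
        if pe > bound:  # q itself and any other large factor stay out of reach
            continue
        g_i, y_i = pow(gen, order // pe, p), pow(y, order // pe, p)
        acc, x_i = 1, 0
        while acc != y_i:  # brute-force log in the subgroup of order pe (cost pe)
            acc, x_i = acc * g_i % p, x_i + 1
        x += m * (((x_i - x) * pow(m, -1, pe)) % pe)  # CRT with earlier residues
        m *= pe
    return x, m

def run(seed=2015, bound=1 << 16):
    """Compare a proper order-q generator with the misconfigured generator q."""
    p, q, g, pm1 = toy_dsa_params(seed)
    # Java uses max(n/2, 384)-bit exponents for n-bit p; the toy simply uses n/2 bits.
    x = random.Random(seed + 1).getrandbits(p.bit_length() // 2) | 1
    res = {}
    for label, gen in (("proper g", g), ("q as g", q)):
        order, order_fac = element_order(gen, p, pm1)
        rec, m = smooth_part_leak(gen, p, pow(gen, x, p), order, order_fac, bound)
        res[label] = {"order": order, "recovered": rec, "modulus": m, "leaked_bits": m.bit_length() - 1}
    return p, q, x, res

def survey(seeds):
    # leaked bits per random cofactor: the leak is the typical case, not a fluke
    return [run(s)[3]["q as g"]["leaked_bits"] for s in seeds]

if __name__ == "__main__":
    p, q, x, res = run()
    print(f"p={p} q={q} x={x}", res)
    print("leaked bits over 10 random cofactors:", survey(range(10)))
```

Running it prints, for one group, the order of each generator and the exponent bits recovered with it (none for the proper generator, since its only prime factor is q, which is above the bound), then the leak per cofactor across ten groups. The bound plays the role of the 2^40 budget quoted above: every prime power of the order that is cheap enough to brute-force contributes its bits to the leak, while the large factor q does not. With a 384-bit exponent and 290 leaked bits, roughly 94 bits would still have to be searched, which is why the paragraph concludes that a full exponent is not recovered.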