What is a 2048 bit Diffie-Hellman key?

1. About the change

This change is in regard to the FlightStats Flex APIs, which reside at https://api.flightstats.com/ and are documented at https://developer.flightstats.com/. On July 27th, 2016, FlightStats modified the web servers at https://api.flightstats.com/ in order to increase encryption strength to acceptable levels. Specifically, we increased the encryption key size required during the Diffie-Hellman session key exchange from 1024 bits to 2048 bits.

Using a key smaller than 2048 bits makes the TLS connection vulnerable to the "LogJam" attack technique. The vulnerability is well documented here: https://weakdh.org/

The list of ciphers that https://api.flightstats.com/ supports will not change, but all TLS connections are impacted, as TLS connections always use Diffie-Hellman key exchange.

----------

2. Who is affected?

Nearly all modern TLS implementations support 2048 bit Diffie-Hellman keys. OpenSSL-based clients, as well as Java 7 & 8, support them by default.

Java 6 and below do not support 2048 bit DH key sizes. An exception like the following will occur when a default Java 6 JRE attempts to connect with TLS and 2048 bit Diffie-Hellman keys:

Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
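
As an added illustration (not FlightStats code): in a DHE handshake the server sends its Diffie-Hellman prime in the ServerKeyExchange message, and the "key size" is the bit length of that prime. The Python sketch below parses that message as laid out in RFC 5246 and applies the Java 6 limit quoted in the exception above; the function names are hypothetical and the sample messages are constructed, carrying placeholder values rather than real primes.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # HandshakeType value from RFC 5246

def _read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte length, then the bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def dh_prime_bits(handshake_msg):
    """Return the bit length of dh_p from a DHE ServerKeyExchange message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ServerDHParams is dh_p, dh_g, dh_Ys; in a real message a signature follows.
    p, off = _read_vec16(body, 0)
    _, off = _read_vec16(body, off)   # dh_g
    _, off = _read_vec16(body, off)   # dh_Ys
    return int.from_bytes(p, "big").bit_length()

def java6_accepts(bits):
    """Limit quoted in the Java 6 exception: multiple of 64, 512 to 1024."""
    return bits % 64 == 0 and 512 <= bits <= 1024

def assess(handshake_msg):
    bits = dh_prime_bits(handshake_msg)
    return {"bits": bits, "meets_2048": bits >= 2048,
            "java6_ok": java6_accepts(bits)}

def build_sample(bits):
    """Constructed message with a placeholder (non-prime) dh_p of that size."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    g = b"\x02"
    ys = b"\x01" * (bits // 8)
    body = b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))
    return (bytes([HANDSHAKE_SERVER_KEY_EXCHANGE])
            + len(body).to_bytes(3, "big") + body)

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, assess(build_sample(size)))
```
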

----------

3. How can I test my software in advance?

If your software can establish a TLS connection to https://www.ssllabs.com/ssltest/viewMyClient.html, then it supports 2048 bit Diffie-Hellman keys.

----------

4. What if my software cannot support 2048 bit keys?

If you have software that cannot be modified to support 2048 bit keys, then we recommend installing an on-premise HTTPS proxy that accepts TLS connections with 1024 bit Diffie-Hellman keys and relays the requests to https://api.flightstats.com/ over a TLS connection with 2048 bit Diffie-Hellman keys. We cannot offer specific guidance on this matter, as it is highly dependent on the characteristics and constraints of your infrastructure.
