CVE-2022-40735: Using long exponents in the Diffie-Hellman Key Agreement Protocol can lead to expensive DHE modular-exponentiation calculations on the server side.

This is mitigated by configuring the Diffie Hellman key agreement to use a larger exponent. For example, the client could use a value of 5, rather than the default of 2, in the Diffie Hellman key agreement. This significantly increases the cost of the server-side modular-exponentiation calculation. With a cost of 25 instead of 7, the client can still claim only DHE, and the server must still allow DHE. Now the cost of the server-side modular-exponentiation calculation is 25 times 25, or 625.
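How the bit length of the exponent drives the cost of a modular exponentiation, as an added example that is not part of the original page: it counts the modular multiplications done by textbook square-and-multiply. The modulus (the Mersenne prime 2^521 - 1), the base 3 and all function names are assumptions chosen for illustration.

```python
# Added example: count the modular multiplications performed by textbook
# square-and-multiply for exponents of different bit lengths.
import secrets

# Constructed parameters for illustration: the Mersenne prime 2**521 - 1
# and base 3. Real DHE groups are larger, but the operation count depends
# only on the exponent, so the trend is the same.
P = 2**521 - 1
G = 3


def modexp_counted(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, squarings, multiplies).
    """
    result = 1
    squarings = multiplies = 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus  # one squaring per exponent bit
        squarings += 1
        if bit == "1":
            result = (result * base) % modulus  # one multiply per set bit
            multiplies += 1
    return result, squarings, multiplies


def random_exponent(bits):
    """Random exponent with exactly `bits` bits (top bit forced to 1)."""
    return secrets.randbits(bits) | (1 << (bits - 1))


def cost_table(bit_lengths):
    """Return {bits: total modular multiplications} for one random exponent each."""
    table = {}
    for bits in bit_lengths:
        x = random_exponent(bits)
        value, sq, mul = modexp_counted(G, x, P)
        assert value == pow(G, x, P)  # cross-check against the built-in
        table[bits] = sq + mul
    return table


if __name__ == "__main__":
    for bits, ops in cost_table([128, 256, 512]).items():
        print(f"{bits:4d}-bit exponent: {ops} modular multiplications")
```

Each exponent bit costs one squaring and each set bit one extra multiplication, so the work grows linearly with the exponent's length, on top of the per-multiplication cost set by the modulus size.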

Mitigation Strategies

The MITRE CVE-2022-40735 vulnerability can be mitigated using the following strategies:

Designating a specific MAC value for use with Diffie Hellman key agreement within TLS
Padding Diffie Hellman parameter values to at least 128 bits
Use of elliptic curves instead of finite fields

