How can a RSA-2048 certificate be vulnerable to logjam attack?

Question

Most likely I am missing some fundamentals: Our web servers are secured with TLS encryption. We use RSA-2048 bit certificates. The logjam attack targets the DH algorithm. How can our web servers be vulnerable to the logjam attack? Is a combination of both encryption algorithms used? Also Chrome states for our connection:

• Authentication and encryption with AES_128_GCM
• ECDHE_RSA for key exchange

We removed the support for several cipher suites a while ago and weakdh.org confirmed that we are not vulnerable anymore. Still I do not understand why we were vulnerable in the first place with RSA-2048.

Answer 1

[EC]DHE_RSA means that the shared secret between the client and server is computed via Diffie-Hellman. In the case of DHE each session has its own DH parameters (DHE = elliptic curve Diffie-Hellman ephemeral) which is done to provide forward secrecy. It goes something like this (over simplified):

• Server generates some DH parameters.
• Server signs the DH params with its long term key (i.e. your RSA 2048 key) and sends the params and signature to the client.
• Client verifies the signature for the params against the public RSA 2048 key contained in the servers certificate.
• If the signature is good the client and server use DH with these params to established a shared secret from which they derive keys for the session.

So if your server generates DH params that are too small (e.g. 512 bits) or it supports DHE_EXPORT (or anything else mentioned in the logjam paper), then you are still vulnerable to the attack. You can reference this answer for good discussion on the security of DH params. The key insight is that the long-term RSA key is being used to ensure that the parameters sent to the client were not tampered with and generated by the server. The actual key generation / derivation is done via DH.

(ECDHE does not have this pitfall, so any cipher suite with ECDHE_RSA should be fine).