What is a 2048 bit Diffie-Hellman key?

1. About the change

This change is in regard to the FlightStats Flex APIs, which reside at https://api.flightstats.com/ and are documented at https://developer.flightstats.com/. On July 27th, 2016 FlightStats modified the web servers at https://api.flightstats.com/ in order to increase encryption strength to acceptable levels. Specifically, we increased the encryption key size required during the Diffie-Hellman session key exchange, from 1024 bits to 2048 bits.

Using a key smaller than 2048 bits makes the TLS connection vulnerable to the "LogJam" attack technique. The vulnerability is well documented here: https://weakdh.org/

The list of ciphers that https://api.flightstats.com/ supports will not change, but all TLS connections are impacted, as TLS connections always use Diffie-Hellman key exchange.


2. Who is affected?

Nearly all modern TLS implementions support 2048 bit Diffie-Hellman keys. Openssl-based clients, as well as Java 7 & 8 support it by default.

Java 6 and below do not support 2048 DH key sizes. An exception like the following will occur when a default Java 6 JRE attempts to connect with TLS and 2048 Diffie-Hellman keys:

Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)


3. How can I test my software in advance?

If your software can establish a TLS connection to https://www.ssllabs.com/ssltest/viewMyClient.html, then it supports 2048 bit Diffie-Hellman keys.


4. What if my software cannot support 2048 bit keys?

If you have software that cannot be modified to support 2048 bit keys, then we recommend installing an on-premise HTTPS proxy that can accept TLS connections with 1024 bit Diffie-Hellman keys, but then relay the requests to https://api.flightstats.com/ over a TLS connection with 2048 Diffie-Hellman keys. We cannot offer specific guidance on this matter, as it is highly dependent on the characteristics and constraints of your infrastructure.




Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk