Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Mozilla Implements Faster Diffie-Hellman Function in Firefox

Mozilla this week revealed plans to introduce a new key establishment algorithm in Firefox to improve both security and performance of the web browser.

Mozilla this week revealed plans to introduce a new key establishment algorithm in Firefox to improve both security and performance of the web browser.

Called Curve25519, and designed by Daniel Julius Bernstein, the algorithm is a high-security elliptic-curve-Diffie-Hellman function deemed suitable for a wide variety of cryptographic applications. The public key cryptography can achieve record-setting speeds, while also offering free key compression, free key validation, and state-of-the-art timing-attack protection, Bernstein explains (PDF).

Widely used for key-exchange in TLS, Curve25519 was recently standardized by the Internet Engineering Task Force (IETF). Mozilla has already implemented the algorithm in the latest Firefox Nightly, and expects Firefox 57, set to be released in November, to bring the feature to all users, Benjamin Beurdouche, Mozillian INRIA Paris – Prosecco team, reveals.

The implementation of Curve25519 into Firefox is the result of a collaboration with INRIA (French Institute for Research in Computer Science and Automation) and Project Everest (Microsoft Research, Carnegie Mellon University, INRIA).

As a result of the partnership, Mozilla aims to have the first major web browser to have formally verified cryptographic primitives.

In addition to being formally verified, the HACL Curve25519 implementation is also expected to deliver a 20% performance increase on 64-bit platforms when compared to existing NSS implementation (19500 scalar multiplications per second instead of 15100).

The enhancement, the Internet organization points out, is expected to improve the overall security of Firefox and its users, given that the key exchange algorithm has been already verified.

“Even innocuous looking bugs in cryptographic primitives can break the security properties of the overall system and threaten user security. Fortunately, recent advances in formal verification allow us to significantly improve the situation by building high assurance implementations of cryptographic algorithms,” Beurdouche says.

The organization also plans on implementing other HACL algorithms into NSS, and expects to be able to do so over the next months.

Related: Firefox Makes Adobe Flash Click-to-Activate by Default

Related: Mozilla Conducts Security Audit of Firefox Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...

Endpoint Security

Red Hat announced on Tuesday the general availability of a malware detection service for Red Hat Enterprise Linux (RHEL) systems.