The OpenVPN section is misleading. The dh option is only supported on the server side. If you try to use it on the client side (which is what this guide appears to be tailored towards) it will be ignored and you'll use whatever DH parameters the server provides.
It may be misleading but also in the sense that there's no recommendation to just drop VPN altogether. How about we just stop relying on terribly over-designed protocols such as VPN and IPSec? Complexity is the enemy of security.
There's nothing inherently wrong with the DHE ciphersuites, as long as the server provides secure parameters. Since weakdh is really a server-side issue, and howsmyssl.com is a client-side test, a warning doesn't really make sense.
... but clients can guard against weak server-side DHE by rejecting DHE ciphersuites. So I think the GP was correct that this diagnostic should be updated.
No, because as agwa pointed out, howsmyssl checks client security. There's nothing wrong with a DHE cipher suite and it can be used in a secure manner quite easily. Since this is wholly on the server, and howsmyssl has no way of testing a server you're connecting to, then there's no possible way for it to know if your specific connections are okay or not. Based solely on the client suites tested, DHE would still be considered secure. It's only the interaction with an insecure server that makes it insecure.
Does anyone have links to bugs for the affected programs to make 2048 the minimum by default? It seems like we shouldn't have to continue to manually configure secure settings.
OpenVPN?
SSH?
Nginx?
Apache?
Where are the bugs to make these not use insecure dhparams by default?
FWIU of the situation, we have reason to suspect the government has 'cracked' the default large primes that are commonly used by a bunch of different software packages, including web servers. Assuming they have, the challenge is then defined as determining which applications and sites tend to use these standardized or hard-coded primes.
> Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites.
I'll point out that agwa's comment is relevant here in mitigation. Without any control over what primes are used on the server side, the only resolution would be to detect that the server is using such a prime and then avoid communicating with that server until they've patched their systems. Perhaps someone who knows more about this could comment on how we could go about notifying websites that they are using vulnerable primes?
Maybe a Chrome plugin attached to an IPFS client could be one method to warn on access of sites using default primes.
The problem (defined as narrowly as possible) should be as simple as finding every application that uses 1024 bit Diffie Hellman and making it use 2048 bit Diffie Hellman instead.
> nonsense ... the only sane one here ... hysterical ... conspiracy conjecture ... the cultural narrative ... all-seeing eye ... sensible ... conspiracy
Nearly this entire comment is name-calling in the sense of the HN guidelines when they say: When disagreeing, please reply to the argument instead of calling names. E.g. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
When posting to HN, please edit that out and stick to the substance.
"The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand... Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale."
Ok, how's this for sensible? The holy trinity of criminal law is means, motive and opportunity. Let's review:
Does the NSA have the means for such an attack? The article argues convincingly that they do.
Does the NSA have the motive for such an attack? Yes, if their mission is to gain access to as much of the signals traffic in the world as possible -- and I think that's been pretty well shown to be true.
Does the NSA have the opportunity for such an attack? Certainly, the Snowden papers have shown that the NSA has access to a wide variety of communications channels.
So, I think it's a perfectly sane argument to say that if the NSA haven't performed this attack already, they will certainly do so at some point in time against some target. And, if they are not, state intelligence organizations under other flags, such as China, will -- and China has shown a clear interest in attacking not just military but also commercial targets within the USA.
You want a sensible discussion? How about starting with not calling people "conspiracy theorists" for merely wanting to be as safe as possible?
And how about not asking things such as "Am I the only sane one here?" then? You're surrounded with very smart people on this website, most of which will tell you that it's not insane to assume the worst of the NSA, and yet you hop around calling people crazy. If you're not going to do this for the sake of reason, at least do it for the sake of humility.
> Am I the only sane one here? Can no-one else see that the response is hysterical?
This is an asinine pair of questions to ask because they are logically unanswerable and interdependently blaming. If someone were to answer "yes, you are the only sane person here", then you've successfully elevated yourself to a level by which you can judge. If someone were to answer "no, you aren't the only sane person here" you get the sequential treatment applied to the rhetorical question "So you can see this response is (then) hysterical?" and you still get to judge.
Clearly you think I'm hysterical, regardless of whether it was asked as a question or not.
I have every right to voice my opinions and questions about how we can trust the tools we use for our craft on a day-to-day basis. I also have the right to the expectation the tools aren't being mass-monitored by our government as a cheap and insecure way of doing their job: law enforcement. I am grateful to be fortunate enough to understand how we technically implement these levels of trust in our tools and feel it is part of my social responsibility to share my views on these matters with my peers. I don't believe in allowing criminals to break laws, but I also feel that making things less secure by trying to monitor everyone for criminal activity is not the answer because I also think it's prohibitively expensive to eliminate all criminal activity. Maybe that makes me hysterical...but at least I don't speak for others.
I made ZERO blaming statements in my comment. I asserted that, from what I understand of the parent article, we have reason to suspect the government has cracked, or has the ability to crack, large primes. We know for a fact that a lot of software uses the default primes, so the logic goes that the government has the ability to monitor a portion of what we would normally consider secure SSL traffic. That individuals have little way of mitigating this "vulnerability" is an important point here because it may depend on us working together to determine the attack coverage and exposure. Without knowing those things, we're really at a loss as to what could possibly be going on with monitoring.
I will also point out that, if those cracked prime solutions exist, they will eventually fall into the wrong hands.
Cryptography based on limitations of computing power has to make the assumption that if the computing power required is even potentially within reach of any existing organization, or within orders of magnitude of being within reach, it's long past time to migrate away. It doesn't matter if the capability has in fact been developed; if it seems even remotely feasible, time to migrate to better crypto.
Moving to 2048 or 4096, or to ECC, thus seems like a prudent step whether you believe such intercept capabilities actually exist or not.
Why is it not a reasonable assumption that the NSA (and possibly other actors with the means) are doing so? / Why wouldn't you do it in their position?
Because this particular military spy organisation is being deployed by the US government against its own citizens, en masse, as an end-around well-established due process and constitutional protections that require individualised suspicion of wrongdoing. It also represents a giant exfiltration target for other state actors, like those who breached OPM. NSA hurts the security of Americans under the guise of preventing foreign terrorism, which happens to pose a risk comparable to lightning strikes.
So you're telling me there's no evidence that the NSA has committed call logs of every US Verizon subscriber to their own persistent storage for later inspection? No evidence that NSA intercepted inter-datacenter transfers of American companies, who were housing the personal data of Americans? No evidence that Americans have been swept up in overly-broad "one foreign end" wiretaps? All of the weakdh.org people are crazy? That well-documented room in the AT&T building in San Francisco was just a big misunderstanding?
I would not do it if I was in their position. I'm a US citizen, so I believe in upholding the constitution, which includes a prohibition on unreasonable search and seizure. Whatever the lawyers and judges have made "unreasonable" out to be, NSA dragnet surveillance is way beyond "reasonable" and on into "police state" territory.
Also, I'm not a pervert who gets kicks from listening to others' conversations. They apparently are.
The only reasonable assumption I can come up with for not cracking the stock primes would be expense and inability to execute on a plan. Otherwise, it makes perfect sense to crack them. And, talk about fun and interesting work!
Easy-rsa[1] (OpenVPN's key/cert generation/signing tool) version 3 will generate a 2048 bit diffie hellman key by default. Previous versions of easy-rsa used 1024 bit as default.
Here is a comment written in the vars configuration file for easy-rsa 2.2.2:
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
So if you used easy-rsa version 2.2.2 or previous to generate your diffie hellman key for the server, and didn't increase the default size in the vars file before doing so, your server uses a 1024 bit diffie hellman key.
From what we know as long as it is a custom 1024-bit DH key and you're not being actively targeted by the NSA you are probably okay. That said, you should still upgrade to 2048-bit (or higher, if you're paranoid) ASAP.
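To turn the easy-rsa advice above, and the follow-up point that a custom 1024-bit prime is less exposed than a shared one, into a check you can run against a server's dh.pem, here is an added example in Python; it is not from the thread or from the easy-rsa/OpenVPN projects. It parses the PKCS#3 "DH PARAMETERS" PEM that `openssl dhparam` writes, reports the prime's bit length, and flags the RFC 2409 Oakley group 2 prime as a well-known shared group. The 2048-bit minimum and the command-line file path are assumptions; the sample PEM is constructed inside the block.

```python
"""Report the size and origin of the prime in an OpenVPN/OpenSSL dh.pem.

Added example, not part of the thread. A PKCS#3 DHParameter file is a DER
SEQUENCE { prime INTEGER, generator INTEGER } wrapped in PEM; this parser
needs nothing beyond the standard library.
"""
import base64
import re

# Sample input, constructed for this example: the 1024-bit Oakley group 2
# prime (RFC 2409), which is also SSH's diffie-hellman-group1-sha1 group.
OAKLEY_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Primes shared by many installations: a match means the per-prime
# precomputation described at weakdh.org would apply to this server too.
KNOWN_PRIMES = {OAKLEY_GROUP2: "RFC 2409 Oakley group 2 (1024-bit)"}


def _der_length(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER: minimal big-endian bytes, 0x00 prefix if the high bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def build_dh_pem(prime, generator=2):
    """Produce the same PEM layout that `openssl dhparam` writes (for the sample)."""
    der = _der_integer(prime) + _der_integer(generator)
    der = b"\x30" + _der_length(len(der)) + der
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag/length/value at pos; return (value_bytes, next_pos)."""
    if buf[pos] != expected_tag:
        raise ValueError("unexpected DER tag 0x%02x at offset %d" % (buf[pos], pos))
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def parse_dh_pem(pem):
    """Return (prime, generator) from a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)          # outer SEQUENCE
    p_bytes, pos = _read_tlv(seq, 0, 0x02)    # prime
    g_bytes, _ = _read_tlv(seq, pos, 0x02)    # generator
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess_dh_pem(pem, minimum_bits=2048):
    """What a defender wants to know: size, generator, and whether the prime is shared."""
    p, g = parse_dh_pem(pem)
    return {
        "bits": p.bit_length(),
        "generator": g,
        "well_known": KNOWN_PRIMES.get(p),
        "ok": p.bit_length() >= minimum_bits and p not in KNOWN_PRIMES,
    }


if __name__ == "__main__":
    import sys
    # Assumed usage: python dhcheck.py /etc/openvpn/dh.pem (path is an assumption)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_dh_pem(OAKLEY_GROUP2)
    print(assess_dh_pem(pem))
```

Without an argument the script assesses the constructed Oakley group 2 sample and reports it as a well-known 1024-bit prime that fails the 2048-bit minimum.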
OpenVPN makes you provide your own parameters; there is no default.
As of Apache 2.4.7, the default DH parameters have the same number of bits as your RSA key, and since CAs have required at least 2048 bit RSA for a few years now, you'll be fine.
OpenSSH does ship parameters that are larger than 1024 bits (in addition to 1024 bit parameters), and with the "group-exchange" kex, sufficiently-secure parameters should be negotiated with clients, although I haven't looked too closely to see if this might be vulnerable to downgrade attacks.
Last I looked nginx used fixed 1024 bit parameters, which is very bad. I don't know if this has changed or if there's a bug report.
RSA key exchange is still secure, but you lose PFS when downgrading to it since very few servers will generate ephemeral RSA keys like they will when using DHE. 3DES is secure, but slow.
Ideally, you would want to just disable all ciphersuites that don't use ECDHE to do the key exchange, but that would probably hurt compatibility.
Please read the article before posting. There _are_ some things that can be done client side to raise the minimum level of encryption, although not to raise the maximum level of encryption.
One tactic the NSA and at least one vendor are suspected to use is to inject/drop a header which prevents the client and server of an SSL/TLS connection from settling on the highest level of encryption that both the client and server have. In this case, it's best for your client to disable the weakest forms of SSL/TLS encryption which raises the minimum level of encryption of the connection.
That's what much of this EFF article describes, although it fails to describe these steps for browsers other than Firefox and Chrome.
I'm confused. They included instructions for updating Firefox and Chrome (web browser clients) to remove support for the older cipher suites. I was asking if there was a way to do the same for Safari.
Sadly, users who follow this advice will forget that they did by the time they can't figure out why connections fail to servers that have been configured for forward secrecy only but run an ECC-incapable version of Apache (thanks to long-term support Linux distros keeping old Apache around).
Apache decides the DHE keys, OpenSSL decides the ciphersuites used. Red Hat didn't even enable ECDHE until they moved to OpenSSL 1.0.1 in RHEL 6.5 in late 2013.
tlsinterposer[0] helps in cases like this. (tldr: LD_PRELOAD middleware to upgrade an application's OpenSSL support without modifying the application.)
Tor browser 5.0.3/latest (based on Firefox 38.0.3) is not listed. However, it does have .dhe enabled/"true" set in the config file. For those of you running it, it might be good to add this to your disable "to-do" list.
Without using the brew dupe and the `--with-keychain-support` flag, I was getting cipher errors when trying to use SSH after following the instructions linked to in TFA.
You may have a cipher mismatch with the server. If you use ssh with the -vv flag you can see which ciphers the server is supporting and compare that to the ciphers your client supports.
If you are on El Capitan, it is not needed to install a brewed openssh. OpenSSH pre-bundled with El Capitan is already pretty up-to-date and includes most of the new ciphersuites.
Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html
3DES (the cipher) is secure but incredibly slow. It's often included in server ciphersuites to support old clients (the alternative for old clients is RC4, which is not secure).
Edit: I should mention though that 3DES as used in TLS is vulnerable to BEAST if not mitigated client-side and possibly Lucky 13 too, so the ciphersuite ought to be the next to "go" along with the other CBC ciphersuites. Still better than RC4 though.
Valid concern, but that's a bit of a defeatist attitude. Yes, if we all switch to more secure encryption, they will try to crack or cripple those, but to crack 1024 DH was a multi-billion-dollar effort (just on the cusp of what is feasible for them). If we can use something more secure, then it's out of their ability. The good part is that often we can increase the difficulty to crack something by an order of magnitude without a high cost to us.
It's in any attacker's best interest to aim for the weakest link in any stack/network.
Fortifying the current weakest link raises the overall security of the remaining system. Whether your threat model includes the NSA or not, disabling the weakest TLS algos is likely to increase your network security.
It seems that the NSA (and possibly other state-level actors) can access encrypted traffic that uses 1024-bit Diffie-Hellman with commonly-used prime numbers. This means HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS are potentially vulnerable. Where there’s smoke, there’s fire, and there’s a lot of smoke indicating the NSA can do this. They have the money, technology, infrastructure and the technical ability to pull this off.
From https://weakdh.org:
> Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.
This is real.
It’s all of the networking infrastructure that no longer gets software/firmware updates running 512, 768 and 1024-bit Diffie-Hellman that are likely already being exploited, not to mention all of the old VPNs, email servers, SSH clients, etc. that can’t be easily upgraded and can’t use more secure encryption protocols. After all of the hoopla dies down, this is the ongoing problem.
But don’t panic.
On current operating systems, going to larger 2048-bit Diffie-Hellman or using Elliptic-Curve Diffie-Hellman Key Exchange (ECDH) addresses the problem. As has been pointed out several times, 2048-bit Diffie-Hellman isn’t double the strength of 1024-bit Diffie-Hellman; we’re going from a keyspace of 2^1024 to 2^2048. So unless there’s an unprecedented cryptography breakthrough or quantum computers start sprouting like dandelions, 2048-bit Diffie-Hellman is firmly in the "it would take more energy than what would be required to boil all of the oceans on Earth" arena.
If you keep up with current cryptography trends, you’re probably already in a good place, but it doesn’t hurt to check. There are lots of guides on how to get your stuff right:
"It seems that the NSA (and possibly other state-level actors) can access encrypted traffic that uses 1024-bit Diffie-Hellman that use commonly-used prime numbers."
How does it "seem this"? There's no evidence, no plausibility, no sense here whatsoever. Someone hypothetically conjectured a magic all-powerful computer that could magically crack a prime, and that would magically make us all vulnerable to the government who want to steal the data from my recipe startup and the church newsletters documents on my laptop.
And therefore, system admins are all recommending upgrading to 2048 keys?
I can't see the sense or logic here. It just seems hysterical conspiracy nonsense to me.
It seems like you're calling section 4.1 of the paper "magical"; do you have something specific in it to object to that makes you think the estimates are severely mistaken?
In order to defend against adversaries with undisclosed capabilities, you have to extrapolate known attack methods and hardware to produce estimates of what may be practical. Every paper that proposes keylength and parameter size recommendations does this. If we didn't extrapolate this way, there would have been no reason to stop using 56-bit symmetric ciphers until 1998 (!). The hardware necessary to crack such a cipher could have been dismissed as "magical" because nobody who had built it had published a paper about it.
It is magical. There is a magic 36000-core (?) computer that has been running for years (?). Well no, the paper just invents it. On the hearsay that an "anonymous nsa official" said they'd cracked something.
It astonishes me that people are running about like rabbits in a headlight on such flimsy nonsense.
But I understand. It makes us feel important. The new James Bond movie is coming out. And imagine! We're like a superhero secret agent. We can protect from the big bad government by increasing all the keys to 2048 bits! And we get to feel special and important.
Classified documents published by Der Spiegel [46] indicate that NSA is passively decrypting IPsec connections at significant scale. The documents do not describe the cryptanalytic techniques used, but they do provide an overview of the attack system architecture.
Due to the Snowden leaks, we know the NSA is doing something that they haven't been able to do previously. The paper just explains, given what we know today, how this is plausible. There's nothing magical about that.
With standard transistor costs and utilization, this would cost about $2 per chip to manufacture, after fixed design and tape-out costs of roughly $2M [32]. This suggests that an $8M investment would buy enough ASICs to complete the DH-1024 sieving precomputation in one year.
$8 million is pocket change for the NSA, whose estimated yearly budget is around $10 billion.
QUIC is what WireShark says I am looking at. I can see the DNS lookup, and then a stream of encrypted UDP packets with not much plain text in the payloads.
I get what the other poster says about asking the provider, but I wouldn't have much confidence in the answer.
I'm not really familiar with QUIC, but are there any cryptographic setup steps that Wireshark can parse out of the first (say) three or four packets that get exchanged? (Or maybe the key was established when you first used the VPN and is being cached on your machine and re-used whenever you reconnect?)
I get that NSA snooping is abusive if it's the norm. But who exactly would really want to protect themselves from the NSA?
I mean ultimately, isn't the problem that the NSA is snooping on people who aren't aware of it? Why would someone try to hide themselves from the NSA? Is it just because it's a political principle, or just to annoy the NSA and discourage them? I mean, wouldn't this help the bad guys more?
The power of the government getting into your personal life to blackmail you into submission (for a multitude of purposes) is something everyone needs to worry about.
The fact that they are the de facto spy agency means they can simply lie about you, and claim their spy powers tell them so, and therefore you are guilty. (Just make sure to claim national security privileges on the information gathered so they can't argue against their accuser.)
I might be wrong, but I feel like I must have misunderstood entirely the thrust of your comment due to how oppositely I interpret this question.
One of the main things I want to keep private is just family life - conflicts, love, sex, etc. I don't want the government to know about my private family life. I don't see how a free, thoughtful, creative society can flourish if the government can always know the goods on everybody.
Yes, but can your government really turn out to be your enemy? I mean, if you're a wealthy businessman, and if you can step on some political subject, I'd agree, but this article doesn't aim to explain it to everybody.
If the government was so repressive, people would know about it. It's America, not Russia. There are many things in place which make it difficult for the government to literally take advantage of all this data.
I don't think the government wants to know about your private family life either. I mean, it's edgy to imagine that the government has a secret file on all of us. But they don't, do they? It's just very silly nonsense.
That was the argument before Snowden, but we now know that the government passively records and stores as much information as possible on anyone. So they can build a secret file on anyone should they feel like it. And they'll use every piece of information at their disposal (private family life, shopping and travel habits, what websites you browse, what media you consume, etc.) to profile you. Ever download a copyrighted file or view pornography? That will be used against you.
Snowden demonstrates the way the NSA and the British equivalent operate on demand* in the documentary film 'Snowden'. You should really skim through it at least; you will be surprised at what their finite budget can do.
* they collect bulk data, then develop the tools to sort them out
Sure they do. The details of your private life gives them a source of great power: to embarrass you, expose you, blackmail you, and destroy you. Why would they want this power? Because you might threaten to expose them or otherwise oppose them.
People expose and oppose the government every day in various forms. You would expect the news to be filled with scandals of government opposers, or we would have no opposition at all in the US due to them being blackmailed etc. Neither is true.
"The government" is not a person and has no feelings. Additionally, the government has massive resources and one individual has humble resources (even the very wealthy ones). This is an asymmetrical comparison.
Protecting yourself against the NSA is a good proxy for protecting yourself against other bad actors. The NSA has thousands of employees, a multi-billion dollar budget, and works 24 hours to crack, hack or otherwise gain unauthorized access to computer systems. So, if I can defend myself against the NSA, I've probably inoculated myself against other attackers using similar attack vectors.
I highly doubt that, and I don't think it's good logic. You cannot compare the power, tools and jurisdiction the NSA has to other bad actors. The NSA literally has the right to spy on you, but it will get very difficult for somebody else to do something comparable if they don't have the same resources AND the same intentions.
Wow. Seriously, why would you think they had that right?
If the link in their HN profile is to be believed, the person you are replying to is almost certainly a US citizen. The NSA is not authorized for domestic surveillance, as General Alexander admitted when he perjured himself in front of Congress[1]. It's in their charter, it's in the 4th Amendment and a couple hundred years of legal precedent. We even addressed these limitations in the Church Committee.
So I really don't understand why you would believe they had the right to spy on domestic targets. Besides, the game played by the FVEY members is letting GCHQ do the spying on US targets, not the NSA.
I've read the Wikipedia article, and I don't see how I should be afraid of it. Or maybe I don't understand it properly. Anyway, this article would be targeting people who are the target of the NSA, like political dissidents or journalists.
If the NSA has invested money in attacking these constructs, it's also likely other attackers may have, as well. So even if you want the NSA to be able to break into your stuff, you might not want other folks to.
* There's no such thing as "the bad guys". Everybody is a potential "bad guy" depending on who the authorities are. J Edgar Hoover investigated Dr Martin Luther King Jr as a subversive and used the FBI to try to pressure him into suicide. Nixon is on tape ordering J Edgar to investigate his political opponents. Perhaps the US political system fails and whatever government replaces it finds a trove of NSA data and uses it to find+convict political dissenters. Just because the 1st Amendment exists and protects open political discussion now doesn't mean it will always exist in its current form.
* Hackers/crackers/phishers and organized crime. The NSA data troves _must_ be a juicy target. If any malicious intruder gets access to the data (I know, highly unlikely), what could they use it for? Surveillance, tracking, blackmail, extortion, political affiliations, personal beliefs, etc. What if they don't target you, but rather political leaders in the US. That would make the holders of that information _way_ more powerful than any political campaign donor.
* Have a US security clearance? You are subject to very high standards of conduct. Anything that could impair your judgement or lead to possible blackmail of you or your family is potentially grounds for taking away your security clearance (which likely means you can no longer do your job). Alcohol addiction, gambling addiction, sexual relationships, history of crime, immoral behaviors, etc. Gen David Petraeus (Director of the CIA, IIRC) was in an extra-marital affair and tried to hide this fact from "the company" and from politicians. In this scenario, he is a "bad guy".
* You are assuming the NSA only uses records for official purposes. We have already heard that some NSA employees have been reprimanded for snooping on their spouses and neighbors using work tools.
* It's not as if the NSA has a perfect record. Snowden wasn't even close to being the first whistleblower and it looks like there may be another post-Snowden disclosure. The NSA doesn't have control of its own people (or contractors) so I assume it doesn't have perfect security procedures either. That means it is open to threats against its data and procedures from both inside and out.
* The NSA is suspected to have tipped off the DEA/DHS and FBI for cases that don't involve terrorism or national security. NSA techniques are suspected to have been adopted by much of DHS. This means the threshold to be considered a "bad guy" is now a lot lower than the NSA used to be tasked with watching. Apply the slippery slope argument. What if the NSA quietly helps out with civil cases (such as MegaUpload) and not just criminal? What if it goes even further?
* The NSA isn't the only organization trying to gain access to sensitive internet communications. If anyone else finds out how to take advantage of some of the same tricks the NSA uses, they could potentially have access to the same data and communications. Think nation-states, organized crime, disorganized criminals, even marketing/tracking companies with questionable ethics.
* If SSL / TLS is no longer beyond cracking in near-real-time, MITM is now possible. This could set back people's faith in the security underpinnings of the web even more than it has been eroded in recent years. Even worse if people don't find out about it.
People who know they are being watched change their thoughts and behavior either consciously or subconsciously.
If the government had cameras inside your house set to record 24x7, would you act any differently than you do today? Are you breaking any laws inside your home? If not, what are you trying to protect yourself from by refusing access?
Have you ever avoided visiting a website, searching for information on certain subjects, or held back writing something online that you felt strongly about because you were afraid of possible repercussions in the future?
If yes, then that is an example of the government eroding our rights which are protected by the first and fourth amendments. The right to privacy online is just as important as the privacy you enjoy (take for granted?) within your own home.
Well, if every time you sent a message or visited a web site, your computer asked you "Do you want to send a copy of this message or URL to the NSA? [Yes] [No]", what would you click?
It's strange that this is all coming up just now. The NSA has had this technology since at least 1992 when it was revealed in the gripping documentary movie "Sneakers".
A good deal of this is to try to take the US down a notch because they are seen as too powerful. This is why it is rarely mentioned how closely the entire West works together; hell, what are you going to do, hate the entire West? Recently they have had to concede the UK and eventually will have to concede the entire West, and then the game is over unless you like actual authoritarianism like China and Russia.
This recent publication illustrates a problem that we have trying to keep our communications secure. If we all use a single "strong" prime number with our crypto then the NSA has a huge incentive to pre-compute results from that single strong number. Now that we know that the NSA is doing this, we won't all use a proven strong number, and we will all start to do key exchanges with another method, and it will become the common thread that the NSA can attack.
So the NSA will pretty much always attack whatever common procedure we all use and find the weak point. If we all used different methods for key exchanges and encryption then we will all be fractured and the NSA can easily pick off their targets individually. What's the answer to this problem? Is there crypto that we can all use that the NSA won't be able to crack even if they have a strong incentive to do so? And why aren't we all using it, if such a solution exists?
By this do you mean don't use 1024 bit keys? Would using 2048 bit (or larger) mean that the NSA wouldn't be able to buy a computer that could do the computation within a year?
Why don't we all use 2048 bit keys then? Is the communication and processing overhead so high that we'd rather be vulnerable?
Edit to add: I'm not an expert, but I'm competent enough to force a certain level of crypto on my computer and to know not to trust the communication when a website forces a fallback to a lower level. But sometimes I wish there was a level of explanation (of why we want to do certain things) that was above what you would give to "Joe off the street" and below the explanation that you would give to a graduate student in cryptography.
NSA almost definitely can't buy a computer that can break 2048 bit conventional multiplicative group discrete logs, and if by some insane space-alien-technology chance they can, the implication is that conventional multiplicative group discrete logs are probably entirely unsuitable for secure cryptography: no amount of jazz-hands with parameters will save you.
Reminder: 2048 bit discrete logs aren't just twice as hard as 1024 bit discrete logs!
Yes: 2048 bit RSA and DH are significantly slower than 1024 bit, and that's a big part of why they're still in use.
> By this do you mean don't use 1024 bit keys? Would using 2048 bit (or larger) mean that the NSA wouldn't be able to buy a computer that could do the computation within a year?
Keep in mind, going from 1024 to 2048 bit DH parameters doesn't double the search space, it raises it from 2^1024 to 2^2048. At some point the search space gets so large that you'd need more energy than required to boil all of Earth's oceans to find the key, which makes such a brute-force attack implausible.
I haven't had much crypto-in-practice background (outside of thought experiments), but I have some math background so I'm quite curious. Shouldn't people also be worried about non brute force attacks based on finding mathematical solutions? I mean, "The Uneasy Relationship Between Mathematics and Cryptography"[0]?
The attacks we're talking about are non-brute-force mathematical attacks (specifically, in this case, the index calculus). A pure brute-force attack on a 2^1024 search space would be comically implausible.
Actually that is wrong. The search space of 1024 bit Diffie Hellman is about 2^80, of 3248 bit about 2^128. I failed to find a number for 2048 bit DHE.
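The exchange above turns on how attack cost scales with prime size: the relevant attack is the number field sieve, not exhaustive search of the exponent, which is why the commonly cited figure for 1024-bit DH is near 2^80 rather than 2^1024. The following added example (not from any commenter) evaluates the standard L-notation heuristic for the general number field sieve, L_p[1/3, c] = exp(c (ln p)^(1/3) (ln ln p)^(2/3)) with c = (64/9)^(1/3). It drops the o(1) term, so the absolute figures are a few bits higher than published estimates that include lower-order terms; only the comparison between sizes is the point.

```python
"""Estimate how number-field-sieve cost grows with the size of a DH prime.

Added example, not part of the thread. Evaluates the GNFS heuristic
L_p[1/3, c] with c = (64/9)^(1/3) and no o(1) correction, so the numbers
are for comparing sizes, not for quoting as exact security levels.
"""
import math

NFS_C = (64 / 9) ** (1 / 3)  # asymptotic constant for the general number field sieve


def nfs_work_bits(prime_bits, c=NFS_C):
    """log2 of the heuristic NFS work for a prime of the given bit length."""
    ln_p = prime_bits * math.log(2)
    work_ln = c * ln_p ** (1 / 3) * math.log(ln_p) ** (2 / 3)
    return work_ln / math.log(2)


def extra_work_bits(small_bits, large_bits):
    """How many additional bits of work the larger prime costs under NFS."""
    return nfs_work_bits(large_bits) - nfs_work_bits(small_bits)


if __name__ == "__main__":
    for bits in (512, 768, 1024, 2048):
        print("%4d-bit prime: NFS ~2^%.1f  (exponent search would be 2^%d)"
              % (bits, nfs_work_bits(bits), bits))
    print("1024 -> 2048 adds ~%.0f bits of NFS work; it is neither a doubling "
          "of effort nor a jump from 2^1024 to 2^2048"
          % extra_work_bits(1024, 2048))
```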
Sure, if you dismiss all the evidence there is, then there's no evidence. If that reassures you, great. Just don't be surprised that the rest of us are not reassured...
I'm assuming you believe in the passive intercept so this will focus on the 1024-bit prime. It is crackable with the NSA's leaked budget and it fits their mission. If you had the NSA's leaked budget, you could crack this. I could crack this. The budget is not astronomical and it could be cracked by dozens of governments your country doesn't get along with.
That's why it's important to defend against it because even if you trust the NSA, the attack is equally available to Russia / China / North Korea / your country's boogeyman-of-the-day. The whole global internet is under threat along with billions of dollars of eCommerce GDP.