How The NSA Broke Trillions Of Encrypted Connections

October 19, 2015 mitch tanenbaum Leave a comment

Encryption can be very secure. Or Not. It depends on how it is implemented. Apparently, at least according to some sources, most of the Internet has gotten it wrong. That’s not very comforting.

The rules of who people are protecting themselves from has changed from just a few years ago. Now we are talking about nation states and extremely well funded hackers.

Here is the flaw. The most common form of encryption is what is behind HTTPS, VPNs and SSH. Part of that protocol is to exchange keys between the sender and the recipient and is called Diffie Hellman or DH. Those keys secure the communications used in eCommerce (such as Amazon) or your bank (such as Chase or Citi).

Apparently, most common DH implementations use one of two 1,024 bit prime numbers as part of the process.

Cracking one of these numbers would allow the NSA to decrypt two thirds of the VPN connections and one quarter of the SSH sessions around the world.

Cracking the second of these numbers would give the NSA access to 20% of the top 1 million web site.

According to the article, it would likely have taken the NSA a year and a few hundred million dollars. Given the payback, this is a no brainer.

Obviously, the NSA is not confirming this, but this is what researchers think.

The solution is either to increase the size of the numbers that the web site is using (from 1,024 bits to either 2,048 bits or 4,096 bits), which makes the computation required to crack the keys out of reach of the NSA or at least change the software to not use one of these standard primes.

Some web sites (I just checked Google and Facebook) have already upgraded to more secure solutions. Hopefully, they are not using “standard” numbers, but that leaves tens of millions of web sites and VPNs still susceptible. Hopefully, many of these are in the Mideast!

VPN and SSH administrators can control their key size, making the encryption much more difficult to crack – but they must do that; the users usually cannot do that themselves. For users of web sites, the web site has to make the change. All the user can do is complain and hope they fix it.

Which is why security IMPLEMENTERs have to be so careful.

Information for this post came from Reddit and The Hacker News.