Et af de store mysterier omkring NSA’s evner til kodebrydning er måske løst, i og med at en række sikkerhedsfolk endelig er kommet med en plausibel teori der kan forklare dem:
For the nerds in the audience, here’s what’s wrong: If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
How enormous a computation, you ask? Possibly a technical feat on a scale (relative to the state of computing at the time) not seen since the Enigma cryptanalysis during World War II. Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates. For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.
Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.
— Alex Halderman & Nadia Heninger, “How is NSA breaking so much crypto?“
Electronic Frontier Foundation har lavet en vejledning hvordan man kan deaktivere de berørte krypteringsalgoritmer i nogle applikationer, f.eks. webbrowsere. I øvrigt bør man nok en gang imellem besøge “How’s My SSL?“* så man kan se om ens browser er tilstrækkelig opdateret.
(*) Ja, det burde hedde “How’s My TSL?” og det ved de godt. Men de fleste kalder det stadig SSL…