So what's the internet community doing about the NSA cracking VPN, HTTPS encryption?
TL;DR: Stop using 1024-bit keys ... like we said in 2005
Now that the cat is firmly out the bag, and it's clear that the NSA has cracked the encryption behind, potentially, a huge amount of internet traffic, the question inevitably turns to: what are internet engineers going to do about it?
Clearly the experts at the Internet Engineering Task Force (IETF) have pondered the same question: a blog post on Thursday by IETF chairman Jari Arkko and security specialist Paul Wouters outlines how to beef up the internet's security.
The post's title references a crucial element at the heart of the security flap: the Diffie-Hellman key-exchange protocol.
Broadly stated, this protocol – developed in 1976 by Whit Diffie and Martin Hellman – lets two users (say, Alice and Bob) calculate and share a secret between themselves, and just themselves, in public. The secret is developed between Alice and Bob using very, very large prime numbers and math.
Even if the pair are snooped on by an eavesdropper, Eve, it should be virtually impossible for the spy to discover their secret.
This secret can be used as a key to encrypt messages and other data; only Alice and Bob know the secret key to decrypt the information they send each other. All Eve has is a pile of intercepted scrambled bytes.
In theory, it works extremely well, which is why it is ubiquitous online – it lets people establish secure private communications over a very public network: the internet.
Unfortunately, software and hardware in the real world doesn't always implement Diffie-Hellman's protocol perfectly: besides bugs and shortcuts that hamper the security of the key exchange, people just haven't been using large enough prime numbers.
This, along with advances in number-crunching technology, means secret keys can be deduced by powerful eavesdroppers, and intercepted private information decrypted.
Sorta like a modern version of the old wartime Enigma code-breaking machines, computer systems capable of calculating common prime numbers used in Diffie-Hellman exchanges are not beyond the NSA's budget and capabilities.
In other words, it's entirely possible, with a few hundred million dollars, for the NSA to work out the prime numbers needed to decrypt a lot of the world's VPN and HTTPS traffic.
So what's the solution? Well, according to the IETF, there are two main things that can be done:
- Stop using 1024-bit keys, and use longer prime numbers, and
- Use the latest revisions of protocols (which require longer prime numbers)
It's assumed the NSA can calculate primes commonly used in Diffie-Hellman keys up to 1024 bits in length – or put simply, numbers that are up to 309 digits long. Here's an example prime:
16152174667064029642647365822885998430666314431815268152405470907824573659036 62972483772980826569393306732864932303362619914669385966910731129686267107921 48904239628873374506302653492009810626437582587089465395941375496004739918498 276676334238241465498030036586063929902368192004233172032080188726965600617167
If you're using a key with a known prime number, the NSA can crack your stuff.
The world was advised to bump up its key lengths to 2048 bits back in 2005 in the IETF's RFC 4307 document on internet key exchanges.
Of course, it takes a long time for software and hardware to catch up with published standards and recommendations, so 1024-bit keys prevailed for far too long, leaving systems and applications at the mercy of the NSA.
So now the IETF plans to kill off all support for 1024-bit Diffie-Hellman keys by updating RFC 4307, urging in the strongest terms developers and engineers to use at least 2048-bit key sizes.
That would make it significantly harder for the NSA to crack new keys.
It's a balance, of course. Some embedded hardware just won't be able to handle 4096-bit keys; using much larger keys will require greater computational effort, so it will take longer to send and decrypt information, and it will drain a battery faster.
Calculating the primes in 2048-bit keys is going to be a real headache for the NSA, meaning the spies won't be able to decrypt data secured using these key for a very long time; 4096-bit keys will take even longer.
Meanwhile, a new RFC – RFC 7525 – provides the best practice for improving the security of TLS/SSL by recommending "specific, stronger cipher suites" with at least 2048-bit keys.
It's been just under two years that the IETF created RFC 7258 in response to the Edward Snowden revelations of mass online surveillance. It's been one year since the Internet Architecture Board (IAB) called for everything to be encrypted.
As the post's authors note: "The IETF community has done considerable work to strengthen trust in the Internet, in line with its mission of 'making the Internet work better.' But, a lot of work also remains – in deploying the better versions, in building defenses to new attacks, and in understanding the issues and possible improvements. This is a continuous process." ®