How is NSA breaking so much crypto? Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

How is NSA breaking so much crypto?

There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. …
The Snowden documents also hint at some extraordinary capabilities …
Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.

Paper: Imperfect Forward Secrecy:How Diffie-Hellman Fails in Practice

We investigate the security of Diffie-Hellman key exchange asused in popular Internet protocols and find it to be less securethan widely believed. First, we present Logjam, a novel flawin TLS that lets a man-in-the-middle downgrade connectionsto “export-grade” Diffie-Hellman. To carry out this attack,we implement the number field sieve discrete log algorithm.After a week-long precomputation for a specified 512-bitgroup, we can compute arbitrary discrete logs in that groupin about a minute. We find that 82% of vulnerable servers usea single 512-bit group, allowing us to compromise connectionsto 7% of Alexa Top Million HTTPS sites. In response, majorbrowsers are being changed to reject short groups.We go on to consider Diffie-Hellman with 768- and 1024-bitgroups. We estimate that even in the 1024-bit case, the com-putations are plausible given nation-state resources. A smallnumber of fixed or standardized groups are used by millionsof servers; performing precomputation for a single 1024-bitgroup would allow passive eavesdropping on 18% of popularHTTPS sites, and a second group would allow decryptionof traffic to 66% of IPsec VPNs and 26% of SSH servers. Aclose reading of published NSA leaks shows that the agency’sattacks on VPNs are consistent with having achieved sucha break. We conclude that moving to stronger key exchangemethods should be a priority for the Internet community.

Apparently the conclusion from all that is move to ECDHE, or move to 2048 bit.

1 Like

fortunately we don’t use IKE or diffie Hellmam algo’s. As we have the public keys in the dht already we connect already encrypted. It allows us to avoid MiTM attacks, which is very powerful really.


$1000 to anyone who can successfully tell Mr Irvine something about encryption security that he doesn’t already know! :smiley:

Oh there is lots, I am a poor Engineer, Jack of all trades really. So crypto is only a tool in my box like networking, programming etc. There is much I don’t know, but nothing that cannot be researched and that is the important part for us all :wink:


Uh oh I might lose some money soon then! :smiley:


It’s ironic you ask that. I was searching my own implementation to be resilient to quantum and end up with this so far (already forget the remaining my bad):

NTRU for key exchange.
scrypt for password derivation.

Still need more investigation but that should interest you: Post-quantum cryptography - Wikipedia

1 Like

Lattice is indeed where research is at the moment, be slightly careful of NTRU encrypt at the moment. Signatures seem stronger though, With mix of patents (there are OSS version though so not a huge issue) and really field testing these algo’s we need to take care. It’s very good though so far, so this is only a caution atm.

1 Like

Don’t worry. It’s only what I’m going to do with my own SAFE Network. It’s not going to happen. I was just dreaming.